|
|
|
Can Someone Pleas Help Me
|
|
|
frnresq
Junior Member
|
13. November 2006 @ 13:12 |
Link to this message
|
Ok, i scanned my pc with ewido and found quite a few virus's and quarantined them, then went to safe mode and didnt find anything. Now when i click on my IE icon on my deskstop it wont bring up my browser.
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 6:09:52 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\winasse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\Intel\rundll32.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O1 - Hosts: 61.152.90.31 zt.abcoll.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
|
|
Advertisement
|
 |
|
|
|
frnresq
Junior Member
|
14. November 2006 @ 10:24 |
Link to this message
|
Anyone Please, ran Smitfraudfix and AVG....new HjT log
Logfile of HijackThis v1.99.1
Scan saved at 3:23:13 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\Intel\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O1 - Hosts: 61.152.90.31 zt.abcoll.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
|
Senior Member
|
15. November 2006 @ 16:58 |
Link to this message
|
Hello frnresq, sorry for the late reply. Been very busy around here with limited help.
There's a few bed entires in your log. Let's see what AVG Anti-spyware can remove any before we try removing manually.
Go here to download the trial version of AVG Anti-spyware.
Install and open AVGAS.
Click "Update" then click "Start update".
After updating, close AVGAS.
Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
Restart your computer in safe mode(press F8 upon boot, select "Safe Mode" from menu and press Enter).
Open AVGAS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report" and save it to the desktop.
Restart in normal mode.
Go to Virus Total file scan
Click "Browse" beside the "Select file" area.
Find and select this file:
C:\WINDOWS\Intel\rundll32.exe
Click 'Send".
Copy/paste the results and save to Notepad.
Please post back with the AVGAS report, the VirusTotal results and a new HijackThis log.
|
|
frnresq
Junior Member
|
17. November 2006 @ 00:28 |
Link to this message
|
General properties
Report name Complete Test
Start time 11/16/2006 21:40
End time 11/16/2006 10:34:02 PM (total: 53:08.9 Min)
Launch method Scanning launched manually
Scanning result No threats found
Report status Scanning completed successfully
Object summary
Scanned 47125
Threats Found 0
Cleaned 0
Moved to vault 0
Deleted 0
Errors 1
C:\WINDOWS\system32\mssync20.exe Reading error Error
VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.
Select file : DistributeSSL
Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.
STATUS: FINISHEDComplete scanning result of "rundll32.exe", received in VirusTotal at 11.17.2006, 11:22:54 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.39 11.17.2006 TR/PSW.Delf.LX.33
Authentium 4.93.8 11.17.2006 no virus found
Avast 4.7.892.0 11.15.2006 no virus found
AVG 386 11.16.2006 PSW.Generic2.RDL
BitDefender 7.2 11.17.2006 Trojan.Agent.BX
CAT-QuickHeal 8.00 11.16.2006 no virus found
ClamAV devel-20060426 11.16.2006 no virus found
DrWeb 4.33 11.17.2006 Trojan.PWS.Zhengtu
eTrust-InoculateIT 23.73.58 11.17.2006 no virus found
eTrust-Vet 30.3.3197 11.17.2006 Win32/Lineage!generic
Ewido 4.0 11.17.2006 Trojan.Delf.lx
Fortinet 2.82.0.0 11.17.2006 no virus found
F-Prot 3.16f 11.16.2006 no virus found
F-Prot4 4.2.1.29 11.17.2006 no virus found
Ikarus 0.2.65.0 11.16.2006 Backdoor.Win32.HacDef.084
Kaspersky 4.0.2.24 11.17.2006 Trojan-PSW.Win32.Delf.lx
McAfee 4897 11.16.2006 PWS-Lineage
Microsoft 1.1609 11.17.2006 no virus found
NOD32v2 1869 11.16.2006 Win32/PSW.Lineage.DN
Norman 5.80.02 11.17.2006 W32/Lineage.ANQQ
Panda 9.0.0.4 11.16.2006 Trj/Lineage.AUT
Prevx1 V2 11.17.2006 Malware:SysCovert
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.120 11.17.2006 no virus found
UNA 1.83 11.16.2006 no virus found
VBA32 3.11.1 11.16.2006 suspected of Trojan-PSW.Lineage.1
VirusBuster 4.3.15:9 11.16.2006 no virus found
Aditional Information
File size: 78336 bytes
MD5: f9a39dafc6567986211101694fd7bd7c
SHA1: 89f2b13541f17ba65fcf76b37e7dbce4c2f57eb0
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Ir a: Inicio Contactar En Español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com
Logfile of HijackThis v1.99.1
Scan saved at 5:26:32 AM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\Intel\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
D:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O1 - Hosts: 61.152.90.31 zt.abcoll.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
|
Senior Member
|
17. November 2006 @ 08:46 |
Link to this message
|
Did you run AVGAS? If not please do so in safe mode. Then save the report and post it in your next reply.
In normal mode run a scan only with HijackThis, check these:
O1 - Hosts: 61.152.90.31 zt.abcoll.com
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
Close all windows except HijackThis, then click "Fix checked".
Restart in normal mode and delete these files:
Note: Do not confuse these with legit files in other locations. Only delete these files in these locations.
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\WINLOGON.EXE
C:\Program Files\Common Files\update\update.exe
Empty the Recycle Bin and run AVGAS if you haven't.
Restart in normal mode.
Please post back with the AVGAS report and a new HijackThis log.
|
|
frnresq
Junior Member
|
17. November 2006 @ 10:48 |
Link to this message
|
i ran a avgas in safe mode last night/this morning, didnt find anything, but i ran when i first posted and found quite a bit but i didnt save the report, sorry. But ill run HjT again real quick.
|
|
frnresq
Junior Member
|
17. November 2006 @ 11:04 |
Link to this message
|
|
Ok, i looked for those files and only found the 2nd one and deleted it, when i reboot and on start up i get a box that pops up "error loading KB8962445.log" for some reason. And do i need to run AVGAS again?
|
Senior Member
|
17. November 2006 @ 20:45 |
Link to this message
|
I forgot to mention to show hidden files and folders. That may be why you can't find the others.
Show hidden files and folders.
Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders".
Click Apply, then OK.
Then, look for the files and delete if found. If you delete anything restart after.
There really isn't a need to run AVGAS again. But I would have liked to see the log. :( It's okay though. Just post a new HijackThis log after looking for the other files.
|
|
frnresq
Junior Member
|
18. November 2006 @ 04:32 |
Link to this message
|
Logfile of HijackThis v1.99.1
Scan saved at 8:01:04 AM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
|
Senior Member
|
18. November 2006 @ 10:17 |
Link to this message
|
Go here and download KillBox.
Open Killbox.exe.
Check "Delete on Reboot".
Single file will start blinking green.
In the "Full Path of File to Delete" box, copy/paste this path:
C:\WINDOWS\WINLOGON.EXE
Then, click the red button with a white X. You will be prompted to restart, click No.
Exit KillBox.
Run a scan only with HijackThis and fix these:
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
Restart your computer.
Go here to run Kaspersky Online Scanner.
After downloading, click "My Computer" to scan.
After scanning, click "Save report as".
Save as a text file on the desktop.
Post back with the Kaspersky log and a new HijackThis log.
|
|
frnresq
Junior Member
|
18. November 2006 @ 17:56 |
Link to this message
|
Logfile of HijackThis v1.99.1
Scan saved at 10:54:42 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 18, 2006 10:53:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/11/2006
Kaspersky Anti-Virus database records: 229090
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 70211
Number of viruses found: 4
Number of infected objects: 20 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:39:52
Infected Object Name / Virus Name / Last Action
C:\!KillBox\WINLOGON.EXE Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shane Farr\.housecall6.6\Quarantine\ismini.exe.bac_a02272 Infected: Trojan-Downloader.Win32.Zlob.aee skipped
C:\Documents and Settings\Shane Farr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shane Farr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shane Farr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shane Farr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shane Farr\Local Settings\Temp\~DF5BE5.tmp Object is locked skipped
C:\Documents and Settings\Shane Farr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shane Farr\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shane Farr\ntuser.dat.LOG Object is locked skipped
C:\MSDOS.SYS Object is locked skipped
C:\Program Files\Common Files\iexplore.pif Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\Program Files\Internet Explorer\iexplore.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\1.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\Debug\DebugProgram.exe Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ExERoute.exe Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\explorer.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\finder.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\command.pif Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dxdiag.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\finder.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\MSCONFIG.COM Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\regedit.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\rundll32.com Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\update1.exe Infected: Trojan-PSW.Win32.Delf.nx skipped
C:\WINDOWS\system32\update3.exe Infected: Trojan-PSW.Win32.Lmir.bfa skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ztdll.dll Infected: Trojan-PSW.Win32.Delf.lx skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\WINLOGON.EXE Infected: Trojan-PSW.Win32.Lmir.bfa skipped
D:\pagefile.pif Infected: Trojan-PSW.Win32.Lmir.bfa skipped
Scan process completed.
|
Senior Member
|
18. November 2006 @ 18:13 |
Link to this message
|
Ah ha! :)
Note: print these instructions or copy to Notepad and save it, you will be in safe mode and can't access the internet.
Restart your computer in safe mode(press F8 upon boot, select "Safe Mode" from menu and press Enter).
Open Killbox.exe.
Check "Standard File Kill".
In the "Full Path of File to Delete" box, copy/paste each of the following lines below one at a time. Then, click the red button with a white X after you enter each file.
You will be prompted to confirm, click "Yes".
Note: KillBox may prompt "File does not seem to exist". If so, please write down the ones not found and continue with the next, but do not miss any.
C:\Program Files\Common Files\iexplore.pif
C:\Program Files\Internet Explorer\iexplore.com
C:\WINDOWS\1.com
C:\WINDOWS\Debug\DebugProgram.exe
C:\WINDOWS\ExERoute.exe
C:\WINDOWS\explorer.com
C:\WINDOWS\finder.com
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\dxdiag.com
C:\WINDOWS\system32\finder.com
C:\WINDOWS\system32\MSCONFIG.COM
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\rundll32.com
C:\WINDOWS\system32\update1.exe
C:\WINDOWS\system32\update3.exe
C:\WINDOWS\system32\ztdll.dll
C:\WINDOWS\WINLOGON.EXE
D:\pagefile.pif
Then, fix these with HijackThis again:
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
Restart in normal mode and post back with a new HijackThis log along with the list of any files not found by Killbox(if any).
This message has been edited since posting. Last time this message was edited on 18. November 2006 @ 18:16
|
|
frnresq
Junior Member
|
19. November 2006 @ 06:04 |
Link to this message
|
I did exactly what you told me, copy'd the instructions and delete'd those lines, now i cant open anything at all. I'm on another computer atm. I cant open anything on my pc, HjT wont even open.
|
|
frnresq
Junior Member
|
19. November 2006 @ 09:49 |
Link to this message
|
ok, went back to this PC and rebooted and i can access stuff again...dont know what is up but here is the new HjT log.
Logfile of HijackThis v1.99.1
Scan saved at 2:47:38 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
D:\HJT\HijackThis_v1.99.1.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
|
|
frnresq
Junior Member
|
19. November 2006 @ 09:59 |
Link to this message
|
Went back and tried to fix those lines with HjT in safe mode and rebooted and did new scan and log, still there
newer log
Logfile of HijackThis v1.99.1
Scan saved at 2:57:34 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Webroot\Accelerate\accelerate.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HJT\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Accelerate] "C:\Program Files\Webroot\Accelerate\accelerate.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
|
Senior Member
|
19. November 2006 @ 10:24 |
Link to this message
|
Okay, now I'm getting mad. :)
This log will show us where all the registry entries are and we'll remove them manually. Might even remove some other things, if there are any.
Download ComboFix.exe to the desktop from here
Open ComboFix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick ComboFix's window while it's running, it may cause it to stall.
This message has been edited since posting. Last time this message was edited on 19. November 2006 @ 10:26
|
|
frnresq
Junior Member
|
19. November 2006 @ 11:38 |
Link to this message
|
Shane Farr - 06-11-19 16:36:49.81 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Shane Farr\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{B88E6606-095E-1033-1106-030312220001}
((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))
2006-11-17 13:14 225,280 --a------ C:\PlayerHost.dll
2006-11-14 14:22 3,970 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-14 14:08 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-14 14:08 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-14 14:08 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-14 14:08 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-14 14:08 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\WINLOGON.EXE
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\rundll32.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\MSCONFIG.COM
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\finder.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\dxdiag.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\command.pif
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\finder.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\explorer.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\ExERoute.exe
2006-11-13 16:34 37,679 --------- C:\WINDOWS\1.com
2006-11-07 17:20 0 --a------ C:\WINDOWS\system32\drivers\moduleusb.sys
2006-11-03 09:36 73,216 --a------ C:\WINDOWS\cadkasdeinst01e.exe
2006-11-03 09:23 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2006-10-23 19:32 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-23 19:31 6,912 --a------ C:\WINDOWS\system32\drivers\atibtxbr.sys
2006-10-23 19:31 58,240 --a------ C:\WINDOWS\system32\drivers\atibtcap.sys
2006-10-23 19:31 28,416 --a------ C:\WINDOWS\system32\drivers\ativxstw.sys
2006-10-23 19:31 17,664 --a------ C:\WINDOWS\system32\drivers\ativtutw.sys
2006-10-20 17:54 32,768 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2006-10-20 17:54 20,480 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2006-10-20 17:53 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2006-10-20 17:53 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2006-10-20 17:53 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2006-10-20 17:46 983,092 --a------ C:\WINDOWS\system32\lxccgf.dll
2006-10-20 17:46 94,208 --a------ C:\WINDOWS\system32\lxccinsr.dll
2006-10-20 17:46 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2006-10-20 17:46 86,016 --a------ C:\WINDOWS\system32\lxcccub.dll
2006-10-20 17:46 753,664 --a------ C:\WINDOWS\system32\lxcchbn3.dll
2006-10-20 17:46 667,648 --a------ C:\WINDOWS\system32\lxcccomc.dll
2006-10-20 17:46 65,536 -ra------ C:\WINDOWS\system32\lxcccfg.dll
2006-10-20 17:46 638,976 --a------ C:\WINDOWS\system32\lxccpmui.dll
2006-10-20 17:46 61,440 --a------ C:\WINDOWS\system32\lxcccu.dll
2006-10-20 17:46 487,424 --a------ C:\WINDOWS\system32\lxcclmpm.dll
2006-10-20 17:46 466,944 --a------ C:\WINDOWS\system32\lxcccoms.exe
2006-10-20 17:46 401,408 --a------ C:\WINDOWS\system32\lxcccomm.dll
2006-10-20 17:46 40,960 --a------ C:\WINDOWS\system32\lxccvs.dll
2006-10-20 17:46 380,928 --a------ C:\WINDOWS\system32\lxccutil.dll
2006-10-20 17:46 372,736 --a------ C:\WINDOWS\system32\lxcccfg.exe
2006-10-20 17:46 356,352 --a------ C:\WINDOWS\system32\lxccih.exe
2006-10-20 17:46 32,768 --a------ C:\WINDOWS\system32\lxcccur.dll
2006-10-20 17:46 172,032 --a------ C:\WINDOWS\system32\lxccinsb.dll
2006-10-20 17:46 143,360 --a------ C:\WINDOWS\system32\lxccprox.dll
2006-10-20 17:46 135,168 --a------ C:\WINDOWS\system32\lxccjswr.dll
2006-10-20 17:46 131,072 --a------ C:\WINDOWS\system32\lxccins.dll
2006-10-20 17:46 114,688 --a------ C:\WINDOWS\system32\lxccpplc.dll
2006-10-20 17:46 1,150,976 --a------ C:\WINDOWS\system32\lxccserv.dll
2006-10-20 17:46 1,134,592 --a------ C:\WINDOWS\system32\lxccusb1.dll
2006-10-20 17:44 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-10-20 15:18 41,472 --a------ C:\WINDOWS\system32\xydll.dll
2006-10-20 12:42 20,096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-19 16:37 -------- d-------- C:\Program Files\Common Files
2006-11-19 10:56 -------- d-------- C:\Program Files\Internet Explorer
2006-11-18 21:52 -------- d-------- C:\Program Files\Lx_cats
2006-11-17 05:27 -------- d---s---- C:\Documents and Settings\Shane Farr\Application Data\Microsoft
2006-11-16 21:40 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\AVG7
2006-11-15 20:40 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Adobe
2006-11-14 15:30 -------- d-------- C:\Program Files\Java
2006-11-14 15:30 -------- d-------- C:\Program Files\Common Files\Java
2006-11-14 14:12 -------- d-------- C:\Program Files\Common Files\System
2006-11-14 14:11 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-11-14 14:08 -------- d-------- C:\Program Files\Grisoft
2006-11-13 18:00 33 --a------ C:\WINDOWS\vbarun.dll
2006-11-13 16:56 -------- d-------- C:\Program Files\Common Files\update
2006-11-13 16:34 37679 -r-hs---- C:\Program Files\Common Files\iexplore.pif
2006-11-03 09:42 -------- d-------- C:\Program Files\CDDVD Cover Builder
2006-11-03 09:27 -------- d-------- C:\Program Files\DVDCoverPrint
2006-11-01 12:31 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Roxio
2006-10-29 20:32 -------- d-------- C:\Program Files\Lexmark Skins
2006-10-23 19:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-23 04:37 -------- d-------- C:\Program Files\WinRAR
2006-10-23 04:37 -------- d-------- C:\Program Files\ICOO Loader
2006-10-22 07:51 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-21 08:46 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\FaxCtr
2006-10-21 08:45 -------- d-------- C:\Program Files\Lexmark 3300 Series
2006-10-20 17:55 -------- d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2006-10-20 17:54 -------- d-------- C:\Program Files\Lexmark Fax Solutions
2006-10-15 09:14 -------- d-------- C:\Program Files\Acoustica CD Label Maker
2006-10-15 08:24 -------- d-------- C:\Program Files\Webroot
2006-10-15 08:24 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Webroot
2006-10-11 17:39 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-10 19:13 -------- d-------- C:\Program Files\RegistryFix
2006-10-10 18:06 -------- d-------- C:\Program Files\Messenger
2006-10-09 17:26 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Acoustica
2006-10-05 18:44 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-10-05 18:43 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-10-05 10:35 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\AdobeUM
2006-09-25 23:08 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\SearchToolbarCorp
2006-09-08 22:02 51271 --a------ C:\WINDOWS\system32\csuxt.exe
2006-09-07 20:32 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2006-09-02 08:55 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-09-02 07:07 626688 --a------ C:\WINDOWS\system32\dfxg11.dll
2006-09-01 21:07 0 -rahs---- C:\MSDOS.SYS
2006-09-01 21:07 0 -rahs---- C:\IO.SYS
2006-09-01 16:54 62 --ahs---- C:\Documents and Settings\Shane Farr\Application Data\desktop.ini
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"Accelerate"="\"C:\\Program Files\\Webroot\\Accelerate\\accelerate.exe\" /S"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LXCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCCtime.dll,_RunDLLEntry@16"
"lxccmon.exe"="\"C:\\Program Files\\Lexmark 3300 Series\\lxccmon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E660B88E-B88E-6606-8E66-88E6088E6606}"=""
"{6E66606B-06B8-B806-8E66-8888E606B866}"=""
"{E660B88E-B88E-6606-8E66-88E606606}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"zz"="C:\\WINDOWS\\system32\\intenet.exe"
"zx"="C:\\WINDOWS\\system32\\intenet.exe"
"wow"="C:\\WINDOWS\\system32\\Launcher.exe"
"rx"="C:\\WINDOWS\\system32\\explore.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"KernelCheck"="C:\\WINDOWS\\system32\\winasse.exe"
"9"="C:\\WINDOWS\\system32\\vpcrm.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ HijackThis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061119-145437-219
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061119-145437-136
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-207
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-392
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-997
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-217
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061117-155047-630
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061117-155047-816
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061117-155047-421
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
backup-20061117-155047-641
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
backup-20061117-155047-724
O1 - Hosts: 61.152.90.31 zt.abcoll.com
backup-20061117-155047-453
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
Completion time: 06-11-19 16:37:28.59
C:\ComboFix.txt ... 06-11-19 16:37
|
Senior Member
|
19. November 2006 @ 12:41 |
Link to this message
|
Okay, you don't have AVGAS, you've got Ewido. AVGAS is Ewido, updated. I think AVGAS will find and remove a lot. If not, we'll remove what it can't manually.
Uninstall Ewido then go here to download the trial version of AVG Anti-spyware.
Install and open AVGAS.
Click "Update" then click "Start update".
After updating, close AVGAS.
Restart in safe mode.
Open AVGAS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Important!--> Click "Save Report" and save it to the desktop.
Restart in normal mode and run ComboFix again.
Post back with the AVGAS report and the new ComboFix log.
|
|
frnresq
Junior Member
|
20. November 2006 @ 00:46 |
Link to this message
|
General properties;""
Report name;"Complete Test"
Start time;"11/19/2006 10:10:05 PM"
End time;"11/19/2006 11:01:44 PM (total: 51:39.1 Min)"
Launch method;"Scanning launched manually"
Scanning result;"No threats found"
Report status;"Scanning completed successfully"
;""
Object summary;""
Scanned;"45637"
Threats Found;"0"
Cleaned;"0"
Moved to vault;"0"
Deleted;"0"
Errors;"1"
C:\WINDOWS\system32\mssync20.exe;"Reading error";"Error"
C:\WINDOWS\system32\drivers\etc\hosts;"Change";"Changed"
Shane Farr - 06-11-20 5:45:51.42 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Shane Farr\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\regedit.com
((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))
2006-11-18 21:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-11-18 21:48 <DIR> d-------- C:\!KillBox
2006-11-17 13:14 225,280 --a------ C:\PlayerHost.dll
2006-11-14 15:30 <DIR> d-------- C:\Program Files\Java
2006-11-14 15:30 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-14 15:29 <DIR> d--hs---- C:\Config.Msi
2006-11-14 14:22 3,970 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-14 14:12 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-14 14:08 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-14 14:08 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-14 14:08 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-14 14:08 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-14 14:08 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-14 14:08 <DIR> d-------- C:\Program Files\Grisoft
2006-11-14 14:08 <DIR> d-------- C:\Documents and Settings\Shane Farr\Application Data\AVG7
2006-11-14 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-14 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\WINLOGON.EXE
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\rundll32.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\MSCONFIG.COM
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\finder.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\dxdiag.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\system32\command.pif
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\finder.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\explorer.com
2006-11-13 16:34 37,679 -r-hs---- C:\WINDOWS\ExERoute.exe
2006-11-13 16:34 37,679 -r-hs---- C:\Program Files\Common Files\iexplore.pif
2006-11-13 16:34 37,679 --------- C:\WINDOWS\1.com
2006-11-07 17:20 0 --a------ C:\WINDOWS\system32\drivers\moduleusb.sys
2006-11-05 14:46 <DIR> d-------- C:\WINDOWS\Intel
2006-11-03 09:41 <DIR> d-------- C:\Program Files\CDDVD Cover Builder
2006-11-03 09:36 73,216 --a------ C:\WINDOWS\cadkasdeinst01e.exe
2006-11-03 09:23 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2006-11-03 09:23 <DIR> d-------- C:\Program Files\DVDCoverPrint
2006-10-29 20:32 <DIR> d-------- C:\WINDOWS\LxkSkins
2006-10-29 20:32 <DIR> d-------- C:\Program Files\Lexmark Skins
2006-10-23 19:32 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-23 19:31 6,912 --a------ C:\WINDOWS\system32\drivers\atibtxbr.sys
2006-10-23 19:31 58,240 --a------ C:\WINDOWS\system32\drivers\atibtcap.sys
2006-10-23 19:31 28,416 --a------ C:\WINDOWS\system32\drivers\ativxstw.sys
2006-10-23 19:31 17,664 --a------ C:\WINDOWS\system32\drivers\ativtutw.sys
2006-10-22 10:00 <DIR> d-------- C:\Program Files\ICOO Loader
2006-10-21 08:45 <DIR> d-------- C:\Documents and Settings\Shane Farr\Application Data\FaxCtr
2006-10-20 17:54 32,768 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2006-10-20 17:54 20,480 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2006-10-20 17:54 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2006-10-20 17:53 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2006-10-20 17:53 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2006-10-20 17:53 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2006-10-20 17:53 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2006-10-20 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2006-10-20 17:47 <DIR> d-------- C:\Program Files\Lx_cats
2006-10-20 17:46 983,092 --a------ C:\WINDOWS\system32\lxccgf.dll
2006-10-20 17:46 94,208 --a------ C:\WINDOWS\system32\lxccinsr.dll
2006-10-20 17:46 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2006-10-20 17:46 86,016 --a------ C:\WINDOWS\system32\lxcccub.dll
2006-10-20 17:46 753,664 --a------ C:\WINDOWS\system32\lxcchbn3.dll
2006-10-20 17:46 667,648 --a------ C:\WINDOWS\system32\lxcccomc.dll
2006-10-20 17:46 65,536 -ra------ C:\WINDOWS\system32\lxcccfg.dll
2006-10-20 17:46 638,976 --a------ C:\WINDOWS\system32\lxccpmui.dll
2006-10-20 17:46 61,440 --a------ C:\WINDOWS\system32\lxcccu.dll
2006-10-20 17:46 487,424 --a------ C:\WINDOWS\system32\lxcclmpm.dll
2006-10-20 17:46 466,944 --a------ C:\WINDOWS\system32\lxcccoms.exe
2006-10-20 17:46 401,408 --a------ C:\WINDOWS\system32\lxcccomm.dll
2006-10-20 17:46 40,960 --a------ C:\WINDOWS\system32\lxccvs.dll
2006-10-20 17:46 380,928 --a------ C:\WINDOWS\system32\lxccutil.dll
2006-10-20 17:46 372,736 --a------ C:\WINDOWS\system32\lxcccfg.exe
2006-10-20 17:46 356,352 --a------ C:\WINDOWS\system32\lxccih.exe
2006-10-20 17:46 32,768 --a------ C:\WINDOWS\system32\lxcccur.dll
2006-10-20 17:46 172,032 --a------ C:\WINDOWS\system32\lxccinsb.dll
2006-10-20 17:46 143,360 --a------ C:\WINDOWS\system32\lxccprox.dll
2006-10-20 17:46 135,168 --a------ C:\WINDOWS\system32\lxccjswr.dll
2006-10-20 17:46 131,072 --a------ C:\WINDOWS\system32\lxccins.dll
2006-10-20 17:46 114,688 --a------ C:\WINDOWS\system32\lxccpplc.dll
2006-10-20 17:46 1,150,976 --a------ C:\WINDOWS\system32\lxccserv.dll
2006-10-20 17:46 1,134,592 --a------ C:\WINDOWS\system32\lxccusb1.dll
2006-10-20 17:46 <DIR> d-------- C:\Temp
2006-10-20 17:46 <DIR> d-------- C:\Program Files\Lexmark 3300 Series
2006-10-20 17:44 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-10-20 15:18 41,472 --a------ C:\WINDOWS\system32\xydll.dll
2006-10-20 15:18 <DIR> d-------- C:\WINDOWS\Download
2006-10-20 12:42 20,096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-19 16:37 -------- d-------- C:\Program Files\Common Files
2006-11-19 10:56 -------- d-------- C:\Program Files\Internet Explorer
2006-11-17 05:27 -------- d---s---- C:\Documents and Settings\Shane Farr\Application Data\Microsoft
2006-11-15 20:40 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Adobe
2006-11-14 14:12 -------- d-------- C:\Program Files\Common Files\System
2006-11-14 14:11 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-11-13 18:00 33 --a------ C:\WINDOWS\vbarun.dll
2006-11-13 16:56 -------- d-------- C:\Program Files\Common Files\update
2006-11-01 12:31 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Roxio
2006-10-23 19:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-23 04:37 -------- d-------- C:\Program Files\WinRAR
2006-10-22 07:51 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-15 09:14 -------- d-------- C:\Program Files\Acoustica CD Label Maker
2006-10-15 08:24 -------- d-------- C:\Program Files\Webroot
2006-10-15 08:24 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Webroot
2006-10-11 17:39 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-10 19:13 -------- d-------- C:\Program Files\RegistryFix
2006-10-10 18:06 -------- d-------- C:\Program Files\Messenger
2006-10-09 17:26 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\Acoustica
2006-10-05 18:44 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-10-05 18:43 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-10-05 10:35 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\AdobeUM
2006-09-25 23:08 -------- d-------- C:\Documents and Settings\Shane Farr\Application Data\SearchToolbarCorp
2006-09-08 22:02 51271 --a------ C:\WINDOWS\system32\csuxt.exe
2006-09-07 20:32 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2006-09-02 08:55 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-09-02 07:07 626688 --a------ C:\WINDOWS\system32\dfxg11.dll
2006-09-01 21:07 0 -rahs---- C:\MSDOS.SYS
2006-09-01 21:07 0 -rahs---- C:\IO.SYS
2006-09-01 16:54 62 --ahs---- C:\Documents and Settings\Shane Farr\Application Data\desktop.ini
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"Accelerate"="\"C:\\Program Files\\Webroot\\Accelerate\\accelerate.exe\" /S"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LXCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCCtime.dll,_RunDLLEntry@16"
"lxccmon.exe"="\"C:\\Program Files\\Lexmark 3300 Series\\lxccmon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E660B88E-B88E-6606-8E66-88E6088E6606}"=""
"{6E66606B-06B8-B806-8E66-8888E606B866}"=""
"{E660B88E-B88E-6606-8E66-88E606606}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"zz"="C:\\WINDOWS\\system32\\intenet.exe"
"zx"="C:\\WINDOWS\\system32\\intenet.exe"
"wow"="C:\\WINDOWS\\system32\\Launcher.exe"
"rx"="C:\\WINDOWS\\system32\\explore.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"KernelCheck"="C:\\WINDOWS\\system32\\winasse.exe"
"9"="C:\\WINDOWS\\system32\\vpcrm.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ HijackThis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061119-145437-219
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061119-145437-136
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-207
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-392
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-997
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061118-215022-217
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061117-155047-630
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061117-155047-816
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
backup-20061117-155047-421
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
backup-20061117-155047-641
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
backup-20061117-155047-724
O1 - Hosts: 61.152.90.31 zt.abcoll.com
backup-20061117-155047-453
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
Completion time: 06-11-20 5:46:31.32
C:\ComboFix.txt ... 06-11-20 05:46
|
Senior Member
|
20. November 2006 @ 02:10 |
Link to this message
|
Still didn't download AVGAS, but never mind that now. We'll just remove them manually...*sigh*
We'll just run another online scan in its place.
Note: print these instructions or copy to Notepad and save them.
Restart in safe mode.
Open KillBox and delete these as you did the others. Do not miss any.
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\system32\rundll32.com
C:\WINDOWS\system32\MSCONFIG.COM
C:\WINDOWS\system32\finder.com
C:\WINDOWS\system32\dxdiag.com
C:\WINDOWS\system32\command.pif
C:\WINDOWS\finder.com
C:\WINDOWS\explorer.com
C:\WINDOWS\ExERoute.exe
C:\Program Files\Common Files\iexplore.pif
C:\WINDOWS\1.com
C:\WINDOWS\cadkasdeinst01e.exe
C:\WINDOWS\system32\xydll.dll
C:\WINDOWS\vbarun.dll
C:\WINDOWS\system32\intenet.exe
C:\WINDOWS\system32\Launcher.exe
C:\WINDOWS\system32\explore.exe
C:\WINDOWS\system32\winasse.exe
C:\WINDOWS\system32\vpcrm.exe
Exit KillBox.
Delete these folder: (it's consider spyware by Lexmark and really isn't needed)
C:\Program Files\Lx_cats
Look for these folders and delete them if they are empty. If they contain files, please tell me what the files are.
C:\WINDOWS\Intel
C:\WINDOWS\Download
Restart in normal mode.
[edit] I just found out there is another bad entry in your HjT log.
Run a scan only with HjT and fix this:
F2 - REG:system.ini: Shell=Explorer.exe 1
Close HijackThis. [/edit]
Then, copy the following bold text into Notepad(Not Wordpad!).
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Torjan Program"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Torjan Program"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"zz"=-
"zx"=-
"wow"-
"rx"-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"KernelCheck"=-
"9"=-
Make sure there are no blank lines before REGEDIT4.
Name the file Fix.reg
Change the "Save as Type" to All Files and save it on the desktop.
Open the Fix.reg file and click Yes when prompted to merge.
Restart your computer. <--Important!
Then, download Rootkit Revealer from here.
Create a new folder, named RKR, in C:\
Extract the files to the new folder.
Open RootkitRevealer.exe.
Close all other windows and click the "Scan".
Important: Leave the computer idle while the scan runs.
When the scan is finished, click File > Save... to save the text file to the C:\RKR\ folder.
Go here to run ActiveScan.
Click "Panda ActiveScan".
Fill in the form with your information.
After downloading, click My Computer to scan.
When it finishes, click "See Report".
Click "Save report" and save it to the desktop.
Run a scan with HijackThis and save the log.
Post back with the Rootkit Revealer log, the ActiveScan log, and the new HjT log.
This message has been edited since posting. Last time this message was edited on 20. November 2006 @ 02:23
|
|
frnresq
Junior Member
|
20. November 2006 @ 07:27 |
Link to this message
|
|
quick question before i do Killbox, will i be able open anything after i delete those lines? Last time i did it, i couldnt open anything at all. And as for the AVAG, i removed the other antivirus and dl'd the one you told me to.
|
Senior Member
|
20. November 2006 @ 08:56 |
Link to this message
|
Quote:
will i be able open anything after i delete those lines?
Yes. If not, reboot like you did last time.
Quote:
And as for the AVAG, i removed the other antivirus and dl'd the one you told me to.
I didn't see it in your ComboFix log and the report you posted is not from AVGAS. :)
|
|
frnresq
Junior Member
|
21. November 2006 @ 10:06 |
Link to this message
|
|
sorry it took so long to get back, but what i feared happened, i can not access anything at all and i get errors when rebooting and desktop pops up. "Windows cannot access the ......". So i have no idea what to do, ive tried rebooting quite a few times and still the same thing, i cannot open anything on the desktop ...says missing "exe" file. Im on my other PC atm....stumped. lol
|
|
frnresq
Junior Member
|
21. November 2006 @ 12:07 |
Link to this message
|
|
Im totally at a loss, i cant open anything at all, am i gonna have to dump my drive?....ohh hell i hope not, im soo tired of doing that.
|
|
Advertisement
|
|
|
Senior Member
|
21. November 2006 @ 14:49 |
Link to this message
|
Wow, this thing has your computer by the jewels!
We can try something to get those files back. I was lurking on another forum the other day and a poster couldn't open exe files because of malware. The helper gave him a reg file to fix the problem. Although, 4 days later, the poster ended up reformatting because the problem came back. I'm not saying it would work for you, but it's your choice if you would like to try it. I will send the reg file your way if so.
Other than that, I would say reformat anyway. You've got more than one backdoor and complicated ones I must say. Backdoors are serious, yours in specific include(d) a variant of WoW and a variant of LegMir.
LegMir is more serious than WoW and allows others to access your computer, but both are password stealers.
Read here for more info about the WoW trojan.
Read here for more info about LegMir.
Personally, if that were my computer I'd just start over. Many experts believe after a computer is infected with a backdoor the computer can not be trusted again unless you reformat the HD.
You say you're tired of reformatting so I assume you've done it before. Was the reformat necessary because of malware the last time/s?
Let me know if you would like to try the reg file or reformat and I'll help where I can.
|
|
