-
Virtumonde, CmdService, SmitFraud-C.CoreService
Wow, my girlfriend's computer is plagued with issues! Originally it was just SmitFraud-C.CoreService, but as I scanned the computer with Spybot, some new problems arose that I also could not delete (Virtumonde, CmdService). I would appreciate any help on this issue, as my previous attempts to fix this problem myself have gone awry.
I tried running the online virus scan, but it always seems to crash my computer. Here is the log for HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 7:53:11 PM, on 6/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.60/trafc-2/rfe.php...7389&lid=&url=
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O4 - HKLM\..\Run: [{EC-CC-CD-D5-ZN}] C:\windows\system32\njdsrego.exe CHD003
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinkodt.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\okexrphu.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VFQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Once again, I appreciate you guys taking the time out to help with these issues!
-
Visiting Fellow
Hi,
I see you are running in Windows Safe mode. Next steps should be performed in Windows Normal mode, because some tools do not properly work in Windows safe mode.
First of all, I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
- Viewpoint
- Viewpoint Manager
- Viewpoint Media Player
Then, * Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
-
ComboFix 07-06-18.2 - C:\Documents and Settings\TT\Desktop\ComboFix.exe
"TT" - 2007-06-19 15:56:30 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\aqgdcxhw.dll
C:\WINDOWS\system32\ejnkflcf.dll
C:\WINDOWS\system32\jpvivwtf.dll
C:\WINDOWS\system32\ohdtuvih.dll
C:\WINDOWS\system32\okexrphu.dll
C:\WINDOWS\system32\osnvvpld.dll
C:\WINDOWS\system32\pmfjphis.dll
C:\WINDOWS\system32\tworacah.dll
C:\WINDOWS\system32\vppackhp.dll
C:\WINDOWS\system32\gebxvuv.dll
C:\WINDOWS\system32\whxcdgqa.ini
C:\WINDOWS\system32\hivutdho.ini
C:\WINDOWS\system32\uhprxeko.ini
C:\WINDOWS\system32\dlpvvnso.ini
C:\WINDOWS\system32\sihpjfmp.ini
C:\WINDOWS\system32\psvut.bak1
C:\WINDOWS\system32\psvut.bak2
C:\WINDOWS\system32\psvut.ini
C:\WINDOWS\system32\psvut.bak1
C:\WINDOWS\system32\psvut.bak2
C:\WINDOWS\system32\psvut.ini
C:\WINDOWS\system32\tuvsp.dll
C:\WINDOWS\system32\khffday.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\TT\APPLIC~1.\icroso~1.net
C:\DOCUME~1\TT\MYDOCU~1.\smbols~1
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\inetget2
C:\Program Files\mcroso~1
C:\Program Files\NetMeeting\viqicapog.dll
C:\Program Files\NetMeeting\viqicapog827.dll
C:\Program Files\NetMeeting\zyzoqyjafs.html
C:\Program Files\ppatch~1
C:\Program Files\smbols~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\SET13.tmp
C:\Program Files\webhancer\Programs\SET15.tmp
C:\Program Files\webhancer\Programs\SET17.tmp
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Program Files\ymante~1
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\17O7
C:\Temp\17O7\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\smpi1\lb66.exe
C:\WINDOWS\system32\smpi1\lib67.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\amwr.exe
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))
2007-06-19 15:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 15:39 933 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-19 15:39 105,434 --a------ C:\WINDOWS\qwr67.exe
2007-06-18 14:30 2,580 --a------ C:\WINDOWS\system32\bdvpspuf.exe
2007-06-18 14:29 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-06-18 14:15 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-18 14:15 <DIR> d-------- C:\Program Files\svhost
2007-06-18 14:14 <DIR> d-------- C:\WINDOWS\system32\o09PrEz
2007-06-18 14:14 <DIR> d-------- C:\Temp\iee
2007-06-18 14:03 36,352 --a------ C:\WINDOWS\poolsv.exe
2007-06-16 11:51 <DIR> d-------- C:\Program Files\Bodog Poker
2007-06-15 17:21 <DIR> d-------- C:\WINDOWS\uzfk
2007-06-15 17:21 <DIR> d-------- C:\Program Files\Common Files\uzfk
2007-06-13 16:16 <DIR> d-------- C:\Program Files\WinPop
2007-06-11 10:28 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-10 20:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Google
2007-06-10 18:02 <DIR> d--hs---- C:\WINDOWS\VFQ
2007-06-10 17:55 2,580 --a------ C:\WINDOWS\system32\qrjaiyhk.exe
2007-06-10 17:40 172,544 --a------ C:\WINDOWS\system32\wpkorwy.dll
2007-06-10 17:40 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 17:40 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-10 17:40 <DIR> d-------- C:\Temp\x2b
2007-05-29 10:49 192,599 --a------ C:\WINDOWS\system32\mwinkodt.exe
2007-05-22 22:30 <DIR> d-------- C:\hijackthis
2007-05-20 22:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-20 22:06 184,393 --a------ C:\WINDOWS\system32\mwinkodu.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-19 21:20:40 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-19 20:48:59 -------- d-----w C:\Program Files\Plaxo
2007-06-18 19:14:39 -------- d-----w C:\Program Files\poolsv
2007-06-13 18:12:05 -------- d-----w C:\Program Files\Trillian
2007-05-26 00:03:22 3,172 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-17 22:54:23 82,439 ----a-w C:\WINDOWS\system32\msorcl32.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 00:20:07 -------- d-----w C:\DOCUME~1\TT\APPLIC~1\Lavasoft
2007-05-15 00:18:32 -------- d-----w C:\Program Files\Lavasoft
2007-05-15 00:17:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-07 04:55:38 -------- d--h--w C:\DOCUME~1\TT\APPLIC~1\Move Networks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 00:59:35 16,065,000 --s-a-w C:\WINDOWS\system32\FotkiUploadThumbDB.dat
2007-04-20 00:59:30 86,400,000 --s-a-w C:\WINDOWS\system32\FotkiThumbDB.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\VFQ\pIk.vbs
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3756C32F-A958-49CE-BD47-6DBCE4D65347}=C:\WINDOWS\system32\khfec.dll []
{472A86D6-A706-46AC-AF71-0398DC95A9D5}=C:\WINDOWS\system32\acvtijxv.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{B1E477E8-3088-4D36-A9B8-60A60BC75506}=C:\WINDOWS\system32\acvtijxv.dll []
{C869ECB7-0915-4AF3-AF74-BFB15EBD970F}=\ [2007-06-19 16:20]
{D4773079-1F56-448D-9219-DCBB8D654270}=C:\WINDOWS\system32\vtutq.dll []
{E7FC5AA7-B1D8-41C8-B05E-4E9072E5E3E8}=C:\Program Files\ComPlus Applications\ryfyjon.dll [2007-04-06 14:27]
{ebb92ebf-e4f6-4570-bf2b-33e0bc206306}=C:\WINDOWS\system32\wpkorwy.dll [2007-06-10 17:40]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 13:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-28 14:59]
"DC6_Check"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe" []
"ERS_Check"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe" []
"mav_startupmon"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 21:41]
"Abvi"="C:\Documents and Settings\TT\Application Data\?icrosoft.NET\?canregw.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" []
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\NetMeeting\zyzoqyjafs.html
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaaab]
efcaaab.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbyw]
iifcbyw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
-
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 16:21:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????????h????????? ?deB???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-19 16:23:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 16:22
--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\aqgdcxhw.dll
C:\WINDOWS\system32\ejnkflcf.dll
C:\WINDOWS\system32\jpvivwtf.dll
C:\WINDOWS\system32\ohdtuvih.dll
C:\WINDOWS\system32\okexrphu.dll
C:\WINDOWS\system32\osnvvpld.dll
C:\WINDOWS\system32\pmfjphis.dll
C:\WINDOWS\system32\tworacah.dll
C:\WINDOWS\system32\vppackhp.dll
C:\WINDOWS\system32\gebxvuv.dll
C:\WINDOWS\system32\whxcdgqa.ini
C:\WINDOWS\system32\hivutdho.ini
C:\WINDOWS\system32\uhprxeko.ini
C:\WINDOWS\system32\dlpvvnso.ini
C:\WINDOWS\system32\sihpjfmp.ini
C:\WINDOWS\system32\psvut.bak1
C:\WINDOWS\system32\psvut.bak2
C:\WINDOWS\system32\psvut.ini
C:\WINDOWS\system32\psvut.bak1
C:\WINDOWS\system32\psvut.bak2
C:\WINDOWS\system32\psvut.ini
C:\WINDOWS\system32\tuvsp.dll
C:\WINDOWS\system32\khffday.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\TT\APPLIC~1.\icroso~1.net
C:\DOCUME~1\TT\MYDOCU~1.\smbols~1
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\inetget2
C:\Program Files\mcroso~1
C:\Program Files\NetMeeting\viqicapog.dll
C:\Program Files\NetMeeting\viqicapog827.dll
C:\Program Files\NetMeeting\zyzoqyjafs.html
C:\Program Files\ppatch~1
C:\Program Files\smbols~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\SET13.tmp
C:\Program Files\webhancer\Programs\SET15.tmp
C:\Program Files\webhancer\Programs\SET17.tmp
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Program Files\ymante~1
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\17O7
C:\Temp\17O7\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\smpi1\lb66.exe
C:\WINDOWS\system32\smpi1\lib67.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\amwr.exe
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-19 21:21:34 -------- d-----w C:\Program Files\Plaxo
2007-06-19 21:20:42 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-18 19:14:39 -------- d-----w C:\Program Files\poolsv
2007-06-13 18:12:05 -------- d-----w C:\Program Files\Trillian
2007-05-26 00:03:22 3,172 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-17 22:54:23 82,439 ----a-w C:\WINDOWS\system32\msorcl32.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 00:20:07 -------- d-----w C:\DOCUME~1\TT\APPLIC~1\Lavasoft
2007-05-15 00:18:32 -------- d-----w C:\Program Files\Lavasoft
2007-05-15 00:17:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-07 04:55:38 -------- d--h--w C:\DOCUME~1\TT\APPLIC~1\Move Networks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 00:59:35 16,065,000 --s-a-w C:\WINDOWS\system32\FotkiUploadThumbDB.dat
2007-04-20 00:59:30 86,400,000 --s-a-w C:\WINDOWS\system32\FotkiThumbDB.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\VFQ\pIk.vbs
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3756C32F-A958-49CE-BD47-6DBCE4D65347}=C:\WINDOWS\system32\khfec.dll []
{472A86D6-A706-46AC-AF71-0398DC95A9D5}=C:\WINDOWS\system32\acvtijxv.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{B1E477E8-3088-4D36-A9B8-60A60BC75506}=C:\WINDOWS\system32\acvtijxv.dll []
{C869ECB7-0915-4AF3-AF74-BFB15EBD970F}=\ [2007-06-19 16:22]
{D4773079-1F56-448D-9219-DCBB8D654270}=C:\WINDOWS\system32\vtutq.dll []
{E7FC5AA7-B1D8-41C8-B05E-4E9072E5E3E8}=C:\Program Files\ComPlus Applications\ryfyjon.dll [2007-04-06 14:27]
{ebb92ebf-e4f6-4570-bf2b-33e0bc206306}=C:\WINDOWS\system32\wpkorwy.dll [2007-06-10 17:40]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 13:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-28 14:59]
"DC6_Check"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe" []
"ERS_Check"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe" []
"mav_startupmon"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 21:41]
"Abvi"="C:\Documents and Settings\TT\Application Data\?icrosoft.NET\?canregw.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" []
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\NetMeeting\zyzoqyjafs.html
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaaab]
efcaaab.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbyw]
iifcbyw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 16:24:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????????h????????? ?deB???????????????B? ??????
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-19 16:25:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 16:25
--- E O F ---
-
The previous 2 posts were the ComboFix logs cut in half because it could not fit in one post.
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 16:28, on 2007-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
O2 - BHO: (no name) - {3756C32F-A958-49CE-BD47-6DBCE4D65347} - C:\WINDOWS\system32\khfec.dll (file missing)
O2 - BHO: (no name) - {472A86D6-A706-46AC-AF71-0398DC95A9D5} - C:\WINDOWS\system32\acvtijxv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B1E477E8-3088-4D36-A9B8-60A60BC75506} - C:\WINDOWS\system32\acvtijxv.dll (file missing)
O2 - BHO: (no name) - {C869ECB7-0915-4AF3-AF74-BFB15EBD970F} - \
O2 - BHO: (no name) - {D4773079-1F56-448D-9219-DCBB8D654270} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: (no name) - {E7FC5AA7-B1D8-41C8-B05E-4E9072E5E3E8} - C:\Program Files\ComPlus Applications\ryfyjon.dll
O2 - BHO: (no name) - {ebb92ebf-e4f6-4570-bf2b-33e0bc206306} - C:\WINDOWS\system32\wpkorwy.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe"
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Abvi] "C:\Documents and Settings\TT\Application Data\?icrosoft.NET\?canregw.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: efcaaab - efcaaab.dll (file missing)
O20 - Winlogon Notify: iifcbyw - iifcbyw.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
You were right about the Viewpoint program. I deleted the media player and another related program from the list.
-
I just realized the ComboFix log contained the same thing twice. It might be because I ran this file called "ComboFix.txt.bat" thinking it was the log, and the log creator popped up again.
-
Visiting Fellow
-
Sorry for the confusion! The .bat file appeared where the log file was supposed to be. I thought they were the same thing, but it turns out it executed a process that wrote another log file.
Here's the new log:
ComboFix 07-06-18.2 - C:\Documents and Settings\TT\Desktop\ComboFix.exe
"TT" - 2007-06-19 19:30:43 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\TT\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\ComPlus Applications\ryfyjon.dll
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\WinPop
C:\Program Files\WinPop\UnInstall.exe
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\system32\wpkorwy.dll
C:\WINDOWS\VFQ
C:\WINDOWS\VFQ\pIk.vbs
((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))
2007-06-19 15:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 15:39 933 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-19 15:39 105,434 --a------ C:\WINDOWS\qwr67.exe
2007-06-18 14:30 2,580 --a------ C:\WINDOWS\system32\bdvpspuf.exe
2007-06-18 14:29 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-06-18 14:15 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-18 14:15 <DIR> d-------- C:\Program Files\svhost
2007-06-18 14:14 <DIR> d-------- C:\WINDOWS\system32\o09PrEz
2007-06-18 14:14 <DIR> d-------- C:\Temp\iee
2007-06-18 14:03 36,352 --a------ C:\WINDOWS\poolsv.exe
2007-06-16 11:51 <DIR> d-------- C:\Program Files\Bodog Poker
2007-06-15 17:21 <DIR> d-------- C:\WINDOWS\uzfk
2007-06-15 17:21 <DIR> d-------- C:\Program Files\Common Files\uzfk
2007-06-11 10:28 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-10 20:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Google
2007-06-10 17:55 2,580 --a------ C:\WINDOWS\system32\qrjaiyhk.exe
2007-06-10 17:40 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-10 17:40 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-10 17:40 <DIR> d-------- C:\Temp\x2b
2007-05-29 10:49 192,599 --a------ C:\WINDOWS\system32\mwinkodt.exe
2007-05-22 22:30 <DIR> d-------- C:\hijackthis
2007-05-20 22:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-20 22:06 184,393 --a------ C:\WINDOWS\system32\mwinkodu.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-19 21:21:34 -------- d-----w C:\Program Files\Plaxo
2007-06-19 21:20:42 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-13 18:12:05 -------- d-----w C:\Program Files\Trillian
2007-05-26 00:03:22 3,172 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 00:20:07 -------- d-----w C:\DOCUME~1\TT\APPLIC~1\Lavasoft
2007-05-15 00:18:32 -------- d-----w C:\Program Files\Lavasoft
2007-05-15 00:17:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-07 04:55:38 -------- d--h--w C:\DOCUME~1\TT\APPLIC~1\Move Networks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 00:59:35 16,065,000 --s-a-w C:\WINDOWS\system32\FotkiUploadThumbDB.dat
2007-04-20 00:59:30 86,400,000 --s-a-w C:\WINDOWS\system32\FotkiThumbDB.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 13:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-28 14:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 21:41]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 19:34:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????????h????????? ?deB???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-19 19:35:20
C:\ComboFix-quarantined-files.txt ... 2007-06-19 19:34
C:\ComboFix2.txt ... 2007-06-19 16:25
--- E O F ---
-
And here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 19:37, on 2007-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
As I am typing this, I have noticed there have been no popups and this laptop has been running considerably smoother than it has been throughout the ordeal.
-
Visiting Fellow
Hi,
We're not finished yet. In my previous removal instructions, I was looking at the last log from Combofix you posted, instead of the first one, and I see some more files and folders need to get removed..
So, open the ComboFix-Do.txt and edit out its contents.
Then copy and paste next contents in it:
File::
C:\WINDOWS\system32\mwinkodu.exe
C:\WINDOWS\system32\qrjaiyhk.exe
C:\WINDOWS\system32\mwinkodt.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\qwr67.exe
C:\WINDOWS\system32\bdvpspuf.exe
Folder::
C:\WINDOWS\system32\win
C:\Program Files\svhost
C:\WINDOWS\system32\o09PrEz
C:\Temp\iee
C:\WINDOWS\uzfk
C:\Program Files\Common Files\uzfk
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T1QaSQ
C:\Temp\x2b
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you did before.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
