Winlogon.exe issues

Computing.Net > Forums > Security and Virus > Winlogon.exe issues

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Winlogon.exe issues

Name: fyonnaskye
Date: April 6, 2007 at 10:46:12 Pacific
OS: XP
CPU/Ram: Processor: Pentium 4 Ram:
Product: ABS Computer Technologies

Comment:

Hello, I would really appreciate any help that you all might be able to offer. I've been working on this winlogon issue for 2 weeks and I'm about to pull my hair out.
For some reason I thought it would be a smart idea to download software from LimeWire. HA!! Turns out I downloaded more trojans than I can count. I thought Norton had found it all, but I wanted to double check by running SpyBot, AdAware, Solo, PC Tools, Spyware Terminator, and Spy Sweeper. All of those programs found different items to get rid of but I'm still having a problem.
My system slows dramatically on occasion (Usually when PC Tools finds something it can't clean). When I check processes, it shows winlogon at about 26-28.
I don't know if this is related but PC Tools always finds a problem with WINDOWS\system32\awtqp.dll. It can never quarantine it and when I try to find it myself, it's not there (I showed hidden files).
I would be happy to provide my Hijack This log.

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: April 6, 2007 at 11:10:34 Pacific

Reply:

Go to start> control panel> add/remove programs and uninstall this program if found:
Limewire
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the log located at C:Vundofix.txt.
Post your Hijack This log.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Response Number 2

Name: fyonnaskye
Date: April 6, 2007 at 13:31:01 Pacific

Reply:

First, thank you so much for your very quick response. I really appreciate your help more than you know.
Here are the VundoFix and Hijack This logs you requested. I'm going to run Combo Fix right now. I'll post it as soon as it's done.
---------
VundoFix V6.3.19
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 2:16:32 PM 4/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\fccyxvt.dll
C:\WINDOWS\system32\hggdeee.dll
C:\WINDOWS\system32\ijkmp.tmp
C:\WINDOWS\system32\khffggh.dll
C:\WINDOWS\system32\ljjifdb.dll
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\rqrronn.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccyxvt.dll
C:\WINDOWS\system32\fccyxvt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hggdeee.dll
C:\WINDOWS\system32\hggdeee.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijkmp.tmp
C:\WINDOWS\system32\ijkmp.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\khffggh.dll
C:\WINDOWS\system32\khffggh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjifdb.dll
C:\WINDOWS\system32\ljjifdb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\pmkji.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\pqtwa.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrronn.dll
C:\WINDOWS\system32\rqrronn.dll Has been deleted!
Performing Repairs to the registry.
Done!
-----------
Logfile of HijackThis v1.99.1
Scan saved at 04:27, on 07-04-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\MsgSys.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Kimberly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {198239A7-257C-495A-B363-7AF2239EFD4F} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {70A5CF26-C5AB-4B4F-81BE-380CA621AABB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Internet Research Scout - {75A0D830-27F2-416B-82F7-CB67D0F0611B} - C:\PROGRA~1\INTERN~2\nnotes.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Dale Locks Trust Wipe] "C:\Documents and Settings\All Users\Application Data\soap multi dale locks\PlanHtm.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoloSchedule] C:\SRNMIC~1\SOLOCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Internet Research Scout - C:\Program Files\Internet Research Scout\nnotes.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Research Scout - {AFEFA0A9-F33C-425C-9C00-553FF5C97E01} - C:\PROGRA~1\INTERN~2\nnotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pr...
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.google.com/data/Goog...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v1...
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.playfirst.com/play/game/...
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/delta...
O20 - Winlogon Notify: cbxwwtt - cbxwwtt.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks again!

Response Number 3

Name: fyonnaskye
Date: April 6, 2007 at 13:45:33 Pacific

Reply:

ComboFix log:
[code]
04-08-29 16:07 723 --a--c--- C:\Qoobox\Quarantine\Program Files\INSTALL.LOG.vir
07-03-25 20:02 251 --a------ C:\Qoobox\Quarantine\INSTALL.LOG.vir
07-04-06 04:38 1176 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_MCHINJDRV.reg.cf
07-04-06 04:38 958 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf

Folder PATH listing
Volume serial number is 1CA2-ED95
C:\QOOBOX
\---Quarantine
| INSTALL.LOG.vir
|
+---Program Files
| INSTALL.LOG.vir
|
\---Registry_backups
LEGACY_MCHINJDRV.reg.cf
LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf

[/code]

Response Number 4

Name: jabuck
Date: April 6, 2007 at 13:58:02 Pacific

Reply:

Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop.
If not, double click the program again and it will finish.
Run Hijack This from normal mode, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {198239A7-257C-495A-B363-7AF2239EFD4F} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {70A5CF26-C5AB-4B4F-81BE-380CA621AABB} - (no file)
O20 - Winlogon Notify: cbxwwtt - cbxwwtt.dll (file missing)
Exit Hijack This.
Post the combofix log requested in response #1 and a new Hijack This log please.

Response Number 5

Name: fyonnaskye
Date: April 6, 2007 at 14:20:42 Pacific

Reply:

Oops, sorry! I gave you the wrong ComboFix log before. I've included the correct one this time. I followed your instructions for NoLop and Hijack This. The HJ log is included here as well.

-------
"Kimberly" - 07-04-06 4:31:57 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Kimberly\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\install.log
C:\install.log

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_MCHINJDRV
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS

((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))

2007-04-06 14:16 <DIR> d-------- C:\VundoFix Backups
2007-04-06 12:53 46 --a------ C:\AUTOEXEC.BAT
2007-04-06 12:53 <DIR> d-------- C:\SRN Micro
2007-04-06 11:09 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-04-06 11:09 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-04-06 11:09 15,360 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-04-06 11:09 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-04-06 11:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-04-04 12:20 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-04-04 10:48 135,936 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-04-04 10:43 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-04-04 10:43 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Spyware Terminator
2007-04-04 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-04-04 10:35 <DIR> d-------- C:\Program Files\Abexo
2007-04-04 10:31 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-04-04 10:18 164 --a------ C:\install.dat
2007-04-01 23:50 <DIR> d-------- C:\Program Files\RectAceCash
2007-04-01 23:50 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\RectAceCash
2007-04-01 23:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\soap multi dale locks
2007-04-01 23:48 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\.wyzo
2007-03-29 17:38 <DIR> d-------- C:\Program Files\Prison Tycoon
2007-03-29 00:39 <DIR> d-------- C:\DOCUME~1\Kimberly\.artofillusion
2007-03-28 23:44 <DIR> d-------- C:\Program Files\ArtOfIllusion
2007-03-28 16:49 <DIR> d-------- C:\Program Files\EwisoftWeb
2007-03-28 16:34 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Nvu
2007-03-26 22:59 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-03-26 18:09 <DIR> d-------- C:\Program Files\PHP
2007-03-26 17:55 <DIR> d-------- C:\zenCart
2007-03-23 17:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-03-23 17:58 <DIR> d-------- C:\Program Files\Media Player Classic
2007-03-23 17:57 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-03-22 21:40 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-22 17:04 <DIR> d-------- C:\712f0979ed143b37b9d7
2007-03-22 15:38 <DIR> d-------- C:\Program Files\Blender Foundation
2007-03-22 15:08 <DIR> d-------- C:\Program Files\Serif
2007-03-21 21:55 <DIR> d-------- C:\Program Files\Internet Research Scout
2007-03-21 21:00 <DIR> d-------- C:\Program Files\Microsoft Small Business
2007-03-21 20:54 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-03-21 20:49 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-03-19 11:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TERMINAL Studio
2007-03-14 13:43 <DIR> d-------- C:\Program Files\BitTorrent
2007-03-14 12:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-03-14 11:38 <DIR> d-------- C:\Program Files\Brain Booster
2007-03-13 13:47 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Jamdat
2007-03-13 13:04 <DIR> d-------- C:\Program Files\Mind Machine
2007-03-13 12:48 <DIR> d-------- C:\Program Files\Runic
2007-03-13 10:32 <DIR> d-------- C:\Program Files\Fizzball
2007-03-13 10:02 <DIR> d-------- C:\Program Files\Cinema Tycoon Gold
2007-03-13 09:36 <DIR> d-------- C:\Program Files\BFG
2007-03-09 13:51 <DIR> d-------- C:\DOCUME~1\Kimberly\Shared
2007-03-09 13:51 <DIR> d-------- C:\DOCUME~1\Kimberly\Incomplete
2007-03-09 13:34 <DIR> d-------- C:\DOCUME~1\Kimberly\.limewire
2007-03-09 11:05 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-03-09 11:04 <DIR> d-------- C:\Program Files\Dragons 7
2007-03-08 13:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Enkord
2007-03-08 11:26 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\WinRAR
2007-03-06 21:59 <DIR> d--h----- C:\DOCUME~1\Kimberly\APPLIC~1\Move Networks

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-06 04:21 288 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000002-00000000-0000000b-00001102-00000002-80661102}.dat
2007-04-06 04:21 288 --a------ C:\WINDOWS\system32\dvcstate-{00000002-00000000-0000000b-00001102-00000002-80661102}.dat
2007-04-04 12:24 -------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\pc tools
2007-04-02 19:53 -------- d--h----- C:\Program Files\installshield installation information
2007-03-28 23:41 -------- d-------- C:\Program Files\java
2007-03-28 22:19 -------- d-------- C:\Program Files\ubi soft
2007-03-28 22:17 -------- d-------- C:\Program Files\microids
2007-03-28 22:16 -------- d-------- C:\Program Files\syberia
2007-03-28 22:12 -------- d-------- C:\Program Files\google
2007-03-23 17:57 -------- d-------- C:\Program Files\quicktime
2007-03-23 09:58 44904 --a--c--- C:\DOCUME~1\Kimberly\APPLIC~1\gdipfontcachev1.dat
2007-03-14 15:23 -------- d-------- C:\Program Files\Common Files\sysgedata
2007-03-14 14:43 -------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\bittorrent
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --------- C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --------- C:\WINDOWS\system32\win32k.sys
2007-03-05 12:23 -------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\ctxm
2007-03-04 19:46 -------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\playfirst
2007-03-04 15:34 36 --a------ C:\WINDOWS\popcinfo.dat
2007-03-04 12:51 -------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\gaijin ent
2007-03-01 18:03 -------- d-------- C:\Program Files\wildtangent
2007-03-01 09:16 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-02-10 05:29 67952 --a------ C:\WINDOWS\system32\sqlctr90.dll
2007-02-10 05:29 2234224 --a------ C:\WINDOWS\system32\sqlncli.dll
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"NvMediaCenter"="\"RunDLL32.exe\" NvMCTray.dll,NvTaskbarInit"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"vptray"="\"C:\\Program Files\\NavNT\\vptray.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Dale Locks Trust Wipe"="\"C:\\Documents and Settings\\All Users\\Application Data\\soap multi dale locks\\PlanHtm.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"SoloSchedule"="C:\\SRNMIC~1\\SOLOCFG.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.exe "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.exe -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kimberly^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Kimberly\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Kimberly\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCTAV"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\PC Tools AntiVirus\\PCTAV.exe\" /MONITORSCAN"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareTerminatorShield"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{70A5CF26-C5AB-4B4F-81BE-380CA621AABB}"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://cognitivedistortion.com/img/...
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwwtt
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
Shell\AutoRun\command J:\SafeGuard\Windows\SafeGuard20.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{079acfa4-e7ed-11d8-ab7d-806d6172696f}]
Shell\AutoRun\command E:\Launch.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{76b6c050-62e6-11db-b045-00e06fa0d6c7}]
Shell\AutoRun\command J:\SafeGuard\Windows\SafeGuard20.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AF326ED69339E86A.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-06 4:41:56
C:\ComboFix-quarantined-files.txt ... 07-04-06 04:41

------------
Logfile of HijackThis v1.99.1
Scan saved at 5:16:10 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\MsgSys.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Kimberly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Internet Research Scout - {75A0D830-27F2-416B-82F7-CB67D0F0611B} - C:\PROGRA~1\INTERN~2\nnotes.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Dale Locks Trust Wipe] "C:\Documents and Settings\All Users\Application Data\soap multi dale locks\PlanHtm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Internet Research Scout - C:\Program Files\Internet Research Scout\nnotes.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Research Scout - {AFEFA0A9-F33C-425C-9C00-553FF5C97E01} - C:\PROGRA~1\INTERN~2\nnotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pr...
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.google.com/data/Goog...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v1...
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.playfirst.com/play/game/...
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/delta...
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-----------
Thanks

rdp console rdp console event id 1074 winlogon.exe	winlogon.exe hangs winlogon.exe +DOWNLOAD winlogon.exe exploit
See More

Response Number 6

Name: jabuck
Date: April 6, 2007 at 14:44:57 Pacific

Reply:

Once you you have completed the task in response #4 do the following.
Go to start> control panel> add/remove programs> and un install these programs:
SpywareTerminator ( It is on the rogue list)
LimeWire (unless you have the newest version it has spyware in it).
Next set msconfig to normal mode.
You java is out of date and should be updted as soon as possible. Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
. Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.
Post a new Hijack This log.

Response Number 7

Name: fyonnaskye
Date: April 6, 2007 at 15:35:26 Pacific

Reply:

Limewire was uninstalled per your instructions in Response Number 1.
Uninstalled Syware Terminator.
MSCONFIG is back to normal mode.
All old Java has been removed
New Java installed
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:30:36 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\MsgSys.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kimberly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Internet Research Scout - {75A0D830-27F2-416B-82F7-CB67D0F0611B} - C:\PROGRA~1\INTERN~2\nnotes.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Dale Locks Trust Wipe] "C:\Documents and Settings\All Users\Application Data\soap multi dale locks\PlanHtm.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Internet Research Scout - C:\Program Files\Internet Research Scout\nnotes.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Research Scout - {AFEFA0A9-F33C-425C-9C00-553FF5C97E01} - C:\PROGRA~1\INTERN~2\nnotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pr...
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.google.com/data/Goog...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v1...
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.playfirst.com/play/game/...
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/delta...
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Response Number 8

Name: sysop
Date: April 6, 2007 at 18:49:19 Pacific

Reply:

run spybot in safemode as this disables the drivers of the infection it will then repair any changes to the registry .. running in normal mode keeps the infection in the memory. also u will be able to delete any files that were running as a process in safeboot, otherwise in normal mode it wont let u delete any file thats running as a program ( process )( obviously b careful what u delete ) make sure u have the correct file(s)

Response Number 9

Name: jabuck
Date: April 6, 2007 at 19:36:48 Pacific

Reply:

I'm not sure that LOP.com was deleted.
Run Hijack This and remove this item:
O4 - HKLM\..\Run: [Dale Locks Trust Wipe] "C:\Documents and Settings\All Users\Application Data\soap multi dale locks\PlanHtm.exe"
Restart the computer then post a new Hijack This log and a new Combofix log please.

Response Number 10

Name: fyonnaskye
Date: April 7, 2007 at 08:57:51 Pacific

Reply:

I ran Spybot in safemode but all it found was a cookie and a keylogger that I installed to keep and eye on my step-daughters.
Anyway, the NoLop log says that it was removed. I followed your instructions to remove that item with Hijack This. Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:51 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kimberly\My Documents\Unzipped\hijackthis[1]\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Internet Research Scout - {75A0D830-27F2-416B-82F7-CB67D0F0611B} - C:\PROGRA~1\INTERN~2\nnotes.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Internet Research Scout - C:\Program Files\Internet Research Scout\nnotes.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Research Scout - {AFEFA0A9-F33C-425C-9C00-553FF5C97E01} - C:\PROGRA~1\INTERN~2\nnotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pr...
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.google.com/data/Goog...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v1...
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.playfirst.com/play/game/...
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/delta...
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I also have one more unrelated question. I have 5 instances of svchost.exe running. What the heck is that?

Response Number 11

Name: jabuck
Date: April 7, 2007 at 13:05:47 Pacific

Reply:

The svchost"s are normal, your Hijack This log is clean. How is the computer operating?

Response Number 12

Name: fyonnaskye
Date: April 7, 2007 at 17:04:17 Pacific

Reply:

My computer is running perfectly. You are a life saver. It's good to know that there are people out there willing to help complete strangers. You may have just restored my faith in humanity.
Thanks again!

Response Number 13

Name: jabuck
Date: April 7, 2007 at 17:09:11 Pacific

Reply:

Thank You, glad we could help.

Response Number 14

Name: doppleganger
Date: May 3, 2007 at 11:20:32 Pacific

Reply:

jabuck,
I also have an Application Error on winlogon.exe which, if not ignored, gives me a nasty blue screen and shutdown.
I could use some help identifying what the problem is.
Here is a hijack output from just now:
Logfile of HijackThis v1.99.1
Scan saved at 13:13, on 07-05-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\BCM VPN\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Exodus\Exodus.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\hardcopy\hardcopy.exe
C:\Program Files\Franklin Covey\Planner\Palm\hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 128.249.38.157 ezsys # EASY ARCHIVE SYSTEM
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Exodus] "C:\Program Files\Exodus\Exodus.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Baylor College of Medicine VPN Client v4.8.01.0300.lnk = C:\Program Files\BCM VPN\vpngui.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Hardcopy.LNK = C:\hardcopy\hardcopy.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://pmweb.bcm.edu
O16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - http://bcmaltns02.ad.bcm.edu/Altiri...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://bcmaltns02.ad.bcm.edu/Altiri...
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://adportal.bcm.tmc.edu/tsweb/m...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.bcm.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.bcm.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEBC62DA-9CA6-417A-B413-08E39C2EB1F3}: NameServer = 128.249.38.101,128.249.38.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.bcm.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.bcm.edu
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~1.1\RNetPin.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\BCM VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
I scanned for Fungo and found none, I ran ComboFix and got this output:
"wmohr" - 07-05-03 13:05:03 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\wmohr\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\drivers\fad.sys

((((((((((((((((((((((((((((((( Files Created from 2007-04-03 to 2007-05-03 ))))))))))))))))))))))))))))))))))

2007-05-03 12:55 <DIR> d-------- C:\VundoFix Backups
2007-05-03 09:01 <DIR> d-------- C:\!KillBox
2007-04-25 08:39 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-25 08:39 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-25 08:39 <DIR> d-------- C:\Program Files\Symantec
2007-04-25 08:39 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-25 08:31 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-25 00:14 <DIR> d-------- C:\DOCUME~1\wmohr\APPLIC~1\HotLavaGames
2007-04-11 13:56 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-04-11 13:55 <DIR> d-------- C:\DOCUME~1\wmohr\APPLIC~1\U3
2007-04-09 09:28 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-09 09:27 <DIR> d-------- C:\Program Files\Real
2007-04-09 09:27 <DIR> d-------- C:\Program Files\Common Files\Real
2007-04-09 09:26 <DIR> d-------- C:\DOCUME~1\wmohr\APPLIC~1\Real
2007-04-09 09:25 <DIR> d-------- C:\My Downloads
2007-04-04 22:49 <DIR> d-------- C:\Program Files\iTunes

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-03 11:25 -------- d-------- C:\Program Files\hp
2007-05-03 11:25 -------- d-------- C:\Program Files\hewlett-packard
2007-05-03 11:00 2401 --a------ C:\WINDOWS\system32\drivers\AlKernel.sys
2007-05-03 11:00 -------- d-------- C:\Program Files\symantec antivirus
2007-05-03 10:54 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-05-03 08:36 -------- d--h----- C:\Program Files\installshield installation information
2007-05-03 08:35 -------- d-------- C:\Program Files\ipod
2007-04-29 21:55 41 --a------ C:\AClient.dat
2007-03-21 23:29 -------- d-------- C:\Program Files\quicktime
2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 22:11 -------- d-------- C:\Program Files\windows media connect 2
2007-03-11 01:34 -------- d-------- C:\Program Files\partygaming
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 10:19 376832 --a------ C:\WINDOWS\riclient.exe
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 15:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{CA6319C0-31B7-401E-A518-A07C3DB8F777} c:\Program Files\BAE\BAE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"AeXAgentLogon"="C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe /logon"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"AClntUsr"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"pdfFactory Dispatcher v3"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis3a.exe\" /source=HKLM"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Exodus"="\"C:\\Program Files\\Exodus\\Exodus.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f22e72d-02f1-11db-9b89-806d6172696f}]
Shell\AutoRun\command D:\install.exe id= ver=1.0.0.0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-03 13:07:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Completion time: 07-05-03 13:07:57
C:\ComboFix-quarantined-files.txt ... 07-05-03 13:07
Any ideas?
bill

Sponsored Link

Ads by Google

URGENT HELP NEEDED.. adwa...

New Malware.j

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: Winlogon.exe issues

Application error with winlogon.exe

Summary

www.computing.net/answers/security/application-error-with-winlogonexe/27185.html

Is this vundo? winlogon.exe issue

Summary

www.computing.net/answers/security/is-this-vundo-winlogonexe-issue/27964.html

Desperate Need help - winlogon.exe

Summary

www.computing.net/answers/security/desperate-need-help-winlogonexe/20204.html

From the Geek Dictionary
laserdisc - First home video format to store audio and video on an optical disc. Unlike...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 7 Days.
Discuss in The Lounge
Poll History

Recent Posts
Google Won't Load!

facebook is not working

Blue Screen Reading

How to record phone calls to PC?

deleted a program folder

All Awaiting Reply

Tom's News
Woman Tracks Down Club Attacker on Facebook

Geolocation Functions Come to Twitter

New Craigslist Trend: Trade Sex for Rent?

Law Firm Investigates MS Over Xbox Live Bans

Amazon Charges $25 for Palm Pixi and $80 for Pre

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE