RegSearch Options File

[Search]
winik

[Exclude]

[Options]
Filter=KVDLU

12/19/2006, 3:25:05 - Starting Process
12/19/2006, 3:25:14 - Found the WinKRootKit Service. Attempting to remove...
12/19/2006, 3:25:14 - Located the following:
12/19/2006, 3:25:14 - Protected Executable: C:\Program Files\wxrwpwvr\bogFIoBM.exe
12/19/2006, 3:25:14 - Protected Profile Data: C:\Program Files\wxrwpwvr\profile.dat
12/19/2006, 3:25:15 - Protected Kernel Rootkit Driver: C:\WINDOWS\System32\Drivers\WinIK.sys
12/19/2006, 3:25:15 - Attempting to kill bogFIoBM.exe and it's decendants.
12/19/2006, 3:25:16 - Unable to kill process bogFIoBM.exe:
12/19/2006, 3:25:16 - Process does not exist.
12/19/2006, 3:25:16 - Removing Rootkit Protection.
12/19/2006, 3:25:16 - Deleting Protected File Data.
12/19/2006, 3:25:16 - Removing Registry settings in HKLM\SOFTWARE\wxrwpwvr
12/19/2006, 3:25:16 - Removing Registry settings in HKCU\SOFTWARE\wxrwpwvr
12/19/2006, 3:25:16 - Setting up final cleaning instruction on next reboot.
12/19/2006, 3:25:16 - Phase 1 of 2 complete. Restarting...

12/19/2006, 3:28:52 - We're back from restart. Starting Phase 2 of 2.
12/19/2006, 3:28:52 - Deleting WinKRootKit Service
12/19/2006, 3:28:52 - Deleting WinKRootKit Registry Settings
12/19/2006, 3:28:52 - Deleting WinKRootKit Kernel Driver.
12/19/2006, 3:28:52 - Phase 2 of 2 complete. We're all done here. Restarting...

12/19/2006, 3:37:07 - Starting Process
12/19/2006, 3:37:07 - Could not detect the service installed. Nothing else to do!

12/19/2006, 3:43:38 - Starting Process
12/19/2006, 3:43:38 - Could not detect the service installed. Nothing else to do!

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 12/19/2006 3:44:23 AM for strings:
; 'winik'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

[HKEY_USERS\S-1-5-21-1801674531-1897051121-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Temp\\WinKRootKitRemover.exe"="This program will look for WinKRootKit (winik.sys) and attempt to remove it."

; End Of The Log...

Logfile of HijackThis v1.99.1
Scan saved at 3:45:51 AM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\software\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\software\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\software\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {478B680F-9A35-0BB0-8470-645509F47836} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [bQVGXg1w] C:\PROGRA~1\wxrwpwvr\bogFIoBM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\software\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cwFHYsUw] C:\PROGRA~1\wxrwpwvr\bogFIoBM.exe
O4 - HKLM\..\Run: [QYFGRcUx] C:\PROGRA~1\wxrwpwvr\bogFIoBM.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P46 "Auto EPSON Stylus Photo R300 Series on DESKTOP" /O18 "\\DESKTOP\EPSONSty" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\DESKTOP\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P40 "\\DESKTOP\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RemoteControl] C:\software\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\software\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [kav] "C:\software\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add all items to the auction list - res://C:\software\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\software\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\software\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\software\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\software\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://www.gmpartsdirect.com
O16 - DPF: {0AB5CBCF-6984-4122-BCF7-BE33BF5B1CF1} - http://www.topmoxie.com/external/builds/up...se/upro1050.cab
O16 - DPF: {4E7BD74F-2B8D-469E-C1F2-F063A09BB32A} - http://www.orlandoticketsandhotels.net/Win...ls/wintools.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\software\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe