Below I copied and pasted my log of hijack this. My computer seems very slow and I am being re routed on my browsers (both IE and Opera) and my PC will not connected for OS updates, it re routes me.
I am running Server 2000.
Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:10, on 11/8/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINNT\loadqm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\lxcicoms.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\GoogleToolbar_en_1.1.58-deleon.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-1202660629-1770027372-725345543-1001\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O20 - AppInit_DLLs: yfkdjl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexmark Network Plug and Print (LexPnPAgent) - Lexmark International, Inc. - C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
O23 - Service: lxci_device - - C:\WINNT\System32\lxcicoms.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
--
End of file - 7120 bytes
Full Version: Spyware
Hello mjones,
Welcome to Gladiator Security Forum
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Thanks,
tea
Welcome to Gladiator Security Forum
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Thanks,
tea
Thanks for the help. This is the log for the combofix:
ComboFix 08-11-09.01 - administrator 2008-11-09 14:01:46.1 - NTFSx86
Microsoft Windows 2000 Advanced Server 5.0.2195.2.1252.1.1033.18.353 [GMT -8:00]
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\system32\bjabaegy.exe
c:\winnt\system32\caavnnvn.ini
c:\winnt\system32\Cache
c:\winnt\system32\ciwcilfc.dll
c:\winnt\system32\dMlTEfii.ini
c:\winnt\system32\dMlTEfii.ini2
c:\winnt\system32\drivers\TDSSserv.sys
c:\winnt\system32\dwrzbz.dll
c:\winnt\system32\eenueaxp.dll
c:\winnt\system32\gjgrwqou.dll
c:\winnt\system32\hrcvfuwf.exe
c:\winnt\system32\mcrh.tmp
c:\winnt\system32\mdm.exe
c:\winnt\system32\nfhpvvql.dll
c:\winnt\system32\tdssadw.dll
c:\winnt\system32\TDSSerrors.log
c:\winnt\system32\tdssinit.dll
c:\winnt\system32\tdssl.dll
c:\winnt\system32\tdsslog.dll
c:\winnt\system32\tdssmain.dll
c:\winnt\system32\tdssserf.dll
c:\winnt\system32\tdssservers.dat
c:\winnt\system32\tmvlcbpm.exe
c:\winnt\system32\uoqwrgjg.ini
c:\winnt\system32\vbudmpwp.dll
c:\winnt\system32\wvUoOEWN.dll
c:\winnt\system32\ycgqdfru.ini
c:\winnt\system32\ypvprlet.dll
c:\winnt\system32\yxnentqi.ini
c:\winnt\Web\default.htt
C:\x
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV
-------\Legacy_TDSSSERV
-------\Service_kdc
-------\Service_TrkSvr
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.
2008-11-09 14:00 . 08-11-09 14:00 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_350.dat
2008-11-08 12:23 . 08-11-08 12:31 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-08 11:43 . 08-11-08 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 10:25 . 08-11-08 12:32 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-08 10:16 . 08-11-08 10:37 641,714 ---h----- c:\winnt\ShellIconCache
2008-11-08 10:14 . 08-11-08 10:14 <DIR> d-------- c:\program files\CCleaner
2008-10-26 15:02 . 08-10-26 15:02 <DIR> d-------- c:\program files\Driver-Soft
2008-10-25 19:00 . 08-10-25 19:00 <DIR> d-------- C:\windows
2008-10-25 18:36 . 07-09-02 20:56 1,686,016 --a------ c:\winnt\system32\clinetsuitex6.ocx
2008-10-25 18:36 . 04-06-14 14:56 427,864 --a------ c:\winnt\system32\XceedZip.dll
2008-10-19 19:41 . 08-10-19 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-19 19:40 . 08-11-08 10:12 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-19 19:40 . 08-11-08 10:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-19 13:55 . 08-10-19 13:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GlarySoft
2008-10-19 13:54 . 08-10-19 13:54 <DIR> d-------- c:\program files\Glary Registry Repair
2008-10-18 15:56 . 08-10-18 15:56 163,840 --a------ c:\winnt\system32\qmoxcgso.exe
2008-10-18 13:10 . 08-10-19 07:12 2,712 --a------ c:\winnt\system32\tmp.reg
2008-10-18 12:56 . 07-09-05 23:22 289,144 --a------ c:\winnt\system32\VCCLSID.exe
2008-10-18 12:56 . 06-04-27 16:49 288,417 --a------ c:\winnt\system32\SrchSTS.exe
2008-10-18 12:56 . 08-09-08 22:38 88,576 --a------ c:\winnt\system32\AntiXPVSTFix.exe
2008-10-18 12:56 . 08-10-01 14:51 87,552 --a------ c:\winnt\system32\VACFix.exe
2008-10-18 12:56 . 08-10-10 07:58 82,944 --a------ c:\winnt\system32\o4Patch.exe
2008-10-18 12:56 . 08-10-10 07:58 82,944 --a------ c:\winnt\system32\IEDFix.C.exe
2008-10-18 12:56 . 08-08-18 11:19 82,432 --a------ c:\winnt\system32\404Fix.exe
2008-10-18 12:56 . 03-06-05 20:13 53,248 --a------ c:\winnt\system32\Process.exe
2008-10-18 12:56 . 04-07-31 17:50 51,200 --a------ c:\winnt\system32\dumphive.exe
2008-10-18 12:56 . 07-10-03 23:36 25,600 --a------ c:\winnt\system32\WS2Fix.exe
2008-10-18 11:08 . 08-10-18 13:59 <DIR> d-------- c:\program files\Crawler
2008-10-18 10:15 . 07-06-02 16:52 515 --a------ c:\winnt\win.tmp
2008-10-18 10:15 . 02-04-01 04:52 231 --a------ c:\winnt\system.tmp
2008-10-16 17:59 . 08-10-16 17:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\5
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:24 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-07 15:26 --------- d-----w c:\program files\Lx_cats
2008-10-26 21:10 --------- d-----w c:\program files\Opera
2008-10-18 16:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-06 04:27 --------- d-----w c:\program files\AVS4YOU
2008-10-06 04:19 --------- d-----w c:\program files\Common Files\AVSMedia
2008-10-06 04:19 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-10-06 04:19 --------- d-----w c:\documents and settings\Administrator\Application Data\AVS4YOU
2008-10-06 02:49 --------- d-----w c:\program files\Total Video Converter
2008-10-06 01:17 --------- d-----w c:\program files\7-Zip
2008-10-05 14:43 --------- d-----w c:\program files\LGUsbDriver
2008-08-18 22:39 348,160 ----a-w c:\winnt\MSVCR71.DLL
2008-08-18 22:39 1,060,864 ----a-w c:\winnt\MFC71.DLL
2008-08-18 22:38 40,960 ----a-w c:\winnt\SimTestDll.dll
2008-08-08 11:06 16,808 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-05-15 23:42 16,808 ----a-w c:\documents and settings\syeo\Application Data\GDIPFONTCACHEV1.DAT
2002-04-01 21:43 271 ---h--w c:\program files\desktop.ini
2002-04-01 21:43 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\syeo\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\rmitchell\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\ray\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\NetShowServices\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\mjones\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\jchaney\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Default User\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Administrator\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Administrator.WHATLOWGROUP\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Administrator.HUSKY\nspmcvt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [01-06-26 03:23 401493]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [07-09-04 15:40 6856704]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 8192 c:\winnt\system32\CTFMON.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CriticalUpdate"="c:\winnt\System32\wucrtupd.exe" [01-01-12 16:27 53328]
"PnPDef"="c:\program files\Lexmark\NetPnP\LexPnPDef.exe" [02-02-21 11:10 10752]
"vptray"="c:\program files\NavNT\vptray.exe" [01-09-24 06:59 73728]
"LXCICATS"="c:\winnt\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [06-02-24 13:05 73728]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [05-09-30 08:47 200704]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [05-08-01 06:05 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 03:27 144784]
"AtiPTA"="atiptaxx.exe" [01-09-27 01:39 245760 c:\winnt\system32\atiptaxx.exe]
"C-Media Mixer"="Mixer.exe" [02-03-25 14:02 1228800 c:\winnt\mixer.exe]
"LoadQM"="loadqm.exe" [00-05-03 16:23 7536 c:\winnt\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 04:00 186640]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-05-08 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Service Manager.lnk - c:\mssql7\Binn\sqlmangr.exe [2002-05-06 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
FriendlyName=
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yfkdjl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CEGSM"= mobilev.acm
"msvideo"= o100vc.dll - Osprey Capture Card 1
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ FPNWCLNT RASSFM KDCSVC scecli
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
R0 DfsDriver;DfsDriver;c:\winnt\System32\drivers\Dfs.sys [01-05-04 11:05 74384]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\winnt\System32\DRIVERS\CINEMSUP.SYS [00-03-24 13:53 6144]
R2 LexPnPAgent;Lexmark Network Plug and Print;c:\program files\Lexmark\NetPnP\LexPnPAgent.exe [02-02-21 11:10 46592]
R2 nsmonitor;Windows Media Monitor Service;c:\winnt\System32\WINDOW~1\Server\nspmon.exe [99-11-09 12:43 29728]
R2 nsprogram;Windows Media Program Service;c:\winnt\System32\WINDOW~1\Server\nspm.exe [99-11-09 12:46 9632]
R2 nsstation;Windows Media Station Service;c:\winnt\System32\WINDOW~1\Server\nscm.exe [99-11-09 12:46 220816]
R2 nsunicast;Windows Media Unicast Service;c:\winnt\System32\WINDOW~1\Server\nsum.exe [01-05-04 11:05 441312]
R3 ati2mtaa;ati2mtaa;c:\winnt\System32\DRIVERS\ati2mtaa.sys [01-09-27 00:28 291121]
R3 lxci_device;lxci_device;c:\winnt\System32\lxcicoms.exe [05-10-24 04:33 491520]
R3 spud;Special Purpose Utility Driver;c:\winnt\System32\drivers\spud.sys [99-12-07 04:00 12336]
S2 o100drv;Osprey Video Capture Device;c:\winnt\System32\DRIVERS\o100drv.sys [01-05-04 09:17 120600]
S2 O2CA;Osprey Audio Capture Device;c:\winnt\System32\DRIVERS\o2ca.sys [01-05-17 13:33 32448]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\System32\DRIVERS\el90xbc5.sys [01-08-22 09:54 69555]
S3 NSLService;On-line Presentation Broadcast;c:\winnt\System32\Windows Media\NSLite\nslservice.exe [99-11-09 12:43 83312]
S3 NtFrs;File Replication;c:\winnt\system32\ntfrs.exe [01-05-04 11:05 689424]
S3 TDASYNC;TDASYNC;c:\winnt\System32\drivers\TDASYNC.sys [99-12-07 04:00 12600]
S3 TDIPX;TDIPX;c:\winnt\System32\drivers\TDIPX.sys [01-10-30 04:57 20064]
S3 TDNETB;TDNETB;c:\winnt\System32\drivers\TDNETB.sys [01-10-30 04:57 17632]
S3 TDSPX;TDSPX;c:\winnt\System32\drivers\TDSPX.sys [99-12-07 04:00 17400]
S4 IsmServ;Intersite Messaging;c:\winnt\System32\ismserv.exe [01-05-04 11:05 27920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Ntmssvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = c:\windows\system32\blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Local Page = c:\windows\system32\blank.htm
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
O18 -: Name-Space Handler: ftp\SmartDownload - {D3B7D8E1-92DB-11d2-8551-0060083CFB9C} - c:\winnt\system32\sdph20.dll
O18 -: Name-Space Handler: http\SmartDownload - {D3B7D8E1-92DB-11d2-8551-0060083CFB9C} - c:\winnt\system32\sdph20.dll
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 14:10:35
Windows 5.0.2195 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\winnt\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\winnt\system32\winlogon.exe
-> c:\winnt\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [168]
??\c:\winnt\system32\csrss.exe [192]
??\c:\winnt\system32\winlogon.exe [212]
c:\winnt\system32\services.exe [240]
c:\winnt\system32\lsass.exe [252]
c:\winnt\system32\svchost.exe [420]
c:\winnt\system32\LEXBCES.EXE [452]
c:\winnt\system32\spoolsv.exe [480]
c:\winnt\system32\LEXPPS.EXE [488]
c:\program files\NavNT\defwatch.exe [620]
c:\winnt\System32\svchost.exe [636]
c:\program files\Lexmark\NetPnP\LexPnPAgent.exe [656]
c:\winnt\System32\llssrv.exe [704]
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [736]
c:\program files\NavNT\rtvscan.exe [768]
c:\winnt\System32\WINDOW~1\Server\nspmon.exe [820]
c:\winnt\System32\WINDOW~1\Server\nscm.exe [848]
c:\winnt\system32\regsvc.exe [916]
c:\winnt\system32\stisvc.exe [940]
c:\winnt\System32\svchost.exe [972]
c:\winnt\System32\WBEM\WinMgmt.exe [1004]
c:\winnt\System32\mspmspsv.exe [1024]
c:\winnt\System32\inetsrv\inetinfo.exe [1036]
c:\winnt\System32\WINDOW~1\Server\nspm.exe [1072]
c:\winnt\System32\WINDOW~1\Server\nsum.exe [1168]
c:\winnt\system32\Dfssvc.exe [1376]
c:\winnt\system32\CF21845.exe [1740]
c:\winnt\System32\atiptaxx.exe [1756]
c:\winnt\Mixer.exe [1852]
c:\program files\Lexmark\NetPnP\LexPnPDef.exe [1284]
c:\program files\NavNT\vptray.exe [1908]
c:\program files\Lexmark 7300 Series\lxcimon.exe [1688]
c:\program files\Lexmark 7300 Series\ezprint.exe [1604]
c:\winnt\loadqm.exe [1920]
c:\program files\Java\jre1.6.0_07\bin\jusched.exe [1888]
c:\winnt\System32\ctfmon.exe [1940]
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE [1952]
c:\program files\MSN Messenger\MsnMsgr.Exe [1692]
c:\mssql7\Binn\sqlmangr.exe [1972]
c:\winnt\System32\lxcicoms.exe [1956]
c:\winnt\explorer.exe [1556]
c:\combofix\catchme.cfexe [1864]
.
**************************************************************************
.
Completion time: 2008-11-09 14:14:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-09 22:14:46
Pre-Run: 27,582,050,304 bytes free
Post-Run: 27,758,112,768 bytes free
288
Here is the log for hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:43, on 11/9/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINNT\loadqm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\lxcicoms.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\GoogleToolbar_en_1.1.58-deleon.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-1202660629-1770027372-725345543-1001\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O20 - AppInit_DLLs: yfkdjl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexmark Network Plug and Print (LexPnPAgent) - Lexmark International, Inc. - C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
O23 - Service: lxci_device - - C:\WINNT\System32\lxcicoms.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
--
End of file - 7241 bytes
Thanks, again for all your help.
mjones
ComboFix 08-11-09.01 - administrator 2008-11-09 14:01:46.1 - NTFSx86
Microsoft Windows 2000 Advanced Server 5.0.2195.2.1252.1.1033.18.353 [GMT -8:00]
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\system32\bjabaegy.exe
c:\winnt\system32\caavnnvn.ini
c:\winnt\system32\Cache
c:\winnt\system32\ciwcilfc.dll
c:\winnt\system32\dMlTEfii.ini
c:\winnt\system32\dMlTEfii.ini2
c:\winnt\system32\drivers\TDSSserv.sys
c:\winnt\system32\dwrzbz.dll
c:\winnt\system32\eenueaxp.dll
c:\winnt\system32\gjgrwqou.dll
c:\winnt\system32\hrcvfuwf.exe
c:\winnt\system32\mcrh.tmp
c:\winnt\system32\mdm.exe
c:\winnt\system32\nfhpvvql.dll
c:\winnt\system32\tdssadw.dll
c:\winnt\system32\TDSSerrors.log
c:\winnt\system32\tdssinit.dll
c:\winnt\system32\tdssl.dll
c:\winnt\system32\tdsslog.dll
c:\winnt\system32\tdssmain.dll
c:\winnt\system32\tdssserf.dll
c:\winnt\system32\tdssservers.dat
c:\winnt\system32\tmvlcbpm.exe
c:\winnt\system32\uoqwrgjg.ini
c:\winnt\system32\vbudmpwp.dll
c:\winnt\system32\wvUoOEWN.dll
c:\winnt\system32\ycgqdfru.ini
c:\winnt\system32\ypvprlet.dll
c:\winnt\system32\yxnentqi.ini
c:\winnt\Web\default.htt
C:\x
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV
-------\Legacy_TDSSSERV
-------\Service_kdc
-------\Service_TrkSvr
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.
2008-11-09 14:00 . 08-11-09 14:00 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_350.dat
2008-11-08 12:23 . 08-11-08 12:31 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-08 11:43 . 08-11-08 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 10:25 . 08-11-08 12:32 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-08 10:16 . 08-11-08 10:37 641,714 ---h----- c:\winnt\ShellIconCache
2008-11-08 10:14 . 08-11-08 10:14 <DIR> d-------- c:\program files\CCleaner
2008-10-26 15:02 . 08-10-26 15:02 <DIR> d-------- c:\program files\Driver-Soft
2008-10-25 19:00 . 08-10-25 19:00 <DIR> d-------- C:\windows
2008-10-25 18:36 . 07-09-02 20:56 1,686,016 --a------ c:\winnt\system32\clinetsuitex6.ocx
2008-10-25 18:36 . 04-06-14 14:56 427,864 --a------ c:\winnt\system32\XceedZip.dll
2008-10-19 19:41 . 08-10-19 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-19 19:40 . 08-11-08 10:12 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-19 19:40 . 08-11-08 10:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-19 13:55 . 08-10-19 13:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GlarySoft
2008-10-19 13:54 . 08-10-19 13:54 <DIR> d-------- c:\program files\Glary Registry Repair
2008-10-18 15:56 . 08-10-18 15:56 163,840 --a------ c:\winnt\system32\qmoxcgso.exe
2008-10-18 13:10 . 08-10-19 07:12 2,712 --a------ c:\winnt\system32\tmp.reg
2008-10-18 12:56 . 07-09-05 23:22 289,144 --a------ c:\winnt\system32\VCCLSID.exe
2008-10-18 12:56 . 06-04-27 16:49 288,417 --a------ c:\winnt\system32\SrchSTS.exe
2008-10-18 12:56 . 08-09-08 22:38 88,576 --a------ c:\winnt\system32\AntiXPVSTFix.exe
2008-10-18 12:56 . 08-10-01 14:51 87,552 --a------ c:\winnt\system32\VACFix.exe
2008-10-18 12:56 . 08-10-10 07:58 82,944 --a------ c:\winnt\system32\o4Patch.exe
2008-10-18 12:56 . 08-10-10 07:58 82,944 --a------ c:\winnt\system32\IEDFix.C.exe
2008-10-18 12:56 . 08-08-18 11:19 82,432 --a------ c:\winnt\system32\404Fix.exe
2008-10-18 12:56 . 03-06-05 20:13 53,248 --a------ c:\winnt\system32\Process.exe
2008-10-18 12:56 . 04-07-31 17:50 51,200 --a------ c:\winnt\system32\dumphive.exe
2008-10-18 12:56 . 07-10-03 23:36 25,600 --a------ c:\winnt\system32\WS2Fix.exe
2008-10-18 11:08 . 08-10-18 13:59 <DIR> d-------- c:\program files\Crawler
2008-10-18 10:15 . 07-06-02 16:52 515 --a------ c:\winnt\win.tmp
2008-10-18 10:15 . 02-04-01 04:52 231 --a------ c:\winnt\system.tmp
2008-10-16 17:59 . 08-10-16 17:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\5
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:24 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-07 15:26 --------- d-----w c:\program files\Lx_cats
2008-10-26 21:10 --------- d-----w c:\program files\Opera
2008-10-18 16:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-06 04:27 --------- d-----w c:\program files\AVS4YOU
2008-10-06 04:19 --------- d-----w c:\program files\Common Files\AVSMedia
2008-10-06 04:19 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-10-06 04:19 --------- d-----w c:\documents and settings\Administrator\Application Data\AVS4YOU
2008-10-06 02:49 --------- d-----w c:\program files\Total Video Converter
2008-10-06 01:17 --------- d-----w c:\program files\7-Zip
2008-10-05 14:43 --------- d-----w c:\program files\LGUsbDriver
2008-08-18 22:39 348,160 ----a-w c:\winnt\MSVCR71.DLL
2008-08-18 22:39 1,060,864 ----a-w c:\winnt\MFC71.DLL
2008-08-18 22:38 40,960 ----a-w c:\winnt\SimTestDll.dll
2008-08-08 11:06 16,808 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-05-15 23:42 16,808 ----a-w c:\documents and settings\syeo\Application Data\GDIPFONTCACHEV1.DAT
2002-04-01 21:43 271 ---h--w c:\program files\desktop.ini
2002-04-01 21:43 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\syeo\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\rmitchell\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\ray\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\NetShowServices\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\mjones\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\jchaney\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Default User\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Administrator\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Administrator.WHATLOWGROUP\nspmcvt.exe
1999-11-09 20:43 15,376 ----a-w c:\documents and settings\Administrator.HUSKY\nspmcvt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [01-06-26 03:23 401493]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [07-09-04 15:40 6856704]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 8192 c:\winnt\system32\CTFMON.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CriticalUpdate"="c:\winnt\System32\wucrtupd.exe" [01-01-12 16:27 53328]
"PnPDef"="c:\program files\Lexmark\NetPnP\LexPnPDef.exe" [02-02-21 11:10 10752]
"vptray"="c:\program files\NavNT\vptray.exe" [01-09-24 06:59 73728]
"LXCICATS"="c:\winnt\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [06-02-24 13:05 73728]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [05-09-30 08:47 200704]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [05-08-01 06:05 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 03:27 144784]
"AtiPTA"="atiptaxx.exe" [01-09-27 01:39 245760 c:\winnt\system32\atiptaxx.exe]
"C-Media Mixer"="Mixer.exe" [02-03-25 14:02 1228800 c:\winnt\mixer.exe]
"LoadQM"="loadqm.exe" [00-05-03 16:23 7536 c:\winnt\loadqm.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 04:00 186640]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-05-08 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Service Manager.lnk - c:\mssql7\Binn\sqlmangr.exe [2002-05-06 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
FriendlyName=
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yfkdjl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CEGSM"= mobilev.acm
"msvideo"= o100vc.dll - Osprey Capture Card 1
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ FPNWCLNT RASSFM KDCSVC scecli
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
R0 DfsDriver;DfsDriver;c:\winnt\System32\drivers\Dfs.sys [01-05-04 11:05 74384]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\winnt\System32\DRIVERS\CINEMSUP.SYS [00-03-24 13:53 6144]
R2 LexPnPAgent;Lexmark Network Plug and Print;c:\program files\Lexmark\NetPnP\LexPnPAgent.exe [02-02-21 11:10 46592]
R2 nsmonitor;Windows Media Monitor Service;c:\winnt\System32\WINDOW~1\Server\nspmon.exe [99-11-09 12:43 29728]
R2 nsprogram;Windows Media Program Service;c:\winnt\System32\WINDOW~1\Server\nspm.exe [99-11-09 12:46 9632]
R2 nsstation;Windows Media Station Service;c:\winnt\System32\WINDOW~1\Server\nscm.exe [99-11-09 12:46 220816]
R2 nsunicast;Windows Media Unicast Service;c:\winnt\System32\WINDOW~1\Server\nsum.exe [01-05-04 11:05 441312]
R3 ati2mtaa;ati2mtaa;c:\winnt\System32\DRIVERS\ati2mtaa.sys [01-09-27 00:28 291121]
R3 lxci_device;lxci_device;c:\winnt\System32\lxcicoms.exe [05-10-24 04:33 491520]
R3 spud;Special Purpose Utility Driver;c:\winnt\System32\drivers\spud.sys [99-12-07 04:00 12336]
S2 o100drv;Osprey Video Capture Device;c:\winnt\System32\DRIVERS\o100drv.sys [01-05-04 09:17 120600]
S2 O2CA;Osprey Audio Capture Device;c:\winnt\System32\DRIVERS\o2ca.sys [01-05-17 13:33 32448]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\System32\DRIVERS\el90xbc5.sys [01-08-22 09:54 69555]
S3 NSLService;On-line Presentation Broadcast;c:\winnt\System32\Windows Media\NSLite\nslservice.exe [99-11-09 12:43 83312]
S3 NtFrs;File Replication;c:\winnt\system32\ntfrs.exe [01-05-04 11:05 689424]
S3 TDASYNC;TDASYNC;c:\winnt\System32\drivers\TDASYNC.sys [99-12-07 04:00 12600]
S3 TDIPX;TDIPX;c:\winnt\System32\drivers\TDIPX.sys [01-10-30 04:57 20064]
S3 TDNETB;TDNETB;c:\winnt\System32\drivers\TDNETB.sys [01-10-30 04:57 17632]
S3 TDSPX;TDSPX;c:\winnt\System32\drivers\TDSPX.sys [99-12-07 04:00 17400]
S4 IsmServ;Intersite Messaging;c:\winnt\System32\ismserv.exe [01-05-04 11:05 27920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Ntmssvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = c:\windows\system32\blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Local Page = c:\windows\system32\blank.htm
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
O18 -: Name-Space Handler: ftp\SmartDownload - {D3B7D8E1-92DB-11d2-8551-0060083CFB9C} - c:\winnt\system32\sdph20.dll
O18 -: Name-Space Handler: http\SmartDownload - {D3B7D8E1-92DB-11d2-8551-0060083CFB9C} - c:\winnt\system32\sdph20.dll
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\MI3AA1~1\CENetFlt.dll
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 14:10:35
Windows 5.0.2195 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\winnt\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\winnt\system32\winlogon.exe
-> c:\winnt\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [168]
??\c:\winnt\system32\csrss.exe [192]
??\c:\winnt\system32\winlogon.exe [212]
c:\winnt\system32\services.exe [240]
c:\winnt\system32\lsass.exe [252]
c:\winnt\system32\svchost.exe [420]
c:\winnt\system32\LEXBCES.EXE [452]
c:\winnt\system32\spoolsv.exe [480]
c:\winnt\system32\LEXPPS.EXE [488]
c:\program files\NavNT\defwatch.exe [620]
c:\winnt\System32\svchost.exe [636]
c:\program files\Lexmark\NetPnP\LexPnPAgent.exe [656]
c:\winnt\System32\llssrv.exe [704]
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [736]
c:\program files\NavNT\rtvscan.exe [768]
c:\winnt\System32\WINDOW~1\Server\nspmon.exe [820]
c:\winnt\System32\WINDOW~1\Server\nscm.exe [848]
c:\winnt\system32\regsvc.exe [916]
c:\winnt\system32\stisvc.exe [940]
c:\winnt\System32\svchost.exe [972]
c:\winnt\System32\WBEM\WinMgmt.exe [1004]
c:\winnt\System32\mspmspsv.exe [1024]
c:\winnt\System32\inetsrv\inetinfo.exe [1036]
c:\winnt\System32\WINDOW~1\Server\nspm.exe [1072]
c:\winnt\System32\WINDOW~1\Server\nsum.exe [1168]
c:\winnt\system32\Dfssvc.exe [1376]
c:\winnt\system32\CF21845.exe [1740]
c:\winnt\System32\atiptaxx.exe [1756]
c:\winnt\Mixer.exe [1852]
c:\program files\Lexmark\NetPnP\LexPnPDef.exe [1284]
c:\program files\NavNT\vptray.exe [1908]
c:\program files\Lexmark 7300 Series\lxcimon.exe [1688]
c:\program files\Lexmark 7300 Series\ezprint.exe [1604]
c:\winnt\loadqm.exe [1920]
c:\program files\Java\jre1.6.0_07\bin\jusched.exe [1888]
c:\winnt\System32\ctfmon.exe [1940]
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE [1952]
c:\program files\MSN Messenger\MsnMsgr.Exe [1692]
c:\mssql7\Binn\sqlmangr.exe [1972]
c:\winnt\System32\lxcicoms.exe [1956]
c:\winnt\explorer.exe [1556]
c:\combofix\catchme.cfexe [1864]
.
**************************************************************************
.
Completion time: 2008-11-09 14:14:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-09 22:14:46
Pre-Run: 27,582,050,304 bytes free
Post-Run: 27,758,112,768 bytes free
288
Here is the log for hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:43, on 11/9/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINNT\loadqm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\lxcicoms.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\GoogleToolbar_en_1.1.58-deleon.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-1202660629-1770027372-725345543-1001\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O20 - AppInit_DLLs: yfkdjl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexmark Network Plug and Print (LexPnPAgent) - Lexmark International, Inc. - C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
O23 - Service: lxci_device - - C:\WINNT\System32\lxcicoms.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
--
End of file - 7241 bytes
Thanks, again for all your help.
mjones
Hello,
You're welcome. :) Did you set those 024s yourself? I'd like to know before I move on to the next part of the fix. How is it running please? You had a couple of nasty infections there.
Thanks,
tea
You're welcome. :) Did you set those 024s yourself? I'd like to know before I move on to the next part of the fix. How is it running please? You had a couple of nasty infections there.
Thanks,
tea
Did not set the 024s. I have left the machine alone until I know everything is fine. I am using my laptop.
I have been fighting these infections for over a week trying and tweaking each software fix to get rid of these infections.
I hope it is all over with. Thanks, again for all your help.
What would you like for me to do now?
Thanks.
I have been fighting these infections for over a week trying and tweaking each software fix to get rid of these infections.
I hope it is all over with. Thanks, again for all your help.
What would you like for me to do now?
Thanks.
Hello again,
Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),
Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.
Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
How is it running now please? :)
Thanks,
tea
Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),
Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.
Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
How is it running now please? :)
Thanks,
tea
I think you fix everything. The PC is working good and I am installing all microsoft updates and keeping security measures high with software. Anything you would suggest to better defend against all threats?
Below are the log lists, thanks again for all your help.
Malwarebytes' Anti-Malware 1.30
Database version: 1380
Windows 5.0.2195 Service Pack 2
11/10/2008 8:00:54 AM
mbam-log-2008-11-10 (08-00-54).txt
Scan type: Quick Scan
Objects scanned: 67310
Time elapsed: 6 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:01:49, on 11/10/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINNT\loadqm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\lxcicoms.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\GoogleToolbar_en_1.1.58-deleon.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-1202660629-1770027372-725345543-1001\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O20 - AppInit_DLLs: yfkdjl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexmark Network Plug and Print (LexPnPAgent) - Lexmark International, Inc. - C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
O23 - Service: lxci_device - - C:\WINNT\System32\lxcicoms.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
--
End of file - 7367 bytes
Below are the log lists, thanks again for all your help.
Malwarebytes' Anti-Malware 1.30
Database version: 1380
Windows 5.0.2195 Service Pack 2
11/10/2008 8:00:54 AM
mbam-log-2008-11-10 (08-00-54).txt
Scan type: Quick Scan
Objects scanned: 67310
Time elapsed: 6 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:01:49, on 11/10/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINNT\loadqm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\System32\lxcicoms.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\GoogleToolbar_en_1.1.58-deleon.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PnPDef] C:\Program Files\Lexmark\NetPnP\LexPnPDef.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-1202660629-1770027372-725345543-1001\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NetShowServices')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = whatlowgroup.local
O20 - AppInit_DLLs: yfkdjl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexmark Network Plug and Print (LexPnPAgent) - Lexmark International, Inc. - C:\Program Files\Lexmark\NetPnP\LexPnPAgent.exe
O23 - Service: lxci_device - - C:\WINNT\System32\lxcicoms.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
--
End of file - 7367 bytes
Hello,
You're welcome.
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O20 - AppInit_DLLs: yfkdjl.dll
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
Close all browsers and other windows except for HijackThis!, and click "Fix checked".
Reboot your computer.
This is what I tell everyone for their security :
Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.
Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.
You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.
* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
Please make sure to run your antivirus software regularly, and to keep it up-to-date.
Please also read Tony Klein's excellent article: How I got Infected in the First Place
Take care!
tea
You're welcome.
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O20 - AppInit_DLLs: yfkdjl.dll
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\My Received Files\Grimstad sommeren 2008 065.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Samuel\Alanya2008 007.jpg
Close all browsers and other windows except for HijackThis!, and click "Fix checked".
Reboot your computer.
This is what I tell everyone for their security :
Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.
Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.
You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.
* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
Please make sure to run your antivirus software regularly, and to keep it up-to-date.
Please also read Tony Klein's excellent article: How I got Infected in the First Place
Take care!
tea
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.