   Mischel Internet Security Forum
   winloginhook
naanbread
« on: Feb 7th, 2008, 8:30am »

I've read a few other topics about this, and I have got the same problem.
 
If anyone can help, it would be much appreciated.
 
I've run CCleaner and HijackThis, both in safe mode...
 
Here's the HijackThis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 14:26:08, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hijackthis\AnalyseMe.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: {d1bef5af-abcb-f9cb-5ce4-cac018e3de10} - {01ed3e81-0cac-4ec5-bc9f-bcbafa5feb1d} - C:\WINDOWS\system32\xpgfhxhl.dll
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7911F96F-1A75-4646-BAD3-9C41EE5A6DBE} - C:\WINDOWS\system32\jkkji.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A1A23B1C-41B1-4978-A039-8C39E3A4B0E6} - C:\WINDOWS\system32\ssqqnml.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qt activex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab50997.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: ssqqnml - C:\WINDOWS\SYSTEM32\ssqqnml.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ServiceCheck - {d6582a8a-fca3-408e-baee-a375276e58af} - C:\WINDOWS\Installer\{d6582a8a-fca3-408e-baee-a375276e58af}\ServiceCheck .dll
O21 - SSODL: zip - {25a7492e-2069-4cde-96b8-03e88fe7017f} - C:\WINDOWS\Installer\{25a7492e-2069-4cde-96b8-03e88fe7017f}\zip.dll
O21 - SSODL: ServiceSetup - {c450cddb-4f73-466b-b106-140684e84824} - C:\WINDOWS\Installer\{c450cddb-4f73-466b-b106-140684e84824}\ServiceSetup .dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmaxCool - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
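The entries that make this log worth a second look are the F3 win.ini `run=` line, the BHOs with no readable name loading from system32, and the O20 Winlogon Notify packages `ssqqnml` and `winghy32`. As an added example (not part of this thread, HijackThis or ComboFix), here is a small Python triage script that parses HijackThis entries, flags those three patterns with constructed heuristics (the Winlogon Notify allowlist is illustrative, not exhaustive), and diffs a before/after log to list what a cleanup removed; the sample lines are copied in shape from the two logs in this thread.

```python
import re

# Shape of a HijackThis entry: "<section> - <kind>: <name> [- {CLSID}] - <path>"
LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<kind>.+?): (?P<rest>.*)$")
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
CLSID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)

# Constructed allowlist of Winlogon Notify packages normally present on XP
# (illustrative, not exhaustive); anything else living in system32 gets flagged.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Constructed samples: entries copied in shape from the first and second logs above.
BEFORE_LOG = r"""
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: {d1bef5af-abcb-f9cb-5ce4-cac018e3de10} - {01ed3e81-0cac-4ec5-bc9f-bcbafa5feb1d} - C:\WINDOWS\system32\xpgfhxhl.dll
O2 - BHO: (no name) - {7911F96F-1A75-4646-BAD3-9C41EE5A6DBE} - C:\WINDOWS\system32\jkkji.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: ssqqnml - C:\WINDOWS\SYSTEM32\ssqqnml.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""
AFTER_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""


def parse(line):
    """Split one HijackThis entry into (section, kind, name, path); None if not an entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, kind, rest = m.group("sec"), m.group("kind"), m.group("rest")
    if sec == "F3":  # F3 - REG:win.ini: run="<exe>"  (name is the ini key)
        return sec, kind, "run", rest.split("=", 1)[1].strip('"')
    parts = [p.strip() for p in rest.split(" - ")]  # name [, {CLSID}], path
    return sec, kind, parts[0], parts[-1]


def suspicious(entry):
    """Return a triage reason for a parsed entry, or None. A flag is a prompt, not a verdict."""
    sec, _kind, name, path = entry
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if sec == "F3" and path:
        return "win.ini run= is a legacy autostart that is normally empty"
    if sec == "O20" and SYSTEM32.match(path) and stem not in KNOWN_NOTIFY:
        return "Winlogon Notify DLL in system32 not on the known-package list"
    if sec == "O2" and SYSTEM32.match(path) and (name == "(no name)" or CLSID.match(name)):
        return "BHO with no readable name loaded from system32"
    return None


def triage(log_text):
    """Return [(path, reason)] for every flagged entry, in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse(line)
        if entry is None:
            continue
        reason = suspicious(entry)
        if reason:
            hits.append((entry[3], reason))
    return hits


def removed_entries(before, after):
    """Entries present in the first log but absent from the second (what the cleanup removed)."""
    remaining = {l.strip() for l in after.strip().splitlines()}
    return [l.strip() for l in before.strip().splitlines() if l.strip() not in remaining]


if __name__ == "__main__":
    for path, reason in triage(BEFORE_LOG):
        print(f"FLAG {path}: {reason}")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"GONE {line}")
```

Feeding the full first log from this thread to `triage` flags the same five files that ComboFix later lists under "Other Deletions".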
siliconman01
Global Moderator
« Reply #1 on: Feb 7th, 2008, 11:33am »

Welcome to the forum naanbread.
 
Yes, you do have some nasty critters on your system.  Please do this first:
 
1.  Go to the link below and download Combofix.exe.  Save it on your desktop.
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
2.  Deactivate all of your security programs EXCEPT your software firewall.  This will prevent these security programs from interfering with Combofix.
 
3.  Close your browser.
 
4.  Double click combofix.exe & follow the prompts.  
When finished, it will produce a log for you.  
 
Note:  
Do not mouseclick combofix's window while it is running. That may cause it to stall.

 
5.  Please post back here the Combofix log and a new Hijackthis log.  Please be sure the HJT log is while running in Normal Mode.
« Last Edit: Feb 7th, 2008, 12:20pm by siliconman01 »

naanbread
« Reply #2 on: Feb 7th, 2008, 12:28pm »

Right, I've done what you've said and here are the logs...
 
Gonna have to multipost here, dunno if that's against the rules... because the message is too long..
naanbread
« Reply #3 on: Feb 7th, 2008, 12:28pm »

HijackThis:
 
Logfile of HijackThis v1.99.1
Scan saved at 18:24:38, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\AnalyseMe.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qt activex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab50997.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ServiceCheck - {d6582a8a-fca3-408e-baee-a375276e58af} - C:\WINDOWS\Installer\{d6582a8a-fca3-408e-baee-a375276e58af}\ServiceCheck .dll
O21 - SSODL: zip - {25a7492e-2069-4cde-96b8-03e88fe7017f} - C:\WINDOWS\Installer\{25a7492e-2069-4cde-96b8-03e88fe7017f}\zip.dll
O21 - SSODL: ServiceSetup - {c450cddb-4f73-466b-b106-140684e84824} - C:\WINDOWS\Installer\{c450cddb-4f73-466b-b106-140684e84824}\ServiceSetup .dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmaxCool - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
naanbread
« Reply #4 on: Feb 7th, 2008, 12:29pm »

ComboFix:
 
ComboFix 08-02.05.3 - user 2008-02-07 17:55:48.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.570 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\ssqqnml.dll
C:\Documents and Settings\user\Application Data\ShoppingReport
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\user\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\drivers\sfsync03.sys
C:\WINDOWS\system32\drvgopr.dll
C:\WINDOWS\system32\drvmajr.dll
C:\WINDOWS\system32\drvpujr.dll
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ntload.sys
C:\WINDOWS\system32\oyaguulk.dll
C:\WINDOWS\system32\ssqqnml.dll
C:\WINDOWS\system32\update32.exe
C:\WINDOWS\system32\vuhgdfvk.dll
C:\WINDOWS\system32\winghy32.dll
C:\WINDOWS\system32\winsrc.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wmrrwcby.dll
C:\WINDOWS\system32\xpgfhxhl.dll
C:\WINDOWS\system32\yvbedujp.dll
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_NTLOAD
-------\LEGACY_SFSYNC03
-------\ntload
-------\sfsync03
 
 
(((((((((((((((((((((((((   Files Created from 2008-01-07 to 2008-02-07  )))))))))))))))))))))))))))))))
.
 
2008-02-07 17:51 . 2008-02-07 17:51  11,776  --a------  C:\Program Files\tmp150718.exe
2008-02-07 17:50 . 2008-02-07 17:50  10,240  --a------  C:\Program Files\tmp143265.exe
2008-02-07 16:57 . 2008-02-07 16:57  0  --a------  C:\WINDOWS\system32\wscmp.dll.tmp
2008-02-07 16:54 . 2008-02-07 16:54  <DIR>  d--------  C:\Documents and Settings\user\Application Data\report
2008-02-07 16:54 . 2008-02-07 16:54  <DIR>  d--------  C:\Documents and Settings\user\Application Data\Documents and Settings
2008-02-07 16:54 . 2008-02-07 16:54  10,240  --a------  C:\Program Files\tmp145843.exe
2008-02-07 16:50 . 2008-02-07 16:50  1,355  --a------  C:\WINDOWS\imsins.BAK
2008-02-07 13:32 . 2008-02-07 14:26  <DIR>  d--------  C:\hijackthis
2008-02-07 13:16 . 2008-02-07 13:16  103,936  --a------  C:\WINDOWS\system32\drvpuj.dll
2008-02-07 12:30 . 2008-02-07 12:30  <DIR>  d--------  C:\ShoppingReport
2008-02-07 12:30 . 2008-02-07 12:30  <DIR>  d--------  C:\Documents and Settings\user\user
2008-02-07 12:30 . 2008-02-07 12:30  <DIR>  d--------  C:\Documents and Settings\user\ShoppingReport
2008-02-07 12:30 . 2008-02-07 12:30  <DIR>  d--------  C:\Documents and Settings\user\Documents and Settings
2008-02-07 12:30 . 2008-02-07 12:30  <DIR>  d--------  C:\Documents and Settings\user\cs
2008-02-07 12:30 . 2008-02-07 12:30  <DIR>  d--------  C:\Application Data
2008-02-07 12:25 . 2008-02-07 12:25  <DIR>  d--------  C:\Documents and Settings\user\Application Data\user
2008-02-07 12:25 . 2008-02-07 12:25  46,080  --a------  C:\Program Files\tmp156140.exe
2008-02-07 12:25 . 2008-02-07 12:25  11,776  --a------  C:\Program Files\tmp156328.exe
2008-02-07 12:25 . 2008-02-07 12:25  11,776  --a------  C:\Program Files\tmp154421.exe
2008-02-07 12:25 . 2008-02-07 12:25  11,776  --a------  C:\Program Files\tmp152890.exe
2008-02-07 12:25 . 2008-02-07 12:25  10,240  --a------  C:\Program Files\tmp147281.exe
2008-02-07 12:13 . 2008-02-07 12:13  4,298  --a------  C:\WINDOWS\system32\tmp.reg
2008-02-07 12:12 . 2007-09-05 23:22  289,144  --a------  C:\WINDOWS\system32\VCCLSID.exe
2008-02-07 12:12 . 2006-04-27 16:49  288,417  --a------  C:\WINDOWS\system32\SrchSTS.exe
2008-02-07 12:12 . 2008-02-06 00:03  85,504  --a------  C:\WINDOWS\system32\VACFix.exe
2008-02-07 12:12 . 2008-01-27 14:37  81,920  --a------  C:\WINDOWS\system32\IEDFix.exe
2008-02-07 12:12 . 2003-06-05 20:13  53,248  --a------  C:\WINDOWS\system32\Process.exe
2008-02-07 12:12 . 2004-07-31 17:50  51,200  --a------  C:\WINDOWS\system32\dumphive.exe
2008-02-07 12:12 . 2007-10-03 23:36  25,600  --a------  C:\WINDOWS\system32\WS2Fix.exe
2008-02-07 09:48 . 2008-02-07 18:10  2,364  --a------  C:\WINDOWS\system32\wpa.dbl
2008-02-06 23:22 . 2008-02-06 23:22  0  --a------  C:\WINDOWS\system32\sex1.ico.tmp
2008-02-06 23:21 . 2008-02-06 23:21  0  --a------  C:\WINDOWS\system32\sex2.ico.tmp
2008-02-06 22:19 . 2008-02-06 22:19  <DIR>  d--------  C:\user
2008-02-06 22:19 . 2008-02-06 22:19  <DIR>  d--------  C:\Documents and Settings\user\Application Data\Application Data
2008-02-06 20:44 . 2008-02-06 20:44  10,240  --a------  C:\Program Files\tmp17574484.exe
2008-02-06 20:43 . 2008-02-06 20:43  103,936  --a------  C:\WINDOWS\system32\drvgop.dll
2008-02-06 20:43 . 2008-02-06 20:43  10,240  --a------  C:\Program Files\tmp17527765.exe
2008-02-04 22:09 . 2008-02-04 22:22  <DIR>  d--------  C:\Program Files\The All-Seeing Eye
2008-02-04 21:58 . 2008-02-04 21:58  22,328  --a------  C:\Documents and Settings\user\Application Data\PnkBstrK.sys
2008-02-04 18:22 . 2006-12-08 12:02  251,672  --a------  C:\WINDOWS\system32\xactengine2_5.dll
2008-02-04 18:22 . 2006-09-28 16:05  237,848  --a------  C:\WINDOWS\system32\xactengine2_4.dll
2008-02-04 18:21 . 2008-02-04 18:21  319  --a------  C:\WINDOWS\game.ini
2008-02-04 18:11 . 2008-02-04 18:11  <DIR>  d--------  C:\Program Files\Activision
2008-02-04 15:29 . 2008-02-04 15:29  103,936  --a------  C:\WINDOWS\system32\drvmaj.dll
2008-02-04 15:29 . 2008-02-04 15:29  15,872  --a------  C:\WINDOWS\system32\drvkop.dll
2008-02-04 15:26 . 2008-02-04 15:26  <DIR>  d--hs----  C:\WINDOWS\ftpcache
2008-02-01 22:01 . 2008-02-01 22:01  15  --a------  C:\WINDOWS\system32\ioncprv.cna
2008-02-01 21:59 . 2008-02-01 22:18  <DIR>  d--------  C:\My Media
2008-02-01 21:58 . 2008-02-01 22:01  <DIR>  d--------  C:\Program Files\Audio Converter
2008-02-01 21:43 . 2008-02-01 21:43  <DIR>  d--------  C:\Program Files\Audacity
2008-01-31 02:02 . 2008-01-31 02:02  54,608  --a------  C:\WINDOWS\system32\xfcodec.dll
2008-01-25 17:16 . 2008-01-25 17:16  <DIR>  d--------  C:\Program Files\CCleaner
2008-01-19 14:39 . 2008-01-19 14:39  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-19 14:38 . 2008-01-19 14:38  <DIR>  d--------  C:\Program Files\Last.fm
2008-01-14 23:06 . 2008-01-14 23:06  <DIR>  d--------  C:\Documents and Settings\user\dwhelper
2008-01-12 11:45 . 2008-01-12 11:45  <DIR>  d--------  C:\Games
2008-01-09 16:08 . 2008-02-04 21:57  <DIR>  d--------  C:\Documents and Settings\user\Application Data\Azureus
2008-01-09 16:08 . 2008-01-09 16:08  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-09 16:06 . 2008-01-09 16:07  <DIR>  d--------  C:\Program Files\Azureus
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 18:11  ---------  d-----w  C:\Program Files\Common Files\Symantec Shared
2008-02-07 12:46  ---------  d-----w  C:\Program Files\Opera
2008-02-06 15:52  ---------  d-s---w  C:\Program Files\Xfire
2008-02-05 22:13  22,328  ----a-w  C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-05 22:09  ---------  d-----w  C:\Documents and Settings\user\Application Data\Xfire
2008-02-05 17:45  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-02-04 22:54  ---------  d-----w  C:\Program Files\Conquer 2.0
2008-02-01 21:57  73,216  ----a-w  C:\WINDOWS\ST6UNST.EXE
2008-02-01 21:57  245,760  ------w  C:\WINDOWS\Setup1.exe
2008-01-23 22:42  44,568  ----a-w  C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2008-01-16 18:31  ---------  d-----w  C:\Program Files\MSN Messenger
2008-01-16 18:31  ---------  d-----w  C:\Program Files\Messenger Plus! Live
2008-01-09 16:21  ---------  d-----w  C:\Documents and Settings\user\Application Data\uTorrent
2008-01-08 22:04  ---------  d-----w  C:\Program Files\QuickTime
2008-01-07 18:31  ---------  d-----w  C:\Program Files\DivX
2008-01-04 15:00  ---------  d-----w  C:\Program Files\Norton Security Scan
2007-12-25 21:14  ---------  d-----w  C:\Program Files\easetech
2007-12-22 16:25  ---------  d-----w  C:\Program Files\ImTOO
2006-06-23 06:48  32,768  ----a-r  C:\WINDOWS\inf\UpdateUSB.exe
2006-02-19 03:28  12,288  ----a-w  C:\WINDOWS\Fonts\RandFont.dll
2006-09-03 15:21  32  --sha-w  C:\WINDOWS\{0B64A116-C1D7-4C50-AFB5-A1915648B8FB}.dat
2006-09-03 15:23  32  --sha-w  C:\WINDOWS\{CD3E3353-BABA-473B-ABE5-86134DBC5573}.dat
2006-09-03 15:21  32  --sha-w  C:\WINDOWS\system32\{478D9150-1401-44E8-82DC-6048D4411F8C}.dat
2006-09-03 15:23  32  --sha-w  C:\WINDOWS\system32\{A84F0114-C7A2-431C-B8B5-0A9FFA5CC81C}.dat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
C:\Program Files\Outerinfo\Outerinfo.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-09-13 08:22 3054592]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 08:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 02:01 32768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-09-14 19:21 54976]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-14 19:22 38592]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-26 21:35 79480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-18 22:23 185784]
"YeppStudioAgent"="C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe" [2005-10-11 10:11 40960]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32 221184]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 15:21 270336]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-16 11:58 213936]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00 15360]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 07:52 218232]
 
C:\Documents and Settings\user\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-01 16:01:28 110592]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-19 14:38:27 106496]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-01 16:01:28 110592]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-09-01 18:40:07 589824]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ServiceCheck"= {d6582a8a-fca3-408e-baee-a375276e58af} - C:\WINDOWS\Installer\{d6582a8a-fca3-408e-baee-a375276e58af}\ServiceCheck.dll [2008-02-06 20:43 14374]
"zip"= {25a7492e-2069-4cde-96b8-03e88fe7017f} - C:\WINDOWS\Installer\{25a7492e-2069-4cde-96b8-03e88fe7017f}\zip.dll [2008-02-07 12:25 39462]
"ServiceSetup"= {c450cddb-4f73-466b-b106-140684e84824} - C:\WINDOWS\Installer\{c450cddb-4f73-466b-b106-140684e84824}\ServiceSetup.dll [2008-02-07 13:16 14374]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-05 15:36 140976 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
 
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 05:03]
S3 jnv4_mib;jnv4_mib;C:\DOCUME~1\user\LOCALS~1\Temp\jnv4_mib.sys []
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Autorun.exe
 
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 17:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-04 15:00:12 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-02-07 18:10:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 18:11:08
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\Installer\{d6582a8a-fca3-408e-baee-a375276e58af}\ServiceCheck.dll
-> C:\WINDOWS\Installer\{c450cddb-4f73-466b-b106-140684e84824}\ServiceSetup.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-07 18:23:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-07 18:22:57
.
2008-01-25 17:29:00 --- E O F ---
siliconman01
Global Moderator
Posts: 5270
Re: winloginhook
« Reply #5 on: Feb 7th, 2008, 1:36pm »
Okay, ComboFix did a great amount of cleaning.  Now please do this.
 
1.  Run another HijackThis scan.
 
2.  When the scan is completed, place a checkmark in the box next to the following items.  BE SURE that these are the only items checked.
 

 
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
 
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
 
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
 
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU

 
3.  Close your browser
 
4.  Click on Fix Checked in the lower left of the HijackThis window.  Confirm that you want HJT to fix these items and let it fix them.
 
5.  Close HJT and immediately reboot.
 
Now, your Java applet is severely out of date and needs to be updated for security reasons.  (C:\Program Files\Java\jre1.5.0_11)
 
1.  Please go to the link below and update Java.
 
http://www.java.com
 
2.  Once the update is installed, please go to Add/Remove Programs in the Control Panel and uninstall any old version of Java.  Unfortunately Java does not remove older versions automatically when it updates.  
 
3.  Then post back here a new HJT log.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
naanbread
Newbie
Posts: 14
Re: winloginhook
« Reply #6 on: Feb 7th, 2008, 3:05pm »
I've done all this, but stuff is still happening, like when I click links in iexplorer, it loads the page AND THEN it loads about 4 more pages of search engines searching the stuff I've typed. I can't really explain it, but you probably know what I mean.
 
Anyway, here's the log file you asked for:
 
Logfile of HijackThis v1.99.1
Scan saved at 21:02:47, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\AnalyseMe.exe
C:\Program Files\Messenger\msmsgs.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab50997.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ServiceCheck - {d6582a8a-fca3-408e-baee-a375276e58af} - C:\WINDOWS\Installer\{d6582a8a-fca3-408e-baee-a375276e58af}\ServiceCheck.dll
O21 - SSODL: zip - {25a7492e-2069-4cde-96b8-03e88fe7017f} - C:\WINDOWS\Installer\{25a7492e-2069-4cde-96b8-03e88fe7017f}\zip.dll
O21 - SSODL: ServiceSetup - {c450cddb-4f73-466b-b106-140684e84824} - C:\WINDOWS\Installer\{c450cddb-4f73-466b-b106-140684e84824}\ServiceSetup.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
siliconman01
Global Moderator
Posts: 5270
Re: winloginhook
« Reply #7 on: Feb 7th, 2008, 3:39pm »
Okay, your HJT is not showing other infections; however, there is probably more on your system that HJT cannot detect.  
 
Please do the following:
 
1.  I am confident that your System Restore is infected.  Please go to the link below and follow the instructions on how to clean up System Restore.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
2.  Delete ComboFix.exe from your Desktop so that it will not get falsely detected in the steps below.  
 
-  Also delete the Combofix Quarantine folder.
 
3.  Download and install the Trial Version of TrojanHunter.  The download link is at the top of this forum.  Once you get TrojanHunter installed, please manually update the detection rules to the latest rulesets.  (The trial version of TH does not activate the LiveUpdate module for automatic updates).  The link below is for manually updating the rulesets.
 
http://www.misec.net/trojanhunter/updating/
 
4.  Then reboot your computer into SAFE MODE.
 
5.  Run a full scan of your system with TrojanHunter.  Let it quarantine what it finds.  
 
6.  Reboot your computer into Normal Mode.  
 
7.  Run a remote scan of your system with Kaspersky AV.  The link below is for the remote scanner.
 
http://www.kaspersky.com/virusscanner
 
-  BE SURE to deactivate your other security programs (except your firewall) prior to running the Kaspersky scan.  
 
-  BE SURE to run a FULL scan of your computer.  This might take a while depending on the size of your system.
 
-  Let Kaspersky clean what it finds.  
 
8.  There is a strong probability that your HOSTS file which is used by IE7 has been infected.  Please check it as follows.
 
-  Using Windows Explorer, navigate to the etc folder located at C:\Windows\System32\Drivers\etc.  Open the etc folder.
 
-  Locate the file named HOSTS (with no extension).  
 
-  Right click on HOSTS and open it with NotePad.
 
-  The very first executable entry MUST be  
 
127.0.0.1     localhost
 
(Note that lines starting with a # are comment lines and are okay.)
 
-  Every entry after 127.0.0.1     localhost  MUST start with 127.0.0.1
 
-  If the above HOSTS file does not have  
 
127.0.0.1    localhost
 
as the first executable entry, use NotePad>edit and insert 127.0.0.1     localhost as the first entry.  
 
-  If any entries after 127.0.0.1     localhost do not start with 127.0.0.1, remove the entries.
 
-  Then SAVE the HOSTS file if you made any changes to it.
 
9.  Post back here the scan log from the TrojanHunter scan.  It is located at C:\Program Files\TrojanHunter 5.0\Scan Reports.
 
10.  Post back here the Kaspersky scan results.
 
11.  Also indicate if you found problems in your HOSTS file and if your system is now acting normally.
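The HOSTS file check in step 8 above, as an added example that is not part of the original thread: a Python script that applies the same two rules (the first executable entry must be "127.0.0.1 localhost", and every later entry must start with 127.0.0.1) and reports the offending lines instead of relying on eyeballing the file in Notepad. Both sample HOSTS contents, the example.com/example.net/example.org hostnames and the documentation-range addresses in them are constructed for illustration.

```python
"""Check a Windows HOSTS file the way step 8 above describes.

Added example, not part of the original thread. Rules applied:
  1. the first executable (non-comment) entry must be "127.0.0.1 localhost";
  2. every later executable entry must start with 127.0.0.1.
Anything else is reported so it can be reviewed and removed by hand.
"""
import re
from typing import List, Tuple

LOCALHOST = "127.0.0.1"

# Constructed sample: a clean HOSTS file. Lines starting with '#' and blank
# lines are comments and are ignored, as the post says.
SAMPLE_CLEAN = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ads.example.org   # blocking entries that point home are fine
"""

# Constructed sample: a tampered HOSTS file. The hostnames and the
# documentation-range addresses (203.0.113.x, 198.51.100.x) are placeholders.
SAMPLE_TAMPERED = """# constructed example of a hijacked HOSTS file
203.0.113.5     www.example.com
127.0.0.1       localhost
198.51.100.7    update.example.net
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each executable entry.

    A '#' anywhere on a line starts a comment, so both full-line comments
    and trailing comments are dropped before the fields are split.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def check_hosts(text: str) -> List[str]:
    """Apply the two rules from the post; an empty list means the file passes."""
    findings = []
    entries = parse_hosts(text)
    if not entries:
        return ["no executable entries: add '127.0.0.1 localhost' as the first entry"]

    # Rule 1: the very first executable entry must be 127.0.0.1 localhost.
    first_no, first_addr, first_names = entries[0]
    first_ok = (first_addr == LOCALHOST and bool(first_names)
                and first_names[0].lower() == "localhost")
    if not first_ok:
        findings.append(
            f"line {first_no}: first entry is '{first_addr} {' '.join(first_names)}', "
            "expected '127.0.0.1 localhost'"
        )

    # Rule 2: any later entry that maps a name somewhere other than 127.0.0.1
    # is a redirection and should be removed.
    for lineno, addr, names in entries[1:]:
        if addr != LOCALHOST:
            findings.append(
                f"line {lineno}: '{addr} {' '.join(names)}' does not start with "
                "127.0.0.1, remove it"
            )
    return findings


def check_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> List[str]:
    """Read a HOSTS file from disk (default: the location named in the post) and check it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return check_hosts(fh.read())


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        result = check_hosts(sample)
        print(f"{label}: {'OK' if not result else 'PROBLEMS'}")
        for finding in result:
            print("  " + finding)
```

Run it on the real file with check_hosts_file() and review each reported line before deleting it; the script only reports, it never edits the file.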
siliconman01
Global Moderator
Posts: 5270
Re: winloginhook
« Reply #8 on: Feb 8th, 2008, 12:04am »
In addition to my post above, would you please tell me what version of Norton Anti-virus you are running (NAV 2003, 2004, 2005, 2006, 2007 or 2008?)
 
Is the subscription on Norton active and are the detections up-to-date?
naanbread
Newbie
Posts: 14
Re: winloginhook
« Reply #9 on: Feb 8th, 2008, 2:02am »
Kaspersky didn't clean anything, it just had the option to send
 
The  
 
Here's the log for TrojanHunter:
 
TrojanHunter Scan Report - Saved 2008-02-08 00:18
 
Found trojan file: C:\Documents and Settings\user\Desktop\New Folder\iw3sp.exe (Generic.LdPinch.A)
Found trojan file: C:\Documents and Settings\user\Desktop\SmitfraudFix\exit.exe (RiskTool.ExitProcess.100)
Error: Error while pre-processing C:\Documents and Settings\user\My Documents\My Videos\Veoh\1_VeohSetup-3.7.1.1044.exe: Access violation at address 004DA45F in module 'TrojanHunter.exe'. Read of address 04B6D00C
Error: Error while pre-processing C:\Documents and Settings\user\My Documents\My Videos\Veoh\1_VeohSetup-3.7.1.1044.exe: Access violation at address 004DA45F in module 'TrojanHunter.exe'. Read of address 04B6D00C
Found trojan file: C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3sp.exe (Generic.LdPinch.A)
Found trojan file: C:\Program Files\DAEMON Tools\chkupd.exe (Generic.Agent.C)
Found possible trojan file: C:\Program Files\tmp150718.exe (Possible trojan downloader)
Found possible trojan file: C:\Program Files\tmp152890.exe (Possible trojan downloader)
Found possible trojan file: C:\Program Files\tmp154421.exe (Possible trojan downloader)
Found possible trojan file: C:\Program Files\tmp156328.exe (Possible trojan downloader)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\drvgopr.dll.vir (Vundo.508)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\drvmajr.dll.vir (Vundo.508)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\drvpujr.dll.vir (Vundo.508)
Found possible trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir/Upxxkronjpj (SDBot)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\ntload.sys.vir (Delf.807)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\oyaguulk.dll.vir (Generic.Vundo.B)
Found possible trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\update32.exe.vir/Upxaffmidfu (SDBot)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\vuhgdfvk.dll.vir (Generic.Vundo.B)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\wmrrwcby.dll.vir (Generic.Vundo.B)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\xpgfhxhl.dll.vir (Generic.Vundo.B)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\yvbedujp.dll.vir (Generic.Vundo.B)
Found trojan file: C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\catchme2008-02-07_181039.51.zip/jkkji.dll (Vundo.770)
Found trojan file: C:\WINDOWS\Downloaded Program Files\gsda.dll (TrojanDownloader.SpyGame.100)
Quarantined file C:\Documents and Settings\user\Desktop\New Folder\iw3sp.exe
Quarantined file C:\Documents and Settings\user\Desktop\SmitfraudFix\exit.exe
Quarantined file C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3sp.exe
Quarantined file C:\Program Files\DAEMON Tools\chkupd.exe
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\drvgopr.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\drvmajr.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\drvpujr.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\ntload.sys.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\oyaguulk.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\vuhgdfvk.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\wmrrwcby.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\xpgfhxhl.dll.vir
Quarantined file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\yvbedujp.dll.vir
Unable to clean file C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\catchme2008-02-07_181039.51.zip/jkkji.dll because it is contained in a Zip or Rar archive
Quarantined file C:\WINDOWS\Downloaded Program Files\gsda.dll
naanbread
Re: winloginhook
« Reply #10 on: Feb 8th, 2008, 2:03am »

Kaspersky:
 
KASPERSKY ONLINE SCANNER REPORT  
Friday, February 08, 2008 7:54:03 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 553665
 
 
Scan Settings  
Scan using the following antivirus database extended  
Scan Archives true  
Scan Mail Bases true  
 
Scan Target My Computer  
A:\
C:\
D:\  
 
Scan Statistics  
Total number of scanned objects 272491  
Number of viruses found 10  
Number of infected objects 27  
Number of suspicious objects 0  
Duration of the scan process 01:50:08  
 
Infected Object Name  Virus Name  Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Confdntl.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Content.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Privacy.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Restrict.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Spam.log  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\WebHist.log  Object is locked  skipped
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\user\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
C:\Documents and Settings\user\Local Settings\Application Data\Last.fm\Client\LastFmHelper.log  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF140D.tmp  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF22A7.tmp  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat  Object is locked  skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\user\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\user\ntuser.dat.LOG  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1000.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1001.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1002.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1003.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1004.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1005.log  Object is locked  skipped
C:\Program Files\Norton AntiVirus\AVApp.log  Object is locked  skipped
C:\Program Files\Norton AntiVirus\AVError.log  Object is locked  skipped
C:\Program Files\Norton AntiVirus\AVVirus.log  Object is locked  skipped
C:\Program Files\Norton Personal Firewall\nisum.dat  Object is locked  skipped
C:\Program Files\tmp143265.exe  Infected: Trojan-Downloader.Win32.Alphabet.gen  skipped
C:\Program Files\tmp145843.exe  Infected: Trojan-Downloader.Win32.Alphabet.gen  skipped
C:\Program Files\tmp147281.exe  Infected: Trojan-Downloader.Win32.Alphabet.gen  skipped
C:\Program Files\tmp156140.exe  Infected: Trojan-Downloader.Win32.Agent.ipp  skipped
C:\Program Files\tmp17527765.exe  Infected: Trojan-Downloader.Win32.Alphabet.gen  skipped
C:\Program Files\tmp17574484.exe  Infected: Trojan-Downloader.Win32.Alphabet.gen  skipped
C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll.vir  Infected: not-a-virus:AdWare.Win32.Shopper.q  skipped
C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir  Infected: Backdoor.Win32.Delf.ave  skipped
C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\update32.exe.vir  Infected: Backdoor.Win32.Delf.ave  skipped
C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\winghy32.dll.vir  Infected: Trojan.Win32.Dialer.yz  skipped
C:\RECYCLER\S-1-5-21-854245398-115176313-725345543-1004\Dc3\Quarantine\C\WINDOWS\system32\winsrc.dll.vir  Infected: not-a-virus:AdWare.Win32.BHO.ys  skipped
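The two reports above (TrojanHunter in Reply #9, Kaspersky Online Scanner in Reply #10) describe the same machine in two different line formats, and most of the hits in both are copies that an earlier tool had already moved into a quarantine folder under C:\RECYCLER (the .vir files), not files still in place. The script below is an added triage example, not code from naanbread's posts, from TrojanHunter or from Kaspersky: it parses both formats, joins the hits on normalized path, and separates live files from quarantine residue so that what still needs attention stands out. The sample lines are constructed in the two formats, with the SID shortened to a placeholder; nothing in them is taken from a real machine.

```python
"""Triage two AV scan reports by joining their hits on normalized file path."""
import re
from collections import defaultdict

# Constructed sample input in the two report formats quoted in this thread.
# The SID is a shortened placeholder; every line is illustrative.
TROJANHUNTER_REPORT = r"""
Found trojan file: C:\Program Files\DAEMON Tools\chkupd.exe (Generic.Agent.C)
Found possible trojan file: C:\Program Files\tmp150718.exe (Possible trojan downloader)
Found trojan file: C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\C\WINDOWS\system32\xpgfhxhl.dll.vir (Generic.Vundo.B)
Found possible trojan file: C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir/Upxxkronjpj (SDBot)
Found trojan file: C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\catchme2008-02-07_181039.51.zip/jkkji.dll (Vundo.770)
Quarantined file C:\Program Files\DAEMON Tools\chkupd.exe
Quarantined file C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\C\WINDOWS\system32\xpgfhxhl.dll.vir
Unable to clean file C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\catchme2008-02-07_181039.51.zip/jkkji.dll because it is contained in a Zip or Rar archive
"""

KASPERSKY_REPORT = r"""
C:\Documents and Settings\user\NTUSER.DAT  Object is locked  skipped
C:\Program Files\tmp150718.exe  Infected: Trojan-Downloader.Win32.Alphabet.gen  skipped
C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir  Infected: Backdoor.Win32.Delf.ave  skipped
C:\RECYCLER\S-1-5-21-1004\Dc3\Quarantine\C\WINDOWS\system32\winsrc.dll.vir  Infected: not-a-virus:AdWare.Win32.BHO.ys  skipped
"""

TH_FOUND = re.compile(r"^Found (possible )?trojan file: (.+) \((.+)\)$")
TH_QUAR = re.compile(r"^Quarantined file (.+)$")
TH_FAIL = re.compile(r"^Unable to clean file (.+) because (.+)$")


def split_member(raw):
    """Split 'archive.zip/member' into (container, member). Windows paths never
    contain '/', so a slash can only be the archive-member separator."""
    container, _, member = raw.partition("/")
    return container.strip().lower(), member or None


def parse_trojanhunter(text):
    """Return {path: {'hits': [(family, possible)], 'member': str|None,
    'action': str|None}} from TrojanHunter report lines."""
    hits = {}
    blank = lambda m: {"hits": [], "member": m, "action": None}
    for line in text.splitlines():
        line = line.strip()
        if m := TH_FOUND.match(line):
            path, member = split_member(m.group(2))
            hits.setdefault(path, blank(member))["hits"].append((m.group(3), bool(m.group(1))))
        elif m := TH_QUAR.match(line):
            path, _ = split_member(m.group(1))
            hits.setdefault(path, blank(None))["action"] = "quarantined"
        elif m := TH_FAIL.match(line):
            path, _ = split_member(m.group(1))
            hits.setdefault(path, blank(None))["action"] = "unable to clean: " + m.group(2)
    return hits


def parse_kaspersky(text):
    """Return {path: [names]} for 'Infected:' rows. Rows whose status is
    'Object is locked' are files the scanner could not open, not detections."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())  # columns are two-space separated
        if len(parts) != 3:
            continue
        path, status, _action = parts
        if status.startswith("Infected: "):
            container, _ = split_member(path)
            hits[container].append(status[len("Infected: "):])
    return dict(hits)


def is_quarantine_residue(path):
    """A hit inside another tool's quarantine folder, or on a .vir-renamed copy,
    is an already-neutralized file rather than a running infection."""
    return "\\quarantine\\" in path or path.endswith(".vir")


def triage(th, kav):
    """Join both reports on path into {'live': {...}, 'residue': {...}}; each
    value maps path -> {'th': [families], 'kav': [names], 'action': str|None}."""
    out = {"live": {}, "residue": {}}
    for path in sorted(set(th) | set(kav)):
        th_entry = th.get(path, {"hits": [], "action": None})
        row = {"th": [fam for fam, _ in th_entry["hits"]],
               "kav": kav.get(path, []),
               "action": th_entry["action"]}
        out["residue" if is_quarantine_residue(path) else "live"][path] = row
    return out


if __name__ == "__main__":
    report = triage(parse_trojanhunter(TROJANHUNTER_REPORT), parse_kaspersky(KASPERSKY_REPORT))
    for bucket in ("live", "residue"):
        print(f"== {bucket} ({len(report[bucket])}) ==")
        for path, row in report[bucket].items():
            print(f"{path}\n  TrojanHunter: {row['th'] or '-'}  Kaspersky: {row['kav'] or '-'}  action: {row['action']}")
```

Joining on path rather than on detection name matters because the two engines label the same file differently (in the posted logs, the quarantined ieupdates.exe.vir is "SDBot" to TrojanHunter and "Backdoor.Win32.Delf.ave" to Kaspersky), and the "live" bucket is where the downloader drops in C:\Program Files that neither scanner removed would surface.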