damian Posted October 22, 2007

This is my HijackThis log, please help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:21 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\vifiudeb.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [searchIndexer] rundll32.exe "C:\WINDOWS\system32\whrohouu.dll",sitypnow
O4 - HKLM\..\RunOnce: [spybotDeletingA8975] command /c del "C:\WINDOWS\system32\usqtoaqr.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotDeletingC2800] cmd /c del "C:\WINDOWS\system32\usqtoaqr.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotDeletingA2065] command /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotDeletingC5864] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [spybotDeletingA1204] command /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotDeletingC743] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotDeletingA9306] command /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [spybotDeletingC5575] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\RunOnce: [spybotDeletingB809] command /c del "C:\WINDOWS\system32\usqtoaqr.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingD9651] cmd /c del "C:\WINDOWS\system32\usqtoaqr.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingB7739] command /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingD7097] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingB2384] command /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingD4224] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingB7307] command /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [spybotDeletingD296] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/html - {F9E8FA45-13A2-487F-88EF-E8D6CCC62D94} - C:\WINDOWS\System32\pjdg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5740 bytes
sari Posted October 23, 2007

damian,

Hello, and welcome to Besttechie.net. Your log tells me that Spybot has been trying to delete files on reboot, but either you haven't rebooted or it's not been able to do so. I believe you also have a Vundo infection. Please do the following for me:

Go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, right click on it, and rename it to hjt.exe. Please scan again and post the new HijackThis log for me.

Thanks,
sari
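The reply above reads the log by eye: pending Spybot "RunOnce ... _tobedeleted" entries mean a removal that never completed, and unnamed BHOs, a text/html filter hijack and Winlogon Notify packages in system32 are the Vundo pattern. The script below is an added example, written for this page and not code from the thread, HijackThis or Spybot. It parses the one-entry-per-line HijackThis format ("O2 - ...", "O4 - ...") and flags those entry types so a helper can triage a posted log quickly. The KNOWN_WINLOGON_NOTIFY baseline is an illustrative assumption, and the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass

# Winlogon Notify packages that ship with Windows XP. Illustrative assumption
# for this example; real triage would compare against a maintained baseline.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# An HJT entry is "<code> - <body>", e.g. "O2 - BHO: ...". Header lines and
# the "Running processes" paths have no such prefix and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - ")
# Matches "- Unknown owner -" and the empty owner field "- -" in O23 lines.
NO_OWNER_RE = re.compile(r" - (?:Unknown owner )?- ")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entry(line):
    """Return (code, body) for an HJT entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage(lines):
    """Run the heuristics over HJT log lines; return the entries worth a second look."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        code, body = parsed
        lowered = body.lower()
        if code == "O4" and "runonce" in lowered and "_tobedeleted" in lowered:
            # Spybot queues deletions for the next reboot; if these are still
            # present, the reboot has not happened or the delete failed.
            findings.append(Finding(code, "pending delete-on-reboot", raw))
        elif code == "O4" and "rundll32.exe" in lowered and "\\system32\\" in lowered:
            findings.append(Finding(code, "rundll32 autostart loading a DLL from system32", raw))
        elif code == "O2" and "(no name)" in body:
            if "(file missing)" in body or "(no file)" in body:
                findings.append(Finding(code, "orphaned BHO registration", raw))
            elif "\\windows\\system32\\" in lowered:
                # Legitimate BHOs live under Program Files; an unnamed one
                # loading from the system directory is the Vundo pattern.
                findings.append(Finding(code, "unnamed BHO loaded from system32", raw))
        elif code == "O18" and body.startswith("Filter hijack"):
            findings.append(Finding(code, "MIME filter hijack", raw))
        elif code == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group("name") not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(code, "non-standard Winlogon Notify package", raw))
        elif code == "O23" and NO_OWNER_RE.search(body):
            findings.append(Finding(code, "service with no identifiable owner", raw))
    return findings


def summarize(findings):
    """Count findings per HJT section code."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


# Sample lines copied from the second log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\flooptnk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2632CB6A-0A81-1938-807B-74129546BC9B} - C:\WINDOWS\System32\ekzwdgor.dll (file missing)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\System32\hggdcba.dll
O4 - HKLM\..\Run: [searchIndexer] rundll32.exe "C:\WINDOWS\system32\sojesfeb.dll",sitypnow
O4 - HKLM\..\RunOnce: [spybotDeletingC5864] cmd /c del "C:\WINDOWS\system32\hggdcba.dll_tobedeleted"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O18 - Filter hijack: text/html - {F9E8FA45-13A2-487F-88EF-E8D6CCC62D94} - C:\WINDOWS\System32\pjdg.dll
O20 - Winlogon Notify: hggdcba - C:\WINDOWS\SYSTEM32\hggdcba.dll
O20 - Winlogon Notify: winpez32 - winpez32.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\flooptnk.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.code:<4} {f.reason:<48} {f.line}")
    print(summarize(results))
```

On the sample the script flags eight entries (two O2, two O4, one O18, two O20, one O23) and leaves the Adobe, Microsoft Money, Veoh and Google entries alone. The "(no name)" test on its own is weak, since the name is just a registry string any vendor may omit; it is the combination with a system32 location or a missing file that makes an entry worth fixing, which is why the Microsoft Money BHO is not reported.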
damian Posted October 23, 2007

I hope I renamed it right. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:56 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\flooptnk.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2632CB6A-0A81-1938-807B-74129546BC9B} - C:\WINDOWS\System32\ekzwdgor.dll (file missing)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\System32\hggdcba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {B8A8BB13-5FC8-4ED8-9A79-9EA42A43DFF7} - C:\WINDOWS\system32\lgaavcrl.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\System32\gswdbqii.dll
O2 - BHO: (no name) - {D2740E58-F1E1-4A95-A305-DF80CDC78938} - C:\WINDOWS\System32\jkklk.dll
O2 - BHO: (no name) - {D5F55E01-73FA-4DED-905A-96C1FCF615A1} - C:\WINDOWS\System32\pjdg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [searchIndexer] rundll32.exe "C:\WINDOWS\system32\sojesfeb.dll",sitypnow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/html - {F9E8FA45-13A2-487F-88EF-E8D6CCC62D94} - C:\WINDOWS\System32\pjdg.dll
O20 - Winlogon Notify: hggdcba - C:\WINDOWS\SYSTEM32\hggdcba.dll
O20 - Winlogon Notify: jkklk - C:\WINDOWS\System32\jkklk.dll
O20 - Winlogon Notify: winpez32 - winpez32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\flooptnk.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5786 bytes
sari Posted October 23, 2007

damian,

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
sari
damian Posted October 24, 2007

Here goes, thank you.

ComboFix 07-10-23.2 - Front Desk 2007-10-23 17:18:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -7:00]
Running from: C:\Documents and Settings\Front Desk\Desktop\ComboFix.exe
* Created a new restore point.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Front Desk\My Documents\FNTS~1
C:\Documents and Settings\Front Desk\My Documents\SEMBLY~1
C:\Program Files\Common Files\{307EA~1
C:\Program Files\Common Files\{307EA~1\Activate.exe
C:\Program Files\Common Files\{307EA~1\Uninst.exe
C:\Program Files\Common Files\{307EA~1\UnInstall.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\oin search
C:\Program Files\oin search\OINSearch.dll
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\safety bar
C:\Program Files\safety bar\Uninstall.bat
C:\WA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\curity~1
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\hosts
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\?racle\
C:\WINDOWS\sks~1
C:\WINDOWS\stem32~1
C:\WINDOWS\stem32~1\??stem32\
C:\WINDOWS\system32\airggcro.exe
C:\WINDOWS\system32\aobikaba.exe
C:\WINDOWS\system32\befsejos.ini
C:\WINDOWS\system32\components
C:\WINDOWS\system32\dcnbwmvs.exe
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\efngdgne.ini
C:\WINDOWS\system32\engdgnfe.dll
C:\WINDOWS\system32\epwkdphg.ini
C:\WINDOWS\system32\esqygmbu.dll
C:\WINDOWS\system32\fabfshxr.exe
C:\WINDOWS\system32\fftskkat.exe
C:\WINDOWS\system32\flooptnk.exe
C:\WINDOWS\system32\ghpdkwpe.dll
C:\WINDOWS\system32\gjkogynq.dll
C:\WINDOWS\system32\gswdbqii.dll
C:\WINDOWS\system32\hggdcba.dll
C:\WINDOWS\system32\ihxiorct.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jrfpcpyq.dll
C:\WINDOWS\system32\juypdfjd.exe
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\klkkj.tmp
C:\WINDOWS\system32\kpanfmty.exe
C:\WINDOWS\system32\leohrovo.dll
C:\WINDOWS\system32\lgaavcrl.dll
C:\WINDOWS\system32\lqnrsdux.ini
C:\WINDOWS\system32\lqwgixod.exe
C:\WINDOWS\system32\lwlhdqxa.exe
C:\WINDOWS\system32\mcjtjvwy.dll
C:\WINDOWS\system32\mfjmofqw.exe
C:\WINDOWS\system32\mjfkwpeu.exe
C:\WINDOWS\system32\ocnyajps.dll
C:\WINDOWS\system32\oewmemik.exe
C:\WINDOWS\system32\oonqtouu.dll
C:\WINDOWS\system32\ovorhoel.ini
C:\WINDOWS\system32\ovqcrsad.exe
C:\WINDOWS\system32\oxwvyian.dll
C:\WINDOWS\system32\pskxxbrd.dll
C:\WINDOWS\system32\qgtfeajc.exe
C:\WINDOWS\system32\qnygokjg.ini
C:\WINDOWS\system32\qpwbkwvq.exe
C:\WINDOWS\system32\qydawuus.exe
C:\WINDOWS\system32\qypcpfrj.ini
C:\WINDOWS\system32\rdbjfdfp.exe
C:\WINDOWS\system32\sctrgnpe.exe
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sojesfeb.dll
C:\WINDOWS\system32\spjaynco.ini
C:\WINDOWS\system32\stbqbqqm.dll
C:\WINDOWS\system32\txsvslhi.exe
C:\WINDOWS\system32\ubmgyqse.ini
C:\WINDOWS\system32\upgnovqu.exe
C:\WINDOWS\system32\utmyimgn.exe
C:\WINDOWS\system32\uuohorhw.ini
C:\WINDOWS\system32\uuotqnoo.ini
C:\WINDOWS\system32\vfomowcq.exe
C:\WINDOWS\system32\vifiudeb.exe
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\wblpgdua.dll
C:\WINDOWS\system32\whrohouu.dll
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\xudsrnql.dll
C:\WINDOWS\system32\xukpitki.dll
C:\WINDOWS\system32\xwwgccln.exe
C:\WINDOWS\system32\ywvjtjcm.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.
2007-10-23 17:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 12:30 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-22 12:51 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-22 12:51 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-22 12:51 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-22 10:39 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-21 22:19 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 19:29 --------- d-----w C:\Program Files\Common Files\Real
2007-10-04 05:48 --------- d-----w C:\Documents and Settings\Front Desk\Application Data\MSN6
2001-07-26 23:58 47 -c--a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46 8,116 -c--a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39 53,248 -c--a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36 114,688 -c--a-w C:\Program Files\lxarscan.dll
2001-04-23 21:22 1,437 -c--a-w C:\Program Files\gtx73.ini
2001-02-22 16:54 768 -c--a-w C:\Program Files\x73_lut.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2632CB6A-0A81-1938-807B-74129546BC9B}]
C:\WINDOWS\System32\ekzwdgor.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5F55E01-73FA-4DED-905A-96C1FCF615A1}]
C:\WINDOWS\System32\pjdg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-07-31 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpez32]
winpez32.dll

R2 SonyFKC;Keyboard State Detection Service;C:\WINDOWS\system32\Drivers\SonyFKC.sys
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S3 SISNPF;SIS Netgroup Packet Filter;C:\WINDOWS\system32\drivers\SISNPF.sys
.
Contents of the 'Scheduled Tasks' folder
"2005-03-22 22:47:05 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-03-22 22:47:05 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-03-22 22:47:05 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 17:37:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-23 17:39:11 - machine was rebooted
.
--- E O F ---
sari Posted October 24, 2007

damian,

That cleaned up a lot of nasty files. May I please see a new HijackThis log?

Thanks,
sari
damian Posted October 25, 2007

You are an angel. New HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:36 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2632CB6A-0A81-1938-807B-74129546BC9B} - C:\WINDOWS\System32\ekzwdgor.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {D5F55E01-73FA-4DED-905A-96C1FCF615A1} - C:\WINDOWS\System32\pjdg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: winpez32 - winpez32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5107 bytes
sari Posted October 25, 2007

damian,

I'm sure there are people that would say I'm no angel! My kids, especially.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

HJT Entries go here

Now close all windows other than HiJackThis, then click Fix Checked.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please post a new HijackThis log and let me know how things are running.

sari
damian Posted October 26, 2007

There are no entries listed. How many kids?
sari Posted October 26, 2007

damian,

Sorry about that. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2632CB6A-0A81-1938-807B-74129546BC9B} - C:\WINDOWS\System32\ekzwdgor.dll (file missing)
O2 - BHO: (no name) - {D5F55E01-73FA-4DED-905A-96C1FCF615A1} - C:\WINDOWS\System32\pjdg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: winpez32 - winpez32.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

I have 2 teenage girls (and no sanity left).

sari
damian Posted October 27, 2007

Here is my new log file. Thanks again. 2 teens, wow, that's rough. I have a 3 yr boy and am expecting twins!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:12 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4704 bytes
sari Posted November 1, 2007

damian,

Your log is clean now - how are things running? You'll have no sanity left after your twins are born! Congratulations on that!

sari