Daylight

Unable to run HijackThis!! Please Help!!

27 posts in this topic

Hi, I think my IE browser has been hijacked because I've been getting quite a lot of pop-ups recently. So I decided to run HijackThis for a log scan but the program won't open anymore.

 

I noticed that iexplore replaced my Internet Explorer in the start menu. Could this have anything to do with why HijackThis won't run? I even tried running it in Safe Mode but it still won't load. Plus I can't run msconfig, I had to access Safe Mode from pressing F5 on start up.

 

This is getting really serious. Every time I start up my computer a blue screen appears causing it to crash, and when I finally get it running a window says your system has recovered from a serious error. My CPU is making loud churning noises, probably because it's running a lot of processes that are beyond my control. The system is overheating big time...

 

I can now no longer start up my computer in normal mode because the blue screen comes up and crashes every time. I can only work in Safe Mode.

 

Someone please help me, it's getting really urgent...thanks!

 

Note: My CPU usage is always 50% or higher, even though I'm not running any programs...like literally just doing nothing. This is starting to worry me :weep:

Edited by Daylight


Hi, I suspect my IE browser has been hijacked because I've been getting quite a lot of pop-ups recently. I decided to run a scan using HijackThis but it won't load up. For some reason I can't run msconfig as well.

 

My CPU usage is always 50% or greater, even though I'm not running any programs...literally just doing nothing. This is really starting to worry me.

 

Please if anyone can help me, I'd really appreciate it. Thanks!

 

Btw, I'm using Windows XP.

Edited by Daylight


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Ok guys, I managed to run HijackThis after renaming it to HJT.exe.

Below is my log (done in Safe Mode). I appreciate any help. Thanks!

 

 

Logfile of HijackThis v1.99.1

Scan saved at 20:53:47, on 26/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\WINLOGON.EXE

C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/

F2 - REG:system.ini: Shell=Explorer.exe 1

O1 - Hosts: 222.208.183.175 zt.abcoll.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe

O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe

O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O15 - Trusted Zone: *.Vaio-link.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.spaces.live.com//PhotoUpload/MsnPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Please run HijackThis, Scan

Check box for:

 

F2 - REG:system.ini: Shell=Explorer.exe 1

 

O1 - Hosts: 222.208.183.175 zt.abcoll.com

 

O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe

O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe

O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

 

Select: Fix checked

 

====

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad

(Start > Run, type in: notepad):

 

C:\WINDOWS\Download\svhost32.exe

C:\Program Files\Microsoft\svhost32.exe

C:\WINDOWS\WINLOGON.EXE

C:\WINDOWS\down\rundll32.exe

C:\WINDOWS\Intel\rundll32.exe

 

 

Next, download Killbox:

http://www.downloads.subratam.org/KillBox.zip

Place it in a folder on the Desktop.

Extract Pocket KillBox from the zip file

Double-click on the red circle with white X to run it.

 

At the main screen of KillBox, select the option: Delete on Reboot

Open the Notepad file saved earlier and copy the files to the clipboard

(Highlight all (Ctrl+A) and Copy (Ctrl+C).)

 

In Killbox, go to the File menu, and choose: Paste from Clipboard

Then select: All Files (button)

Now, press the button with a red circle and a white X (Delete File button)

KillBox will alert you the files will be deleted on next reboot, click Yes

When asked to Reboot, select Yes

 

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

 

Also, if the computer does not restart automatically, please restart it manually.

 

====

You are not running an AntiVirus program or a Firewall!!

Please take action now to install.

 

Free AntiVirus programs:

 

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

 

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

 

AntiVir Personal Edition: http://www.free-av.com/

 

 

Also, you need to install a software Firewall!!

Some good free choices are:

 

ZoneAlarm:

http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za

 

Sunbelt Kerio:

http://www.sunbelt-software.com/Kerio.cfm

 

OutPost:

http://www.agnitum.com/products/outpostfree/download.php

 

====

When done, run HijackThis once again, and post a new log.

Edited by FZWG

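The entries the helper picks out above all share a pattern: a core Windows binary name (WINLOGON.EXE, rundll32.exe, a near-miss of svchost.exe) loading from somewhere other than System32, a non-standard Shell= value in system.ini, and a hosts-file redirect. The script below is an added example written for this page; it is not part of the thread, nor is it HijackThis code. It encodes those checks as heuristics of my own (the SYSTEM_NAMES list, an edit distance of at most one for look-alike names, and System32 as the only legitimate location for those names are assumptions), runs them over a constructed subset of the posted log, and then compares a "before" and "after" log to list the flagged lines that survived a fix attempt, which is exactly the complaint in the later posts.

```python
"""Heuristic triage of HijackThis 1.99.1 log lines.
Added example for this thread; not HijackThis code, not the helper's procedure."""
import re
from dataclasses import dataclass

# Core Windows binaries that malware imitates; on XP they live in System32.
# Digits are stripped before comparison, so rundll32 and rundll both become "rundll".
SYSTEM_NAMES = ("svchost", "winlogon", "rundll", "lsass", "csrss", "services", "smss")

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                 # "O4 - <body>"
O4_RE = re.compile(r"^[^\[]+: \[[^\]]*\] (?P<cmd>.*)$")     # registry-style O4 entries only
PATH_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|com|scr|bat))(?=\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def levenshtein(a, b):
    """Edit distance, used to catch look-alike names such as svhost32 vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_path(value):
    """Program path from a command such as '"C:\\x y\\z.exe" -flag' or 'rundll32.exe (file missing)'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = PATH_RE.match(value)
    return m.group(1) if m else (value.split()[0] if value else "")


def impersonation_reason(path):
    """Why a path looks like a system-binary impersonation, or None if it does not."""
    directory, _, filename = path.replace("/", "\\").rpartition("\\")
    if directory.lower().endswith("system32"):
        return None  # assumption: the genuine home of every name in SYSTEM_NAMES
    stem = re.sub(r"\d", "", filename.lower().rsplit(".", 1)[0])
    for sysname in SYSTEM_NAMES:
        if stem and levenshtein(stem, sysname) <= 1:
            return f"{filename} resembles {sysname}.exe but loads from {directory or '(no path given)'}"
    return None


def triage(log_text):
    """Return a Finding for every suspicious F2, O1, O4 or O23 line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2":  # system.ini Shell= should be exactly Explorer.exe
            sm = re.search(r"Shell=(.*)$", body)
            if sm and sm.group(1).strip().lower() != "explorer.exe":
                reason = "system.ini Shell= is not plain Explorer.exe"
        elif section == "O1":  # any hosts mapping not pointing at localhost
            hm = re.match(r"Hosts: (\S+) (\S+)", body)
            if hm and hm.group(1) != "127.0.0.1":
                reason = f"hosts file redirects {hm.group(2)} to {hm.group(1)}"
        elif section == "O4":
            om = O4_RE.match(body)
            if om:
                reason = impersonation_reason(first_path(om.group("cmd")))
        elif section == "O23":  # path is the last " - " separated field
            reason = impersonation_reason(first_path(body.rsplit(" - ", 1)[-1]))
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def persisted(before, after):
    """Flagged lines present in both logs: the fixes that did not stick."""
    return sorted({f.line for f in triage(before)} & {f.line for f in triage(after)})


# Constructed sample: a subset of the first log in this thread plus two benign entries.
LOG_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe 1
O1 - Hosts: 222.208.183.175 zt.abcoll.com
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
"""

# Constructed "after the fix" sample modelled on the later post: hosts entry and
# svhost32 loader gone, Shell= tweak and both WINLOGON loaders back again.
LOG_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe 1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f.section}: {f.reason}")
    print("persisted after fix:", *persisted(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

The System32 exclusion is what keeps the genuine `%systemroot%\system32\dumprep` entry and the real winlogon.exe process out of the findings, while the bare `rundll32.exe (file missing)` service still trips the check because it carries no directory at all. The `persisted` comparison is the useful part for a thread like this one: when the same flagged lines come back in the next log, something still running is re-creating them, so removing the entries alone is not enough.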

Ok I did what you said up to installing Grisoft's AVG Anti-Virus. But after successfully installing and restarting my laptop, an error message appeared saying: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

 

This error message also appears when I try to run the AVG Anti-Virus. And for some reason it appears again when I try to open HijackThis as well. Below is a new HijackThis log done from Safe Mode.

 

Most of the entries you told me to fix are still present in the log :rant: ...What should I do now? :scratchhead:

 

Thanks!

 

 

Logfile of HijackThis v1.99.1

Scan saved at 06:54:30, on 27/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\WINLOGON.EXE

C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/

F2 - REG:system.ini: Shell=Explorer.exe 1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe

O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe

O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe

O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O15 - Trusted Zone: *.Vaio-link.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371110.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Daylight


Restart in Safe Mode and run HijackThis

Scan, and check box for:

 

F2 - REG:system.ini: Shell=Explorer.exe 1

 

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe

O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe

O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

 

Select: Fix checked

 

====

Still in Safe Mode, enable the viewing of Hidden Files and Folders as follows:

-At your Desktop, go to Start>My Computer

-Select the Tools menu and then Folder Options

-After the new window appears select the View tab

-Select: Display the contents of system folders

-Under the Hidden files and folders section select: Show hidden files and folders

-Remove the checkmark from Hide file extensions for known file types

-Remove the checkmark from Hide protected operating system files (Recommended)

-Press the Apply button

Click OK

 

====

Still in Safe Mode, remove the following folders (bold):

C:\WINDOWS\down

C:\WINDOWS\Intel

 

Also remove the following files (bold):

C:\WINDOWS\WINLOGON.EXE

C:\WINDOWS\Download\svhost32.exe

 

====

Restart the computer normally.

 

====

Also download: combofix.exe

 

Double-click combofix.exe

Follow the prompts.

(Don't click on the window while the program is running, it may cause your system to hang.)

 

A log, combofix.txt is produced.

 

Please post combofix.txt in your reply, and a new HijackThis log.


When trying to remove C:\WINDOWS\WINLOGON.EXE, an error message came up and said: Cannot delete WINLOGON; Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

 

But after trying again, I managed to delete it...however the following entries can't seem to be fixed, they just keep coming back:

 

F2 - REG:system.ini: Shell=Explorer.exe 1

 

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

 

And along with those entries above, the C:\WINDOWS\WINLOGON.EXE file has re-appeared again. :grrr:

 

Below is the combofix.txt and a new HijackThis log (both had to be performed in Safe Mode because somehow it won't allow me to run programs in normal mode...the message from earlier comes up i.e. Windows cannot access the specified device, path, or file. etc.)

 

------------------------------------------------------

 

Hom Wah - 06-11-27 15:36:44.05 Service Pack 1

ComboFix 06.11.26W - Running from: "C:\Documents and Settings\Hom Wah\My Documents"

 

------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 19:13, on 06-11-27

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HJT.exe

C:\WINDOWS\WINLOGON.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/

F2 - REG:system.ini: Shell=Explorer.exe 1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe

O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O15 - Trusted Zone: *.Vaio-link.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371110.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Edit: Fresh HijackThis Log

Edited by Daylight


There should be a lot more to the ComboFix log than what you posted.

 

Did you get a ComboFix.txt from it?


The window closes automatically after a while. But there's nothing from it, no txt file or log...

 

The icons on my desktop disappear and there's no sign of any activity from it. How long does it generally take to produce a log?

 

The only ComboFix.txt is what I posted and it's located in my (C:) drive.

 

Thanks!

Edited by Daylight


Ok good news! I deleted ComboFix and re-downloaded it. This time it managed to complete the scan and produced a log. The old ComboFix.exe must have been truncated I guess.

 

Anyway, here's the ComboFix log...and I've also provided a fresh HijackThis log further down...

 

Thanks!

 

 

Hom Wah - 06-11-28 0:05:28.96 Service Pack 1

ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Hom Wah\My Documents"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\regedit.com

d:\pagefile.pif

d:\autorun.inf

C:\WINDOWS\1.com

C:\WINDOWS\exeroute.exe

C:\WINDOWS\explorer.com

C:\WINDOWS\finder.com

C:\WINDOWS\vbarun.dll

C:\WINDOWS\winlogon.exe

C:\WINDOWS\debug\debugprogram.exe

C:\WINDOWS\Help\wshmcepts.chm

C:\WINDOWS\system32\aamd532.dll

C:\WINDOWS\system32\command.pif

C:\WINDOWS\system32\dxdiag.com

C:\WINDOWS\system32\finder.com

C:\WINDOWS\system32\msconfig.com

C:\WINDOWS\system32\Ravdm.exe

C:\WINDOWS\system32\regedit.com

C:\WINDOWS\system32\rundll32.com

C:\WINDOWS\system32\winasse.exe

C:\WINDOWS\system32\xydll.dll

C:\WINDOWS\system32\ztdll.dll

C:\WINDOWS\system32\drivers\Rinld.sys

C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini

C:\WINDOWS\system32\8.exe

C:\Program Files\internet explorer\iexplore.com

C:\Program Files\Common Files\iexplore.pif

C:\WINDOWS\system32\8.exe

C:\WINDOWS\system32\KB8964225.log

C:\WINDOWS\system32\drivers\npf.sys

C:\Documents and Settings\All Users\Documents\Settings

C:\WINDOWS\system32\Update

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))

 

 

2006-11-27 15:49 <DIR> d-------- C:\WINDOWS\temp

2006-11-27 09:03 <DIR> d-------- C:\!KillBox

2006-11-27 06:40 42,496 --a------ C:\WINDOWS\tdll.dll

2006-11-27 06:40 <DIR> dr-h----- C:\$VAULT$.AVG

2006-11-27 06:30 <DIR> d-------- C:\Documents and Settings\Hom Wah\Application Data\AVG7

2006-11-27 06:29 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2006-11-27 06:29 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys

2006-11-27 06:29 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2006-11-27 06:29 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys

2006-11-27 06:29 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2006-11-27 06:29 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys

2006-11-27 06:29 <DIR> d-------- C:\Program Files\Grisoft

2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7

2006-11-26 00:59 3,672 --a------ C:\WINDOWS\system32\norton.sys

2006-11-22 15:03 39,936 --a------ C:\WINDOWS\rxdll.dll

2006-11-21 00:49 241,664 --a------ C:\WINDOWS\system32\cqdd.exe

2006-11-21 00:12 91,244 --a------ C:\WINDOWS\system32\ExesFisle.exe

2006-11-21 00:12 137,216 --a------ C:\WINDOWS\winpsfisle.dll

2006-11-03 18:42 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll

2006-11-02 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-11-28 00:14 -------- d-------- C:\Program Files\Internet Explorer

2006-11-28 00:14 -------- d-------- C:\Program Files\Common Files

2006-11-27 06:11 -------- d-------- C:\Program Files\Microsoft

2006-11-21 00:48 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\uTorrent

2006-11-20 06:06 -------- d-------- C:\Program Files\FlashGet

2006-10-25 00:36 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\Media Player Classic

2006-10-24 23:05 -------- d-------- C:\Program Files\K-Lite Codec Pack

2006-10-04 14:07 10675 --a------ C:\WINDOWS\system32\comine.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

@=""

"InfoPenOL"=""

"RealUpdate"="C:\\WINDOWS\\System32\\update/Update.exe"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"CARPService"="carpserv.exe"

"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"

"ATIModeChange"="Ati2mdxx.exe"

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"Mouse Suite 98 Daemon"="ICO.EXE"

"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"

"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"

"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"

"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"

"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"

"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"

"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""

"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"

"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"DAEMON Tools-1033"="\"H:\\Emulators\\D-Tools\\daemon.exe\" -lang 1033"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000005

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\

00,00,01,00,00,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=""

"{3B151C23-1C23-B150-23B1-C2315C23B150}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoColorChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoDispCPL"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"NoSaveSettings"=dword:00000000

"ClassicShell"=dword:00000000

"NoThemesTab"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktopChanges"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

Usnsvc REG_MULTI_SZ usnsvc\0\0

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Symantec NetDetect.job

 

Completion time: 06-11-28 0:14:20.94

C:\ComboFix.txt ... 06-11-28 00:14

 

 

----------------------------------------------------

 

 

Logfile of HijackThis v1.99.1

Scan saved at 01:16:20, on 28/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\ICO.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AOL 9.0\aoltray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Sony\vaio media music server\SSSvr.exe

C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe

C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

C:\WINDOWS\System32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O15 - Trusted Zone: *.Vaio-link.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371110.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Daylight
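Several of the paths ComboFix reports under "Other Deletions" above (regedit.com, msconfig.com, explorer.com, rundll32.com, dxdiag.com, iexplore.com, command.pif, iexplore.pif) share a stem with a built-in Windows tool. That is the classic name-shadowing trick: Windows tries the extensions in PATHEXT in order, and .COM comes before .EXE, so typing "msconfig" in Start > Run launches the planted .com file instead of the real program, which matches the symptom described at the top of the thread. The following is an added example, not code from this thread or from ComboFix/HijackThis: a small Python checker that takes a directory listing and reports which files would run in place of a protected program. The PATHEXT order is the documented default (assumed), the protected-name list and the .exe locations in the sample listing are assumptions, and the listing itself is constructed from paths on this page.

```python
import os
import ntpath

# Default PATHEXT order (documented Windows default, assumed here): ".COM" is tried before
# ".EXE", so when a command is typed as a bare name, regedit.com wins over regedit.exe.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC"]

# Not in PATHEXT, but the shell runs them as programs when double-clicked or passed to
# ShellExecute; a renamed PE under one of these names executes normally.
SHELL_EXECUTABLE = {".PIF", ".SCR"}

# Built-in tools an infection typically wants to block or replace (assumed list).
PROTECTED = {"regedit", "msconfig", "explorer", "iexplore", "rundll32",
             "taskmgr", "cmd", "command", "dxdiag", "hijackthis"}

# Constructed listing: shadow files named in this thread's ComboFix "Other Deletions" list,
# mixed with the legitimate .exe files they imitate (locations assumed).
SAMPLE_LISTING = [
    r"C:\WINDOWS\regedit.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\explorer.com",
    r"C:\WINDOWS\system32\regedit.com",
    r"C:\WINDOWS\system32\msconfig.com",
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\rundll32.com",
    r"C:\WINDOWS\system32\command.pif",
    r"C:\WINDOWS\system32\dxdiag.exe",
    r"C:\WINDOWS\system32\dxdiag.com",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\internet explorer\iexplore.exe",
    r"C:\Program Files\internet explorer\iexplore.com",
]


def pathext_from_env(default=DEFAULT_PATHEXT):
    """Use the live PATHEXT when running on Windows, the documented default elsewhere."""
    raw = os.environ.get("PATHEXT")
    return [e.upper() for e in raw.split(";") if e] if raw else list(default)


def find_shadowing(paths, pathext=None, protected=PROTECTED):
    """Return (path, reason) for files that would run in place of a protected program."""
    pathext = list(pathext or DEFAULT_PATHEXT)
    exe_rank = pathext.index(".EXE")
    findings = []
    for p in paths:
        # ntpath parses Windows-style paths correctly even when this runs on Linux/macOS.
        stem, ext = ntpath.splitext(ntpath.basename(p))
        ext = ext.upper()
        if stem.lower() not in protected or ext == ".EXE":
            continue
        if ext in pathext and pathext.index(ext) < exe_rank:
            findings.append((p, f"{ext} precedes .EXE in PATHEXT, so '{stem}' resolves to this file first"))
        elif ext in SHELL_EXECUTABLE:
            findings.append((p, f"{ext} is launched as a program by the shell"))
    return findings


def shadowed_programs(paths, **kw):
    """Stems that have both a shadow file and a real .exe somewhere in the listing."""
    shadows = {ntpath.splitext(ntpath.basename(p))[0].lower()
               for p, _ in find_shadowing(paths, **kw)}
    exes = {ntpath.splitext(ntpath.basename(p))[0].lower()
            for p in paths if ntpath.splitext(p)[1].upper() == ".EXE"}
    return sorted(shadows & exes)


if __name__ == "__main__":
    for path, why in find_shadowing(SAMPLE_LISTING):
        print(f"{path}: {why}")
    print("programs with both a real .exe and a shadow:", shadowed_programs(SAMPLE_LISTING))
```

On a live machine you would feed it a walk of C:\WINDOWS, C:\WINDOWS\system32 and the Program Files tree; a .com or .pif sitting beside (or anywhere on the path ahead of) a same-named .exe is a strong triage signal, to be confirmed by checking the file's size, hash and PE header before anything is deleted.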


The good news is that you got HijackThis to run in other than Safe Mode, and you also got ComboFix to work.

 

The bad news is that a very nasty Infostealer Trojan has taken hold of the computer. The Trojan changes lots of Registry keys to keep installing the infection, and may cause a lot of damage to the computer. There is also other malware present.

 

We can make an attempt to clean things up, but there is no guarantee that the malware is totally gone.

 

Knowing the above, if you want to go another round, do the following:

 

If you have an older version of Ewido, uninstall it, and download/install the new version called AVG Anti-Spyware:

http://www.ewido.net/en/download/

Locate the icon on the Desktop and double-click it to launch the program.

 

Now, update the definition files:

On the main screen select Update, and then select the Update Now link.

Next, select the Start Update button

(The update starts and a progress bar shows the updates installed.)

 

Once the update completes select: Scanner (the top of the screen)

Select the Settings tab

Once in the Settings screen click on: Recommended actions

Select: Quarantine

Under: Reports, select: Automatically generate report after every scan

Un-Select: Only if threats were found

Close AVG AS for now.

 

====

Next, launch Notepad, (Start > Run, type in: notepad)

Copy/paste all the blue REGEDIT below to it

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=-

"{3B151C23-1C23-B150-23B1-C2315C23B150}"=-

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: delete.reg

Save as Type: All files

Click: Save

Exit out of Notepad

 

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

 

====

Next, run HijackThis, Scan

Check box for:

 

O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe

 

Select: Fix checked

 

====

Reboot to Safe Mode:

-Restart your computer.

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

====

Search for and remove the following folder (bold):

C:\WINDOWS\system32\update

 

====

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

Then, go to Start >Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

RecycleBin

Agree to the prompt to perform the action...

 

====

Still in Safe Mode, launch AVG AS

Select: Scanner (at the top)

Select the Scan tab

Click on: Complete System Scan

AVG AS begins the scanning process, and it may take a while.

Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!!

 

Once the scan is complete, AVG AS lists any infections found.

It also automatically sets the recommended action.

Click: Apply all actions

AVG AS will then display: All actions have been applied

 

Next select: Reports (at the top)

Select: Save report as (lower left of the screen)

Save the report to a text file in a location where you can find it!

Close AVG AS.

 

====

Restart the computer.

 

====

Please provide the following:

The AVG AS report

A new HijackThis log
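The delete.reg above uses the REGEDIT4 form `"name"=-`, which removes a single value when the file is merged, leaving the rest of the ShellExecuteHooks key alone. As an added example (not code from this thread, the helper, or any of the tools named here), the Python below parses both the ComboFix "Reg Loading Points" dump posted earlier and this delete.reg, applies the merge the way regedit does, and produces a triage list of SharedTaskScheduler/ShellExecuteHooks entries that have no display name or a CLSID that is not even well-formed (one GUID in the dump has a nine-character first group). The sample text is constructed from lines on this page; "flagged" means "look at this", not "malicious", since legitimate hooks can also carry an empty name and must be checked against the CLSID's registered DLL path before removal.

```python
import re

# Constructed sample: the SharedTaskScheduler and ShellExecuteHooks values exactly as they
# appear in the ComboFix "Reg Loading Points" dump earlier in this thread.
DUMP = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=""
"{3B151C23-1C23-B150-23B1-C2315C23B150}"=""
"""

# The delete.reg from the post above: "name"=- removes that value when the file is merged.
DELETE_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]
"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=-
"{3B151C23-1C23-B150-23B1-C2315C23B150}"=-
"""

HOOKS_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# A well-formed CLSID: {8-4-4-4-12} hex digits, braces included.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

DELETE = object()  # sentinel for the REGEDIT4 "=-" (delete this value) form


def parse_reg(text):
    """Parse REGEDIT4-style text into {key (lower-cased): {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT4"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry keys are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data == "-":
                keys[current][name] = DELETE
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1]   # REG_SZ
            else:
                keys[current][name] = data         # dword:/hex: kept as raw text
    return keys


def apply_reg(state, patch):
    """Return a copy of state with the patch merged the way regedit merges a .reg file."""
    result = {k: dict(v) for k, v in state.items()}
    for key, values in patch.items():
        bucket = result.setdefault(key, {})
        for name, data in values.items():
            if data is DELETE:
                bucket.pop(name, None)
            else:
                bucket[name] = data
    return result


def suspicious_hooks(state):
    """Triage list: hook/scheduler entries with an empty display name or a malformed CLSID."""
    findings = []
    for key, values in state.items():
        if not (key.endswith("\\shellexecutehooks") or key.endswith("\\sharedtaskscheduler")):
            continue
        for name, data in values.items():
            reasons = []
            if not CLSID_RE.match(name):
                reasons.append("malformed CLSID")
            if data == "":
                reasons.append("empty display name")
            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    before = parse_reg(DUMP)
    for name, why in suspicious_hooks(before):
        print(f"{name}: {why}")
    after = apply_reg(before, parse_reg(DELETE_REG))
    print("hooks remaining after delete.reg:", sorted(after[HOOKS_KEY]))
```

Running the parser on the dump first and the merge second lets you see exactly which entries a cleanup file will touch before double-clicking it; anything flagged but not covered by the .reg is left as an open question for the next log, which is how the helper's round-by-round approach works.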


In addition to the above, also do the following:

 

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad

(Start > Run, type in: notepad):

 

C:\WINDOWS\rxdll.dll

C:\WINDOWS\system32\cqdd.exe

C:\WINDOWS\system32\ExesFisle.exe

C:\WINDOWS\winpsfisle.dll

 

Run KillBox

At the main screen of KillBox, select the option: Delete on Reboot

Open the Notepad file saved earlier and copy the files to the clipboard

(Highlight all (Ctrl+A) and Copy (Ctrl+C).)

 

In Killbox, go to the File menu, and choose: Paste from Clipboard

Then select: All Files (button)

Now, press the button with a red circle and a white X (Delete File button)

KillBox will alert you the files will be deleted on next reboot, click Yes

When asked to Reboot, select Yes

 

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

 

Also, if the computer does not restart automatically, please restart it manually.


For some strange reason, nothing is pasted when I try to paste from clipboard in Killbox after copying those files from notepad. I had no problems with it before.

 

Anyway, here's the report from AVG AS and a fresh HijackThis log...

 

Thanks!

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 15:15:35 28/11/2006

 

+ Scan result:

 

 

 

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107840.exe -> Downloader.Delf.akd : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107851.exe -> Downloader.Delf.anx : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108124.exe -> Downloader.Delf.anx : Cleaned.

C:\WINDOWS\system32\comine.exe -> Downloader.Delf.aza : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108132.exe -> Downloader.Delf.azz : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@axa.addcontrol[1].txt -> TrackingCookie.Addcontrol : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@banner.clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@clubdicecasino[1].txt -> TrackingCookie.Clubdicecasino : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@com[2].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@ads.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.

C:\Documents and Settings\Hom Wah\Cookies\hom wah@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107844.dll -> Trojan.Agent.hk : Cleaned.

C:\WINDOWS\system32\cqdd.exe -> Trojan.Agent.jc : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107811.exe -> Trojan.Delf.lx : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107859.exe -> Trojan.Delf.lx : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107890.exe -> Trojan.Delf.lx : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107898.exe -> Trojan.Delf.lx : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096550.exe -> Trojan.Delf.ns : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107808.exe -> Trojan.Delf.po : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107860.exe -> Trojan.Delf.po : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096561.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097585.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097616.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099640.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099656.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101665.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105681.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106779.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107848.dll -> Trojan.Delf.sv : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108120.dll -> Trojan.Gamec.bw : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096009.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096081.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096215.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096249.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096341.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096390.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096475.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096564.dll -> Trojan.Lineage.afl : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107810.exe -> Trojan.Lineage.alw : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107889.exe -> Trojan.Lineage.alw : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096010.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096082.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096216.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096250.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096342.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096391.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096476.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096562.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096584.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097586.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097614.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099637.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099658.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0100661.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0103661.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105680.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106777.dll -> Trojan.Lineage.em : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107846.dll -> Trojan.Lineage.em : Cleaned.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I3YJUFY1\c[1].gif -> Trojan.Lmir.awg : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108117.exe -> Trojan.Lmir.bah : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096085.exe -> Trojan.Lmir.bei : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108119.exe -> Trojan.Lmir.bei : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097582.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097609.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097630.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0098631.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101658.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0102658.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105675.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106773.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107809.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107841.exe -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107861.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107888.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107900.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107911.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107925.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107928.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107981.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107996.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107999.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108104.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108105.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108106.exe -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108107.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108108.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108110.EXE -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108111.exe -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108113.pif -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108114.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108115.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108116.COM -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108118.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108125.com -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108126.pif -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108129.exe -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108194.EXE -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096563.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097587.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097602.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097613.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097634.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0098634.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099639.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099659.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0100650.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0100660.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101661.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0102661.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0104656.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0104662.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0104672.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105679.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106674.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106680.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106686.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106692.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106698.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106704.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106710.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106716.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106722.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106728.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106734.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106740.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106746.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106753.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106759.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106765.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106776.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107771.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107777.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107783.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107791.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107797.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107803.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107820.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107831.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107873.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107883.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107907.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107921.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107933.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107939.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107945.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107958.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107973.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107980.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107994.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108005.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108012.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108019.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108026.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108052.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108058.pif -> Trojan.Lmir.bfa : Cleaned.

D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108083.pif -> Trojan.Lmir.bfa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107842.exe -> Trojan.Mefs.h : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107887.exe -> Trojan.Mefs.h : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107899.exe -> Trojan.Mefs.h : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108130.exe -> Trojan.Mefs.h : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096565.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097584.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097617.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099638.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099657.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101666.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106780.dll -> Trojan.Nilage.atz : Cleaned.

C:\WINDOWS\rxdll.dll -> Trojan.Nilage.atz : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108168.dll -> Trojan.Nilage.aut : Cleaned.

C:\WINDOWS\system32\ExesFisle.exe -> Trojan.Nilage.aut : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097615.dll -> Trojan.Nilage.avu : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099641.dll -> Trojan.Nilage.avu : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106783.dll -> Trojan.Nilage.avu : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107843.dll -> Trojan.Nilage.avu : Cleaned.

C:\WINDOWS\tdll.dll -> Trojan.Nilage.awa : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107847.exe -> Trojan.Nilage.awd : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108169.dll -> Trojan.QQPass.pn : Cleaned.

C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107845.exe -> Trojan.QQRob.jm : Cleaned.


----------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 15:43:07, on 28/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\ICO.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AOL 9.0\aoltray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Sony\vaio media music server\SSSvr.exe

C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe

C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O15 - Trusted Zone: *.Vaio-link.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371110.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


The HijackThis log is not showing malware! :thumbsup:

 

However, you have FlashGet installed on the computer.

The trial version bundles adware; however, if you register, the ads disappear.

 

====

Please run ComboFix once again, and post its report.


Here is the ComboFix report...

 

Edit: Oh just to let you know, an error message popped up during the ComboFix scan. It said there is no disk in the drive. Please insert a disk into drive\Device\Harddisk1\DR4. And the options available were Cancel; Try again; or Continue (I clicked continue).

 

 

Hom Wah - 06-11-29 8:45:07.93 Service Pack 1

ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Hom Wah\Desktop"

 

((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))

 

 

2006-11-28 10:46 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2006-11-28 00:50 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2006-11-28 00:50 <DIR> d-------- C:\Program Files\Zone Labs

2006-11-28 00:48 <DIR> d-------- C:\WINDOWS\Internet Logs

2006-11-28 00:14 <DIR> d-------- C:\WINDOWS\temp

2006-11-27 09:03 <DIR> d-------- C:\!KillBox

2006-11-27 06:40 <DIR> dr-h----- C:\$VAULT$.AVG

2006-11-27 06:30 <DIR> d-------- C:\Documents and Settings\Hom Wah\Application Data\AVG7

2006-11-27 06:29 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2006-11-27 06:29 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys

2006-11-27 06:29 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2006-11-27 06:29 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys

2006-11-27 06:29 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2006-11-27 06:29 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys

2006-11-27 06:29 <DIR> d-------- C:\Program Files\Grisoft

2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7

2006-11-26 00:59 3,672 --a------ C:\WINDOWS\system32\norton.sys

2006-11-03 18:42 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll

2006-11-02 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-28 10:43 -------- d-------- C:\Program Files\ewido anti-malware

2006-11-28 00:14 -------- d-------- C:\Program Files\Internet Explorer

2006-11-28 00:14 -------- d-------- C:\Program Files\Common Files

2006-11-27 06:11 -------- d-------- C:\Program Files\Microsoft

2006-11-21 00:48 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\uTorrent

2006-11-20 06:06 -------- d-------- C:\Program Files\FlashGet

2006-10-25 00:36 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\Media Player Classic

2006-10-24 23:05 -------- d-------- C:\Program Files\K-Lite Codec Pack

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

@=""

"InfoPenOL"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"CARPService"="carpserv.exe"

"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"

"ATIModeChange"="Ati2mdxx.exe"

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"Mouse Suite 98 Daemon"="ICO.EXE"

"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"

"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"

"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"

"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"

"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"

"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"

"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""

"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"

"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"DAEMON Tools-1033"="\"H:\\Emulators\\D-Tools\\daemon.exe\" -lang 1033"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\

00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoColorChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoDispCPL"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"NoSaveSettings"=dword:00000000

"ClassicShell"=dword:00000000

"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

Usnsvc REG_MULTI_SZ usnsvc\0\0

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-29 8:52:59.02

C:\ComboFix.txt ... 06-11-29 08:52

C:\ComboFix2.txt ... 06-11-28 00:14


Here's the Resolve log...

RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for Troj/Delf-ALI

Data Version 1.01

System scan started at 15:14 on 29 November 2006

Checking for in memory

Could not open process. Process ID: 1540
Could not open process. Process ID: 212
Could not open process. Process ID: 736

Checking for files affected by

Scanning C:

Could not scan 10-{703FDEF9-B8F3-62D9-F281-3A8BEB5AC131}-v1-{405C45AD-7399-4370-816C-4622E30EBF03}-v10-Downloaded.frx
Could not scan 11-{405C45AD-7399-4370-816C-4622E30EBF03}-v11-{405C45AD-7399-4370-816C-4622E30EBF03}-v11-Downloaded.frx
Could not scan 13-{405C45AD-7399-4370-816C-4622E30EBF03}-v13-{405C45AD-7399-4370-816C-4622E30EBF03}-v13-Downloaded.frx

Scanning D:

Checking for registry keys affected by

System scan finished at 15:20 on 29 November 2006

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0


Please try this also. We have to make sure dref didn't spread to any of the exe files. FZWG asked me to take a look here:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found (the check icon shown in the original post).
  • If so, click it, then click the icon right below it and select Move incurable (the move icon shown in the original post).
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv; I need that log later.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.


OK, here's the DrWeb log...

Process.exe;C:\Documents and Settings\Hom Wah\My Documents\Spyware Stuff\win32delfkil;Tool.Prockill;Incurable.Moved.;
A0106786.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107807.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107849.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.DownLoader.4995;Deleted.;
A0108017.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108024.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108346.dll;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Gamania;Deleted.;

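The DrWeb.csv report above is a semicolon-separated list with one detection per line (file;directory;threat;action). As an added example that is not part of this thread or of Dr.Web's tooling, the Python below parses such a report and separates detections in live directories from copies sitting in System Restore points, which is the first split a helper makes before deciding whether anything is still active. The field order and the restore-point path test are assumptions read off the lines posted.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) like the one posted above.

Added example: not code from this thread or from Dr.Web. The format is an
assumption read off the posted lines: one detection per line, fields
separated by ';' in the order file;directory;threat;action, trailing ';'.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the seven report lines from the post, unchanged.
SAMPLE_REPORT = r"""
Process.exe;C:\Documents and Settings\Hom Wah\My Documents\Spyware Stuff\win32delfkil;Tool.Prockill;Incurable.Moved.;
A0106786.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107807.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107849.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.DownLoader.4995;Deleted.;
A0108017.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108024.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108346.dll;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Gamania;Deleted.;
"""

# System Restore keeps copies of old files under this folder. Such copies are
# dormant unless a restore point is applied, so a helper reads them separately
# from files found in a live directory.
RESTORE_POINT_MARKER = "\\system volume information\\"


@dataclass(frozen=True)
class Detection:
    file: str
    directory: str
    threat: str
    action: str

    @property
    def family(self) -> str:
        # Dr.Web names are dotted, most general part first: Trojan.PWS.Lineage -> Trojan
        return self.threat.split(".")[0]

    @property
    def in_restore_point(self) -> bool:
        # Append a separator so a directory that ends exactly at the folder still matches.
        return RESTORE_POINT_MARKER in self.directory.lower() + "\\"


def parse_report(text: str) -> list[Detection]:
    """Parse DrWeb.csv text into Detection records; reject lines missing a field."""
    detections = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank separator lines carry nothing
        fields = line.split(";")
        if len(fields) < 4 or not all(fields[:4]):
            raise ValueError(f"line {lineno}: expected file;directory;threat;action, got {raw!r}")
        detections.append(Detection(*fields[:4]))
    return detections


def summarise(detections: list[Detection]) -> dict:
    """Group detections the way they are read: live files listed, restore-point copies counted."""
    live = [d for d in detections if not d.in_restore_point]
    dormant = [d for d in detections if d.in_restore_point]
    return {
        "total": len(detections),
        "live": [(d.file, d.directory, d.threat, d.action) for d in live],
        "restore_point_copies": len(dormant),
        "by_family": Counter(d.family for d in detections),
        "by_action": Counter(d.action for d in detections),
    }


if __name__ == "__main__":
    report = summarise(parse_report(SAMPLE_REPORT))
    print(f"{report['total']} detections, {report['restore_point_copies']} in restore points")
    for file, directory, threat, action in report["live"]:
        print(f"  live: {file} in {directory} -> {threat} ({action})")
    print("  by family:", dict(report["by_family"]))
```

On the posted report this leaves a single live-directory item (the Process.exe tool under the user's own Spyware Stuff folder) and six restore-point copies that were deleted.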

Thanks guys, everything seems to be okay...or so I thought. But it takes unusually long for the system to start up compared to before...the desktop and taskbar icons load up slowly.

The system also overheats extremely quickly causing it to get very hot in seconds...there's this constant whirring noise which sounds louder than ever, sort of like it's trying to read a disc, or loading a program or something. I never noticed any of this before I picked up that nasty trojan. Any ideas or advice please?

Anyway here's a new HijackThis log...

Logfile of HijackThis v1.99.1

Scan saved at 22:33:23, on 29/11/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\ICO.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AOL 9.0\aoltray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Sony\vaio media music server\SSSvr.exe

C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe

C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O15 - Trusted Zone: *.Vaio-link.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371110.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Are the fans operating properly? If it's a laptop, the heat is causing the processor to slow down, thus the system would act slow. Is this a laptop?


Yeah, it's a laptop/notebook...but it overheats big time within a few mins after start up. Ever since I picked up that trojan, every time I start up the system there's a few "grinding" sounds before the desktop is displayed...then during the time it loads the taskbar icons, the whirring noise kicks in. I'm sure it wasn't as hot, loud and obvious before. Heck, even the keyboard feels so warm after several minutes :unsure: ...

So I'm getting kinda worried about it.

Big thanks though for helping me out guys...I really appreciate it.


It's probably just a coincidence, as usually software doesn't affect hardware. I would look to a fan failure possibly, or dust contamination.


Cool thanks for the suggestions, I'll figure it out...

And I wanna take this time to say that SWI Forums is great :thumbsup: ...keep up the good work guys!


If you are not having malware problems, you are good to go!

Take a good look at the following suggestions to remain malware free:

Tony Klein’s article 'How Did I Get Infected In The First Place'

http://forums.spywareinfo.com/index.php?showtopic=60955

Thank you for your patience, and performing the procedures requested.

If you have any questions or comments, post back. Otherwise...

Happy Holidays!!

This topic is now closed to further replies.