
Unable to run HijackThis!! Please Help!!


  • This topic is locked
26 replies to this topic

#1 Daylight

    Member

  • Full Member
  • 57 posts

Posted 20 November 2006 - 08:21 PM

Hi, I think my IE browser has been hijacked because I've been getting quite a lot of pop-ups recently. So I decided to run HijackThis for a log scan but the program won't open anymore.

I noticed that iexplore replaced my Internet Explorer in the start menu. Could this have anything to do with why HijackThis won't run? I even tried running it in Safe Mode but it still won't load. Plus I can't run msconfig; I had to access Safe Mode by pressing F5 on start-up.

This is getting really serious. Every time I start up my computer a blue screen appears, causing it to crash, and when I finally get it running a window says your system has recovered from a serious error. My CPU is making loud churning noises, probably because it's running a lot of processes that are beyond my control. The system is overheating big time...

I can now no longer start up my computer in normal mode because the blue screen comes up and crashes every time. I can only work in Safe Mode.

Someone please help me, it's getting really urgent...thanks!

Note: My CPU usage is always 50% or higher, even though I'm not running any programs...like literally just doing nothing. This is starting to worry me :weep:

Edited by Daylight, 25 November 2006 - 07:55 PM.


#2 Daylight

    Member

  • Full Member
  • 57 posts

Posted 20 November 2006 - 09:24 PM

Hi, I suspect my IE browser has been hijacked because I've been getting quite a lot of pop-ups recently. I decided to run a scan using HijackThis but it won't load up. For some reason I can't run msconfig as well.

My CPU usage is always 50% or greater, even though I'm not running any programs...literally just doing nothing. This is really starting to worry me.

Please if anyone can help me, I'd really appreciate it. Thanks!

Btw, I'm using Windows XP.

Edited by Daylight, 20 November 2006 - 09:29 PM.


#3 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,485 posts

Posted 23 November 2006 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 Daylight

    Member

  • Full Member
  • 57 posts

Posted 26 November 2006 - 03:57 PM

Ok guys, I managed to run HijackThis after renaming it to HJT.exe.
Below is my log (done in Safe Mode). I appreciate any help. Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 20:53:47, on 26/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
F2 - REG:system.ini: Shell=Explorer.exe 1
O1 - Hosts: 222.208.183.175 zt.abcoll.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.s...ad/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 26 November 2006 - 10:10 PM

Please run HijackThis, Scan
Check box for:

F2 - REG:system.ini: Shell=Explorer.exe 1

O1 - Hosts: 222.208.183.175 zt.abcoll.com

O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

Select: Fix checked

====
Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Run, type in: notepad):

C:\WINDOWS\Download\svhost32.exe
C:\Program Files\Microsoft\svhost32.exe
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\down\rundll32.exe
C:\WINDOWS\Intel\rundll32.exe



Next, download Killbox:
http://www.downloads...org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Double-click on the red circle with white X to run it.

At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl+C)).

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

====
You are not running an AntiVirus program or a Firewall!!
Please take action now to install.

Free AntiVirus programs:

Grisoft's AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

avast! 4 Home: http://www.avast.com...ast_4_home.html

AntiVir Personal Edition: http://www.free-av.com/


Also, you need to install a software Firewall!!
Some good free choices are:

ZoneAlarm:
http://www.zonelabs....lid=dbtopnav_za

Sunbelt Kerio:
http://www.sunbelt-s...e.com/Kerio.cfm

OutPost:
http://www.agnitum.c...ee/download.php

====
When done, run HijackThis once again, and post a new log.

Edited by FZWG, 26 November 2006 - 10:23 PM.


There are times when everything is understood...then one regains consciousness!
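The triage FZWG does by eye in the post above (a system.ini Shell= line with an extra argument, a hosts-file override, autostart entries pointing at odd folders under C:\WINDOWS, a second WINLOGON.EXE outside System32, and an entry in the Win9x-era RunServices key) can be written down as a handful of rules. The script below is an added example, not code from the thread or from the HijackThis tool itself: it parses a constructed, condensed copy of the log posted above and reports the entries a helper would question. EXPECTED_DIR, LOOKALIKES and KNOWN_WINDOWS_SUBDIRS are illustrative assumptions, not complete lists.

```python
"""Rule-based triage of a HijackThis 1.99 log (added example, not the tool's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Where each core Windows XP binary legitimately lives (lower-cased). A file with
# the same name anywhere else, such as C:\WINDOWS\WINLOGON.EXE, is a masquerade.
# Illustrative assumption: this table is not exhaustive.
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Names chosen to resemble svchost.exe (illustrative assumption, not a full list).
LOOKALIKES = {"svhost32.exe", "svhost.exe", "scvhost.exe", "svchosts.exe"}
# Subfolders of C:\WINDOWS from which startup executables are normally run.
KNOWN_WINDOWS_SUBDIRS = {"system32", "system"}

# Constructed, condensed sample in the format of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE

F2 - REG:system.ini: Shell=Explorer.exe 1
O1 - Hosts: 222.208.183.175 zt.abcoll.com
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


@dataclass(frozen=True)
class Finding:
    line: str    # the log line that was flagged
    reason: str  # why a helper would question it


_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def executable_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_path(path: str) -> list[str]:
    """Reasons a startup or process path looks wrong; empty list if it looks normal."""
    reasons = []
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if name in LOOKALIKES:
        reasons.append(f"{name} mimics a system binary name")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and directory != expected:
        reasons.append(f"{name} outside its expected directory {expected}")
    if directory.startswith("c:\\windows\\"):
        sub = directory[len("c:\\windows\\"):].split("\\", 1)[0]
        if sub not in KNOWN_WINDOWS_SUBDIRS:
            reasons.append(f"executable in unusual Windows subfolder C:\\WINDOWS\\{sub}")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect every entry that trips a rule."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            for r in check_path(line):
                findings.append(Finding(line, "running process: " + r))
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1]
            if shell.strip().lower() != "explorer.exe":
                findings.append(Finding(line, "system.ini Shell= is not exactly Explorer.exe"))
        elif line.startswith("O1 - Hosts:"):
            findings.append(Finding(line, "hosts-file override redirects a host name"))
        elif (m := _O4.match(line)):
            reasons = check_path(executable_from_command(m.group("cmd")))
            if "runservices" in m.group("key").lower():
                reasons.append("RunServices key is not processed by Windows XP; entries there are a malware tell")
            for r in reasons:
                findings.append(Finding(line, "autostart: " + r))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    <- {f.line}")
```

The rules deliberately stay narrow so that ordinary vendor entries (Apoint, QuickTime, LXSUPMON, Messenger) pass untouched; on the sample they flag exactly the lines FZWG asked to be fixed, plus the masquerading C:\WINDOWS\WINLOGON.EXE in the process list.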

#6 Daylight

    Member

  • Full Member
  • 57 posts

Posted 27 November 2006 - 02:04 AM

Ok I did what you said up to installing Grisoft's AVG Anti-Virus. But after successfully installing and restarting my laptop, an error message appeared saying: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

This error message also appears when I try to run the AVG Anti-Virus. And for some reason it appears again when I try to open HijackThis as well. Below is a new HijackThis log done from Safe Mode.

Most of the entries you told me to fix are still present in the log :rant: ...What should I do now? :scratchhead:

Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 06:54:30, on 27/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.s...ad/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...anner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Daylight, 27 November 2006 - 02:14 AM.


#7 FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 27 November 2006 - 09:51 AM

Restart in Safe Mode and run HijackThis
Scan, and check box for:

F2 - REG:system.ini: Shell=Explorer.exe 1

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

Select: Fix checked

====
Still in Safe Mode, enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
Click OK

====
Still in Safe Mode, remove the following folders (bold):
C:\WINDOWS\down
C:\WINDOWS\Intel

Also remove the following files (bold):
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\Download\svhost32.exe

====
Restart the computer normally.

====
Also download: combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

Please post combofix.txt in your reply, and a new HijackThis log.

There are times when everything is understood...then one regains consciousness!

#8 Daylight

    Member

  • Full Member
  • 57 posts

Posted 27 November 2006 - 10:59 AM

When trying to remove C:\WINDOWS\WINLOGON.EXE, an error message came up and said: Cannot delete WINLOGON; Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

But after trying again, I managed to delete it...however the following entries can't seem to be fixed, they just keep coming back:

F2 - REG:system.ini: Shell=Explorer.exe 1

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

And along with those entries above, the C:\WINDOWS\WINLOGON.EXE file has re-appeared again. :grrr:

Below is the combofix.txt and a new HijackThis log (both had to be performed in Safe Mode because somehow it won't allow me to run programs in normal mode...the message from earlier comes up i.e. Windows cannot access the specified device, path, or file. etc.)

------------------------------------------------------

Hom Wah - 06-11-27 15:36:44.05 Service Pack 1
ComboFix 06.11.26W - Running from: "C:\Documents and Settings\Hom Wah\My Documents"

------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:13, on 06-11-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HJT.exe
C:\WINDOWS\WINLOGON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.s...ad/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...anner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Edit: Fresh HijackThis Log

Edited by Daylight, 27 November 2006 - 02:22 PM.


#9 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • PipPipPipPipPip
  • 2,125 posts

Posted 27 November 2006 - 06:17 PM

There should be a lot more to the ComboFix log than what you posted.

Did you get a ComboFix.txt from it?

There are times when everything is understood...then one regains consciousness!

#10 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 27 November 2006 - 06:27 PM

The window closes automatically after a while. But there's nothing from it, no txt file or log...

The icons on my desktop disappear and there's no sign of any activity from it. How long does it generally take to produce a log?

The only ComboFix.txt is what I posted and it's located in my (C:) drive.

Thanks!

Edited by Daylight, 27 November 2006 - 06:32 PM.


#11 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 27 November 2006 - 07:40 PM

Ok good news! I deleted ComboFix and re-downloaded it. This time it managed to complete the scan and produced a log. The old ComboFix.exe must have been truncated I guess.

Anyway, here's the ComboFix log...and I've also provided a fresh HijackThis log further down...

Thanks!


Hom Wah - 06-11-28 0:05:28.96 Service Pack 1
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Hom Wah\My Documents"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\regedit.com
d:\pagefile.pif
d:\autorun.inf
C:\WINDOWS\1.com
C:\WINDOWS\exeroute.exe
C:\WINDOWS\explorer.com
C:\WINDOWS\finder.com
C:\WINDOWS\vbarun.dll
C:\WINDOWS\winlogon.exe
C:\WINDOWS\debug\debugprogram.exe
C:\WINDOWS\Help\wshmcepts.chm
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\dxdiag.com
C:\WINDOWS\system32\finder.com
C:\WINDOWS\system32\msconfig.com
C:\WINDOWS\system32\Ravdm.exe
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\rundll32.com
C:\WINDOWS\system32\winasse.exe
C:\WINDOWS\system32\xydll.dll
C:\WINDOWS\system32\ztdll.dll
C:\WINDOWS\system32\drivers\Rinld.sys
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini
C:\WINDOWS\system32\8.exe
C:\Program Files\internet explorer\iexplore.com
C:\Program Files\Common Files\iexplore.pif
C:\WINDOWS\system32\8.exe
C:\WINDOWS\system32\KB8964225.log
C:\WINDOWS\system32\drivers\npf.sys
C:\Documents and Settings\All Users\Documents\Settings
C:\WINDOWS\system32\Update


((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))


2006-11-27 15:49 <DIR> d-------- C:\WINDOWS\temp
2006-11-27 09:03 <DIR> d-------- C:\!KillBox
2006-11-27 06:40 42,496 --a------ C:\WINDOWS\tdll.dll
2006-11-27 06:40 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-27 06:30 <DIR> d-------- C:\Documents and Settings\Hom Wah\Application Data\AVG7
2006-11-27 06:29 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-27 06:29 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-27 06:29 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-27 06:29 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-27 06:29 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-27 06:29 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-27 06:29 <DIR> d-------- C:\Program Files\Grisoft
2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-26 00:59 3,672 --a------ C:\WINDOWS\system32\norton.sys
2006-11-22 15:03 39,936 --a------ C:\WINDOWS\rxdll.dll
2006-11-21 00:49 241,664 --a------ C:\WINDOWS\system32\cqdd.exe
2006-11-21 00:12 91,244 --a------ C:\WINDOWS\system32\ExesFisle.exe
2006-11-21 00:12 137,216 --a------ C:\WINDOWS\winpsfisle.dll
2006-11-03 18:42 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2006-11-02 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 00:14 -------- d-------- C:\Program Files\Internet Explorer
2006-11-28 00:14 -------- d-------- C:\Program Files\Common Files
2006-11-27 06:11 -------- d-------- C:\Program Files\Microsoft
2006-11-21 00:48 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\uTorrent
2006-11-20 06:06 -------- d-------- C:\Program Files\FlashGet
2006-10-25 00:36 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\Media Player Classic
2006-10-24 23:05 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-10-04 14:07 10675 --a------ C:\WINDOWS\system32\comine.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
@=""
"InfoPenOL"=""
"RealUpdate"="C:\\WINDOWS\\System32\\update/Update.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CARPService"="carpserv.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools-1033"="\"H:\\Emulators\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=""
"{3B151C23-1C23-B150-23B1-C2315C23B150}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-28 0:14:20.94
C:\ComboFix.txt ... 06-11-28 00:14


----------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 01:16:20, on 28/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.s...ad/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...anner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Daylight, 27 November 2006 - 08:17 PM.


#12 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • PipPipPipPipPip
  • 2,125 posts

Posted 27 November 2006 - 10:47 PM

The good news is that you got HijackThis to run in other than Safe Mode, and you also got ComboFix to work.

The bad news is that a very nasty Infostealer Trojan has taken hold of the computer. The Trojan changes lots of Registry keys to keep installing the infection, and may cause a lot of damage to the computer. There is also other malware present.

We can make an attempt to clean things up, but there is no guarantee that the malware is totally gone.

Knowing the above, if you want to go another round, do the following:

If you have an older version of Ewido, uninstall it, and download/install the new version called AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

====
Next, launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=-
"{3B151C23-1C23-B150-23B1-C2315C23B150}"=-


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

====
Next, run HijackThis, Scan
Check box for:

O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\System32\update/Update.exe

Select: Fix checked

====
Reboot to Safe Mode:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

====
Search for and remove the following folder (bold):
C:\WINDOWS\system32\update

====
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

====
Still in Safe Mode, launch AVG AS
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

====
Restart the computer.

====
Please provide the following:
The AVG AS report
A new HijackThis log

There are times when everything is understood...then one regains consciousness!

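How the delete.reg step in the post above actually works, as an added Python example that is not part of the thread or of any tool named in it: a small REGEDIT4 parser applied to an in-memory copy of the shellexecutehooks key taken from the ComboFix dump, showing that `"name"=-` removes exactly the two listed CLSIDs and leaves the ewido entry alone. The registry model and the `apply_reg` helper are constructed stand-ins for the Windows registry, not a real API.

```python
import copy
import re

# Constructed in-memory model of a registry subtree: key path (lower-cased) -> {value name: raw data}.
# It stands in for the Windows registry so the merge can be checked offline; it is not the real API.
SHELLEXECUTEHOOKS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
)
SAMPLE_REGISTRY = {
    SHELLEXECUTEHOOKS: {
        "{AEB6717E-7E19-11d0-97EE-00C04FD91972}": '""',
        "{54D9498B-CF93-414F-8984-8CE7FDE0D391}": '"ewido shell guard"',
        "{81559C35-8464-49F7-BB0E-07A383BEF910}": '""',
        "{267709FD-A691-43B0-BF38-0DF6887A9B44}": '""',
        "{3B151C23-1C23-B150-23B1-C2315C23B150}": '""',
    },
}

# The delete.reg fragment from the post, verbatim.
DELETE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{267709FD-A691-43B0-BF38-0DF6887A9B44}"=-
"{3B151C23-1C23-B150-23B1-C2315C23B150}"=-
"""

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _logical_lines(text):
    """Yield non-empty, non-comment lines, joining hex data continued with a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line and not line.startswith(";"):
            yield line
    if pending:
        yield pending


def parse_reg(text):
    """Parse REGEDIT4 text into (op, key, name, data) tuples.

    op is 'delete_key', 'delete_value' or 'set_value'. Value names are unescaped;
    '' is the key's default value (written as @ in .reg files)."""
    lines = list(_logical_lines(text))
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, key = [], None
    for line in lines[1:]:
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.group(1), m.group(2).lower()
            if minus:                      # [-KEY] deletes the whole key
                ops.append(("delete_key", key, None, None))
                key = None
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {line}")
        name_tok, data = m.group(1), m.group(2)
        name = "" if name_tok == "@" else re.sub(r"\\(.)", r"\1", name_tok[1:-1])
        if data == "-":                    # "name"=- deletes one value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops


def apply_reg(registry, ops):
    """Apply parsed operations to a copy of the registry model and return it.
    Like regedit, deleting a value or key that does not exist is silently ignored."""
    reg = copy.deepcopy(registry)
    for op, key, name, data in ops:
        if op == "delete_key":
            for k in [k for k in reg if k == key or k.startswith(key + "\\")]:
                del reg[k]
        elif op == "delete_value":
            reg.get(key, {}).pop(name, None)
        else:
            reg.setdefault(key, {})[name] = data
    return reg


def remaining_hooks(registry=SAMPLE_REGISTRY, reg_text=DELETE_REG):
    """Return the shellexecutehooks CLSIDs left after merging the delete.reg fragment."""
    merged = apply_reg(registry, parse_reg(reg_text))
    return sorted(merged[SHELLEXECUTEHOOKS])


if __name__ == "__main__":
    for op in parse_reg(DELETE_REG):
        print(op)
    print("left after merge:", remaining_hooks())
```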
#13 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • PipPipPipPipPip
  • 2,125 posts

Posted 28 November 2006 - 09:17 AM

In addition to the above, also do the following:

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Run, type in: notepad):

C:\WINDOWS\rxdll.dll
C:\WINDOWS\system32\cqdd.exe
C:\WINDOWS\system32\ExesFisle.exe
C:\WINDOWS\winpsfisle.dll


Run KillBox
At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl+C).)

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

There are times when everything is understood...then one regains consciousness!

#14 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 28 November 2006 - 10:52 AM

For some strange reason, nothing is pasted when I try to paste from clipboard in Killbox after copying those files from notepad. I had no problems with it before.

Anyway, here's the report from AVG AS and a fresh HijackThis log...

Thanks!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:15:35 28/11/2006

+ Scan result:
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107840.exe -> Downloader.Delf.akd : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107851.exe -> Downloader.Delf.anx : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108124.exe -> Downloader.Delf.anx : Cleaned.
C:\WINDOWS\system32\comine.exe -> Downloader.Delf.aza : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108132.exe -> Downloader.Delf.azz : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@axa.addcontrol[1].txt -> TrackingCookie.Addcontrol : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@banner.clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@clubdicecasino[1].txt -> TrackingCookie.Clubdicecasino : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@ads.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Hom Wah\Cookies\hom wah@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107844.dll -> Trojan.Agent.hk : Cleaned.
C:\WINDOWS\system32\cqdd.exe -> Trojan.Agent.jc : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107811.exe -> Trojan.Delf.lx : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107859.exe -> Trojan.Delf.lx : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107890.exe -> Trojan.Delf.lx : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107898.exe -> Trojan.Delf.lx : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096550.exe -> Trojan.Delf.ns : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107808.exe -> Trojan.Delf.po : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107860.exe -> Trojan.Delf.po : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096561.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097585.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097616.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099640.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099656.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101665.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105681.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106779.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107848.dll -> Trojan.Delf.sv : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108120.dll -> Trojan.Gamec.bw : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096009.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096081.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096215.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096249.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096341.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096390.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096475.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096564.dll -> Trojan.Lineage.afl : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107810.exe -> Trojan.Lineage.alw : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107889.exe -> Trojan.Lineage.alw : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096010.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096082.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096216.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP494\A0096250.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096342.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096391.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096476.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096562.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096584.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097586.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097614.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099637.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099658.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0100661.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0103661.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105680.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106777.dll -> Trojan.Lineage.em : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107846.dll -> Trojan.Lineage.em : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I3YJUFY1\c[1].gif -> Trojan.Lmir.awg : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108117.exe -> Trojan.Lmir.bah : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP493\A0096085.exe -> Trojan.Lmir.bei : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108119.exe -> Trojan.Lmir.bei : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097582.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097609.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097630.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0098631.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101658.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0102658.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105675.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106773.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107809.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107841.exe -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107861.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107888.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107900.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107911.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107925.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107928.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107981.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107996.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107999.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108104.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108105.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108106.exe -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108107.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108108.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108110.EXE -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108111.exe -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108113.pif -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108114.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108115.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108116.COM -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108118.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108125.com -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108126.pif -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108129.exe -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108194.EXE -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096563.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097587.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097602.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097613.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097634.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0098634.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099639.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099659.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0100650.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0100660.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101661.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0102661.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0104656.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0104662.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0104672.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0105679.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106674.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106680.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106686.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106692.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106698.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106704.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106710.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106716.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106722.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106728.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106734.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106740.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106746.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106753.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106759.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106765.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106776.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107771.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107777.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107783.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107791.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107797.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107803.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107820.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107831.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107873.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107883.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107907.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107921.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107933.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107939.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107945.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107958.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107973.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107980.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107994.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108005.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108012.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108019.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108026.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108052.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108058.pif -> Trojan.Lmir.bfa : Cleaned.
D:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108083.pif -> Trojan.Lmir.bfa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107842.exe -> Trojan.Mefs.h : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107887.exe -> Trojan.Mefs.h : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107899.exe -> Trojan.Mefs.h : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108130.exe -> Trojan.Mefs.h : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0096565.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097584.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097617.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099638.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099657.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0101666.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106780.dll -> Trojan.Nilage.atz : Cleaned.
C:\WINDOWS\rxdll.dll -> Trojan.Nilage.atz : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108168.dll -> Trojan.Nilage.aut : Cleaned.
C:\WINDOWS\system32\ExesFisle.exe -> Trojan.Nilage.aut : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0097615.dll -> Trojan.Nilage.avu : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0099641.dll -> Trojan.Nilage.avu : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0106783.dll -> Trojan.Nilage.avu : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107843.dll -> Trojan.Nilage.avu : Cleaned.
C:\WINDOWS\tdll.dll -> Trojan.Nilage.awa : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107847.exe -> Trojan.Nilage.awd : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0108169.dll -> Trojan.QQPass.pn : Cleaned.
C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495\A0107845.exe -> Trojan.QQRob.jm : Cleaned.


::Report end




----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:43:07, on 28/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.s...ad/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...anner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#15 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • PipPipPipPipPip
  • 2,125 posts

Posted 28 November 2006 - 10:00 PM

The HijackThis log is not showing malware! :thumbsup:

However, you have FlashGet installed on the computer.
The trial version bundles adware; however, if you register, the ads disappear.

====
Please run ComboFix once again, and post its report.

There are times when everything is understood...then one regains consciousness!

#16 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 November 2006 - 03:55 AM

Here is the ComboFix report...

Edit: Oh, just to let you know, an error message popped up during the ComboFix scan. It said "There is no disk in the drive. Please insert a disk into drive \Device\Harddisk1\DR4." The options available were Cancel, Try Again or Continue (I clicked Continue).


Hom Wah - 06-11-29 8:45:07.93 Service Pack 1
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Hom Wah\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-28 10:46 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-28 00:50 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-28 00:50 <DIR> d-------- C:\Program Files\Zone Labs
2006-11-28 00:48 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-28 00:14 <DIR> d-------- C:\WINDOWS\temp
2006-11-27 09:03 <DIR> d-------- C:\!KillBox
2006-11-27 06:40 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-27 06:30 <DIR> d-------- C:\Documents and Settings\Hom Wah\Application Data\AVG7
2006-11-27 06:29 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-27 06:29 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-27 06:29 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-27 06:29 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-27 06:29 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-27 06:29 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-27 06:29 <DIR> d-------- C:\Program Files\Grisoft
2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-27 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-26 00:59 3,672 --a------ C:\WINDOWS\system32\norton.sys
2006-11-03 18:42 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2006-11-02 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 10:43 -------- d-------- C:\Program Files\ewido anti-malware
2006-11-28 00:14 -------- d-------- C:\Program Files\Internet Explorer
2006-11-28 00:14 -------- d-------- C:\Program Files\Common Files
2006-11-27 06:11 -------- d-------- C:\Program Files\Microsoft
2006-11-21 00:48 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\uTorrent
2006-11-20 06:06 -------- d-------- C:\Program Files\FlashGet
2006-10-25 00:36 -------- d-------- C:\Documents and Settings\Hom Wah\Application Data\Media Player Classic
2006-10-24 23:05 -------- d-------- C:\Program Files\K-Lite Codec Pack


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
@=""
"InfoPenOL"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CARPService"="carpserv.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools-1033"="\"H:\\Emulators\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-29 8:52:59.02
C:\ComboFix.txt ... 06-11-29 08:52
C:\ComboFix2.txt ... 06-11-28 00:14

Edited by Daylight, 29 November 2006 - 03:57 AM.


#17 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • PipPipPipPipPip
  • 2,125 posts

Posted 29 November 2006 - 09:50 AM

Please download Windows disinfector DELFAGUI:
http://www.sophos.co...ction/delf.html
Run DELFAGUI
Click the GO button to start the scan

When the scan is done, a C:\resolve.log is produced.
Please post the log in your reply.

There are times when everything is understood...then one regains consciousness!

#18 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 November 2006 - 10:23 AM

Here's the Resolve log...



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for Troj/Delf-ALI

Data Version 1.01

System scan started at 15:14 on 29 November 2006

Checking for in memory

Could not open process. Process ID: 1540

Could not open process. Process ID: 212

Could not open process. Process ID: 736

Checking for files affected by

Scanning C:


Could not scan 10-{703FDEF9-B8F3-62D9-F281-3A8BEB5AC131}-v1-{405C45AD-7399-4370-816C-4622E30EBF03}-v10-Downloaded.frx

Could not scan 11-{405C45AD-7399-4370-816C-4622E30EBF03}-v11-{405C45AD-7399-4370-816C-4622E30EBF03}-v11-Downloaded.frx

Could not scan 13-{405C45AD-7399-4370-816C-4622E30EBF03}-v13-{405C45AD-7399-4370-816C-4622E30EBF03}-v13-Downloaded.frx

Scanning D:


Checking for registry keys affected by


System scan finished at 15:20 on 29 November 2006

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0

#19 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 29 November 2006 - 12:28 PM

Please try this also. We have to make sure dref didn't spread to any of the .exe files. FZWG asked me to take a look here.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv; I need that log later.
  • Close Dr.Web CureIt.
  • Reboot your computer, because it is possible that files in use will be moved/deleted during the reboot.




#20 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 November 2006 - 03:48 PM

OK, here's the DrWeb log...


Process.exe;C:\Documents and Settings\Hom Wah\My Documents\Spyware Stuff\win32delfkil;Tool.Prockill;Incurable.Moved.;
A0106786.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107807.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107849.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.DownLoader.4995;Deleted.;
A0108017.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108024.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108346.dll;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Gamania;Deleted.;
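
Dr.Web CureIt writes its report as one semicolon-separated line per detection (file name; folder; verdict; action), as in the log above. The following Python script is an added example, not part of the thread or of Dr.Web's own tooling: it parses such a report and summarises what was found, separating hits that sit in System Restore snapshots (the `_restore{GUID}\RPnnn` folders, which are dormant copies that would only return on a rollback) from anything still live on disk. The sample report is constructed from the lines posted above; the `Tool.*` riskware note and the restore-point and "still live" checks are triage rules added here, not Dr.Web's.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) for triage.

Added example, not part of the forum thread or of Dr.Web. Each report line is
"file name;folder;verdict;action;" as in the log posted above.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: the DrWeb.csv lines posted in the thread.
SAMPLE_REPORT = r"""
Process.exe;C:\Documents and Settings\Hom Wah\My Documents\Spyware Stuff\win32delfkil;Tool.Prockill;Incurable.Moved.;
A0106786.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107807.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Lineage;Deleted.;
A0107849.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.DownLoader.4995;Deleted.;
A0108017.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108024.exe;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;BackDoor.Pigeon.83;Deleted.;
A0108346.dll;C:\System Volume Information\_restore{6A32A5FD-2EC1-452C-BFEA-8AA6D45A8641}\RP495;Trojan.PWS.Gamania;Deleted.;
"""


class Hit(NamedTuple):
    name: str
    folder: str
    verdict: str
    action: str

    @property
    def path(self) -> str:
        return self.folder + "\\" + self.name

    @property
    def in_restore_point(self) -> bool:
        # Copies held in a System Restore snapshot (..\_restore{GUID}\RPnnn) are
        # not running code, but rolling back to that point would bring them back,
        # which is why helpers have the old restore points cleared afterwards.
        return "\\system volume information\\_restore" in self.folder.lower()

    @property
    def is_riskware(self) -> bool:
        # Dr.Web's Tool.* class marks utilities that are not malware in themselves
        # (here Process.exe, a process killer shipped with a removal tool).
        return self.verdict.startswith("Tool.")


def parse_report(text: str) -> List[Hit]:
    """Parse DrWeb.csv text; malformed lines are skipped rather than guessed at."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.rstrip(";").split(";")]
        if len(fields) < 4:
            continue
        name, folder, verdict, action = fields[:4]
        hits.append(Hit(name, folder, verdict, action.rstrip(".")))
    return hits


def summarise(hits: List[Hit]) -> Dict[str, object]:
    """Counts by verdict and action, plus the lists a helper actually acts on."""
    return {
        "total": len(hits),
        "by_verdict": dict(Counter(h.verdict for h in hits)),
        "by_action": dict(Counter(h.action for h in hits)),
        "in_restore_points": sum(1 for h in hits if h.in_restore_point),
        "quarantined": [h.path for h in hits if "Moved" in h.action],
        "riskware": [h.path for h in hits if h.is_riskware],
        # Anything outside a restore point that was neither deleted nor moved
        # is still on disk and needs manual follow-up.
        "still_live": [
            h.path for h in hits
            if not h.in_restore_point and "Deleted" not in h.action and "Moved" not in h.action
        ],
    }


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:
        # DrWeb.csv is written by a Windows tool; cp1252 is an assumption.
        with open(sys.argv[1], encoding="cp1252", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    print(json.dumps(summarise(parse_report(text)), indent=2))
```

Run it with the path to the saved DrWeb.csv as its argument, or with no argument to process the constructed sample. For the log above it reports six detections confined to restore point RP495, one riskware tool moved to quarantine, and nothing still live, which matches the "looks good" reading the helper gave.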

#21 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 29 November 2006 - 05:01 PM

Looks good here. Any problems still? Also, please post a new HijackThis log.



#22 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 November 2006 - 05:39 PM

Thanks guys, everything seems to be okay...or so I thought. But it takes unusually long for the system to start up compared to before...the desktop and taskbar icons load up slowly.

The system also overheats extremely quickly causing it to get very hot in seconds...there's this constant whirring noise which sounds louder than ever, sort of like it's trying to read a disc, or loading a program or something. I never noticed any of this before I picked up that nasty trojan. Any ideas or advice please?

Anyway here's a new HijackThis log...


Logfile of HijackThis v1.99.1
Scan saved at 22:33:23, on 29/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Hom Wah\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Emulators\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O15 - Trusted Zone: *.Vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://visualremix.s...ad/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...anner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{08BEB926-3821-472D-A968-E1B6584E5AD1}: NameServer = 192.168.2.1,4.2.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Daylight, 29 November 2006 - 07:45 PM.
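
HijackThis prints autostart entries (O4) and services (O23) in a fixed line format, and a log this long is easier to triage with a script. The following Python script is an added example, not part of the thread or of HijackThis itself: it parses the O4 and O23 lines, extracts the executable each entry runs, and flags the three things worth checking by hand in the log above: services HijackThis marks `(file missing)`, entries whose executable is given without an absolute path (so Windows resolves it by search order), and services with no vendor information (`Unknown owner`). The sample lines are copied from the log above; the flag names are chosen here and are review hints, not verdicts.

```python
"""Triage O4 (autostart) and O23 (service) lines of a HijackThis log.

Added example, not part of the thread or of HijackThis. The flags are review
hints, not verdicts: every flagged entry still has to be checked on disk.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
"""

# O4 - HKLM\..\Run: [Name] command line
O4_REG_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Startup: Name.lnk = path
O4_DIR_RE = re.compile(r"^O4 - (?P<kind>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O23 - Service: Display name (ShortName) - Vendor - command line
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


class Autorun(NamedTuple):
    section: str          # "O4" or "O23"
    location: str         # registry key, startup folder, or service short name
    name: str
    executable: str
    vendor: Optional[str]
    flags: Tuple[str, ...]


def executable_of(cmd: str) -> str:
    """Pull the executable path out of a command line as HijackThis prints it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):               # quoted path; arguments follow the close quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path may contain spaces (C:\Program Files\...), so cut at the
    # first ".exe" followed by whitespace, a stray quote (as in the broken VAIO
    # service lines above), or end of line.
    m = re.search(r'\.exe(?=\s|"|$)', cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def flags_for(executable: str, vendor: Optional[str], raw: str) -> Tuple[str, ...]:
    flags = []
    if "(file missing)" in raw:           # HijackThis could not find the binary
        flags.append("file-missing")
    if not ABS_PATH_RE.match(executable):  # bare name: resolved by search order
        flags.append("no-absolute-path")
    if vendor == "Unknown owner":         # no vendor string in the service binary
        flags.append("unknown-owner")
    return tuple(flags)


def parse_entry(line: str) -> Optional[Autorun]:
    line = line.strip()
    m = O4_REG_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        location = m.group("hive") + "\\..\\" + m.group("key")
        return Autorun("O4", location, m.group("name"), exe, None, flags_for(exe, None, line))
    m = O4_DIR_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        return Autorun("O4", m.group("kind"), m.group("name"), exe, None, flags_for(exe, None, line))
    m = O23_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        vendor = m.group("vendor")
        location = m.group("short") or m.group("display")
        return Autorun("O23", location, m.group("display"), exe, vendor, flags_for(exe, vendor, line))
    return None                            # not an O4/O23 line


def triage_log(text: str) -> List[Autorun]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def needs_review(entries: List[Autorun]) -> List[Autorun]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in needs_review(triage_log(SAMPLE_LOG)):
        print(f"{e.section} {e.name!r}: {e.executable}  flags={', '.join(e.flags)}")
```

A flag means "confirm this one on disk", nothing more: in the log above the bare `carpserv.exe` and the `Unknown owner` ATI poller are ordinary OEM software, and the `(file missing)` VAIO services are broken registrations, which is exactly the kind of thing a script should surface for a human rather than decide itself.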


#23 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 29 November 2006 - 09:03 PM

Are the fans operating properly? If it's a laptop, the heat is causing the processor to slow down, thus the system would act slow. Is this a laptop?



#24 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 29 November 2006 - 10:24 PM

Yeah, it's a laptop/notebook...but it overheats big time within a few minutes after start-up. Ever since I picked up that trojan, every time I start up the system there are a few "grinding" sounds before the desktop is displayed...then, during the time it loads the taskbar icons, the whirring noise kicks in. I'm sure it wasn't as hot, loud and obvious before. Heck, even the keyboard feels so warm after several minutes :unsure: ...

So I'm getting kinda worried about it.

Big thanks though for helping me out guys...I really appreciate it.

#25 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 29 November 2006 - 10:46 PM

It's probably just a coincidence, as usually software doesn't affect hardware. I would look to a fan failure possibly, or dust contamination.



#26 Daylight

Daylight

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 30 November 2006 - 12:00 AM

Cool thanks for the suggestions, I'll figure it out...

And I wanna take this time to say that SWI Forums is great :thumbsup: ...keep up the good work guys!

#27 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • PipPipPipPipPip
  • 2,125 posts

Posted 30 November 2006 - 08:58 AM

If you are not having malware problems, you are good to go!

Take a good look at the following suggestions to remain malware free:
Tony Klein's article 'How Did I Get Infected In The First Place'
http://forums.spywar...showtopic=60955

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...

Happy Holidays!!

There are times when everything is understood...then one regains consciousness!



