I'm Losing The Trojan War... Please Help


This topic is locked
13 replies to this topic

#1 pugmann
  • Members
  • 34 posts

Posted 09 September 2006 - 04:00 AM

I have been hijacked. I run a scan, but cannot delete the files. My virus protection has been good about denying access for these... but my computer is suffering. I would like for someone to review the HJT log please.

Logfile of HijackThis v1.99.1
Scan saved at 4:53:01 AM, on 9/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\Wireless Panel\WPanel.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [1021a76c.exe] C:\WINDOWS\system32\1021a76c.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [1021a76c.exe] C:\Documents and Settings\User\Local Settings\Application Data\1021a76c.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Wireless Panel.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe



Thank you.

#2 Mr_JAk3 (HJT Team Member)
  • Members
  • 527 posts
  • Location:Finland

Posted 09 September 2006 - 08:47 AM

Hi pugmann and welcome to BleepingComputer :thumbsup:

You got some infections...

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
UNITE & ASAP member since 2006

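As an added example (it is not part of the thread and not the HJT team's own tooling), the Python below applies the kind of first-pass triage a helper does by eye on a HijackThis log like the one above: it flags autorun entries with digit-heavy random file names, autoruns launched from the per-user Local Settings\Application Data folder, unnamed browser helper objects, registrations whose file is missing, and Winlogon Notify packages outside a baseline. The sample lines are copied from the logs posted in this thread; the KNOWN_NOTIFY set is a constructed, partial list of standard Windows XP notification packages, and the digit-count threshold in looks_random is an arbitrary heuristic. Both are assumptions of this example, not facts from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [1021a76c.exe] C:\WINDOWS\system32\1021a76c.exe
O4 - HKCU\..\Run: [1021a76c.exe] C:\Documents and Settings\User\Local Settings\Application Data\1021a76c.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {933BE542-A998-4518-ACA8-E940F7A2AFEC} - C:\WINDOWS\system32\geecy.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g177124531.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption: partial baseline of stock Windows XP Winlogon notification packages (lower-case).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# First drive-letter path ending in a loadable/runnable extension; paths may contain spaces.
_PATH_RE = re.compile(r'[a-zA-Z]:\\.*?\.(?:exe|dll|ocx|vbs)\b', re.IGNORECASE)
_SECTION_RE = re.compile(r'(O\d+|R\d|F\d)\s+-\s+(.*)')


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


def looks_random(filename: str) -> bool:
    """Heuristic: a stem of 6+ characters with 3+ digits (e.g. 1021a76c.exe, g177124531.dll)."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 6 and sum(c.isdigit() for c in stem) >= 3


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious property found in each HijackThis entry."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.group(1), m.group(2)
        pm = _PATH_RE.search(body)
        target = pm.group(0) if pm else ""
        name = target.split("\\")[-1].lower()

        if "(file missing)" in body:
            findings.append(Finding(section, "registration points to a missing file", line))
        if looks_random(name):
            findings.append(Finding(section, f"digit-heavy file name '{name}'", line))
        if section == "O4" and "\\local settings\\application data\\" in target.lower():
            findings.append(Finding(section, "autorun from per-user Local Settings\\Application Data", line))
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "unnamed browser helper object", line))
        if section == "O20":
            nm = re.match(r"Winlogon Notify:\s*(\S+)", body)
            if nm and nm.group(1).lower() not in KNOWN_NOTIFY:
                findings.append(Finding(section, f"Winlogon Notify package '{nm.group(1)}' not in baseline", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Hits are leads for a human reviewer, not verdicts: a legitimate vendor file can fail the name heuristic, and the Vundo-style components with pronounceable names in this thread (geecy.dll, admparsek.dll) only surface through the unnamed-BHO and file-missing checks, which is why the helper still reads the whole log.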
#3 pugmann (Topic Starter)
  • Members
  • 34 posts

Posted 09 September 2006 - 02:39 PM

Thanks for your help.

Here is the content.

SmitFraudFix v2.85

Scan done at 15:37:07.07, Sat 09/09/2006
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\User\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\User\FAVORI~1

C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"

[HKEY_CLASSES_ROOT\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\compstuih.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\compstuih.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_CLASSES_ROOT\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Scanning wininet.dll infection


End

Thanks again.

#4 Mr_JAk3 (HJT Team Member)
  • Members
  • 527 posts
  • Location:Finland

Posted 10 September 2006 - 03:24 AM

Hi again, we'll begin the cleaning process.

You should print these instructions or save these to a text file. Follow these instructions carefully.

At first, rename HijackThis.exe to Scanner.exe.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Download win32delfkil.exe.
Save it on your desktop.
Close all windows.
Double click on win32delfkil.exe to start the removal tool.
The computer will reboot automatically.
After reboot a logfile will open: c:\windelf.txt, close this window.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked.
If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [1021a76c.exe] C:\WINDOWS\system32\1021a76c.exe
O4 - HKCU\..\Run: [1021a76c.exe] C:\Documents and Settings\User\Local Settings\Application Data\1021a76c.exe
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Go to My Computer and delete the following files (if present):
C:\WINDOWS\system32\1021a76c.exe
C:\Documents and Settings\User\Local Settings\Application Data\1021a76c.exe

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

When you're ready, post the following logs to here:
- a fresh HijackThis (scanner.exe) log
- contents of C:\Rapport.txt
- contents of C:\windelf.txt

Then we'll continue :thumbsup:
UNITE & ASAP member since 2006

#5 pugmann (Topic Starter)
  • Members
  • 34 posts

Posted 11 September 2006 - 08:59 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:57:37 AM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\Wireless Panel\WPanel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
D:\HJT\Scanner.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {933BE542-A998-4518-ACA8-E940F7A2AFEC} - C:\WINDOWS\system32\geecy.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\compstuih.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Wireless Panel.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: geecy - C:\WINDOWS\system32\geecy.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g177124531.dll
O20 - Winlogon Notify: wintxs32 - C:\WINDOWS\SYSTEM32\wintxs32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
SmitFraudFix v2.85

Scan done at 12:53:09.08, Sun 09/10/2006
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"

[HKEY_CLASSES_ROOT\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\compstuih.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\compstuih.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_CLASSES_ROOT\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"

[HKEY_CLASSES_ROOT\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\compstuih.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\compstuih.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_CLASSES_ROOT\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"



End



There is no file - contents of C:\windelf.txt

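The SrchSTS section of the report above is printed once before and once after cleaning, and reading the two by eye is how a helper notices that the SharedTaskScheduler CLSIDs loading g177124531.dll and admparsek.dll survived the run while the "incestuously" entry did not. As an added example (not from the thread and not S!Ri's tool), the Python below parses both blocks, checks each CLSID against a baseline of the two stock entries that the win32delfkil export later in this thread shows on a cleaned system, and reports which unexpected entries the cleaning removed and which persisted. The sample report is an abridged copy of the one posted above; the BASELINE set is an assumption of this example taken from that export.

```python
import re

# Assumption: the two stock SharedTaskScheduler entries present on a clean Windows XP
# system, as listed in the win32delfkil export posted later in this thread.
BASELINE = {
    "438755C2-A8BA-11D1-B96B-00A0C90312E1",  # Browseui preloader
    "8C7461EF-2B13-11D2-BE35-3078302C2030",  # Component Categories cache daemon
}

# Constructed sample: abridged from the SmitFraudFix report above (Before/After blocks only).
SAMPLE_REPORT = r"""Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_CLASSES_ROOT\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g177124531.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_CLASSES_ROOT\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InProcServer32]
@="C:\WINDOWS\system32\admparsek.dll"
"""

_GUID = r"([0-9A-Fa-f-]{36})"
_ENTRY_RE = re.compile(r'^"\{' + _GUID + r'\}"="(.*)"$')        # "{CLSID}"="name"
_NAMED_RE = re.compile(r'^"([^"]+)"="\{' + _GUID + r'\}"$')      # "name"="{CLSID}"
_INPROC_RE = re.compile(r"^\[.*\\CLSID\\\{" + _GUID + r"\}\\InProcServer32\]$", re.IGNORECASE)
_DEFAULT_RE = re.compile(r'^@="(.*)"$')                          # @="dll path"


def split_phases(report: str) -> dict[str, list[str]]:
    """Split the report into the lines under 'Before SmitFraudFix' and 'After SmitFraudFix'."""
    phases: dict[str, list[str]] = {}
    current = None
    for line in report.splitlines():
        if line.startswith("Before SmitFraudFix"):
            current = "before"
        elif line.startswith("After SmitFraudFix"):
            current = "after"
        if current:
            phases.setdefault(current, []).append(line)
    return phases


def parse_shared_tasks(lines: list[str]) -> dict[str, dict]:
    """Map each SharedTaskScheduler CLSID (upper-cased) to its display name and InProcServer32 DLL."""
    entries: dict[str, dict] = {}
    pending = None  # CLSID whose InProcServer32 default value comes on the next line
    for line in lines:
        line = line.strip()
        if m := _ENTRY_RE.match(line):
            entries.setdefault(m.group(1).upper(), {"name": m.group(2), "dll": None})
        elif m := _NAMED_RE.match(line):
            entries.setdefault(m.group(2).upper(), {"name": m.group(1), "dll": None})
        elif m := _INPROC_RE.match(line):
            pending = m.group(1).upper()
        elif (m := _DEFAULT_RE.match(line)) and pending:
            entries.setdefault(pending, {"name": "?", "dll": None})["dll"] = m.group(1)
            pending = None
    return entries


def analyze(report: str, baseline: set[str] = BASELINE) -> dict:
    """Report non-baseline entries seen before cleaning and whether each survived it."""
    phases = split_phases(report)
    before = parse_shared_tasks(phases.get("before", []))
    after = parse_shared_tasks(phases.get("after", []))
    unexpected = {c: v for c, v in before.items() if c not in baseline}
    return {
        "unexpected_before": unexpected,
        "removed": sorted(c for c in unexpected if c not in after),
        "survived": sorted(c for c in unexpected if c in after),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT)
    for clsid, info in result["unexpected_before"].items():
        state = "SURVIVED" if clsid in result["survived"] else "removed"
        print(f"{state:<9} {{{clsid}}} {info['name']!r} -> {info['dll']}")
```

Entries that persist across the Before/After blocks are exactly the ones the next post targets with VundoFix and win32delfkil; an entry listed under SharedTaskScheduler with no InProcServer32 path (here the "incestuously" one) is a dangling registration, which matches the "(file missing)" O21 line in the first HijackThis log.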
#6 Mr_JAk3 (HJT Team Member)
  • Members
  • 527 posts
  • Location:Finland

Posted 11 September 2006 - 09:57 AM

Hi again, we'll continue :thumbsup:

Did you run win32delfkil.exe at all?

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Then:

Download win32delfkil.exe.
Save it on your desktop.
Close all windows.
Double click on win32delfkil.exe to start the removal tool.
The computer will reboot automatically.
After reboot a logfile will open: c:\windelf.txt
Post the contents of the logfile, along with a new HijackThis log and the contents of C:\vundofix.txt

Then we'll continue :flowers:
UNITE & ASAP member since 2006

#7 pugmann (Topic Starter)
  • Members
  • 34 posts

Posted 11 September 2006 - 03:42 PM

wow... that took hours.

WIN32DELFKIL LOGFILE - by Marckie


version 3.01
Mon 09/11/2006 11:47:12.70
running from: "C:\Documents and Settings\User\Desktop"


--- File(s) found in Windows directory ---
g177124531.dll
compstuih.dll

--- File(s) found in system32 folder ---
compstuih.dll

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"



--- sharedtaskkey (1): 259BA022-2005-45E9-A965-10EDB9C00618 ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}]
@="C:\\WINDOWS\\g177124531.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InprocServer32]
@="C:\\WINDOWS\\g177124531.dll"
"ThreadingModel"="Apartment"

checking for file:
g177124531.dll found
g177124531.dll deleted!


--- sharedtaskkey (2): A4F94C0C-54A7-4DB1-9AF3-B22E63D00322 ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InprocServer32]
@="C:\\WINDOWS\\compstuih.dll"
"ThreadingModel"="Apartment"

checking for file:
compstuih.dll found
compstuih.dll deleted!


--- sharedtaskkey (3): 0B5F7FDF-0717-45BF-B49D-695F3168C7FE ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InprocServer32]
@="C:\\WINDOWS\\system32\\admparsek.dll"
"ThreadingModel"="Apartment"

checking for file:
admparsek.dll NOT found

--- Notify key ---
subkey h618 is present!


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!



And for the HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 4:41:01 PM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\Wireless Panel\WPanel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D7A6AD61-A96E-4590-965B-A134F51B104F} - C:\WINDOWS\system32\geecy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Wireless Panel.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe



Thanks again for all of your help.

I owe you a virtual beer.
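The fix-tool log above shows the mechanism behind this persistence: every CLSID listed under Explorer's SharedTaskScheduler key is loaded into Explorer at start-up through its InprocServer32 DLL, so the audit is to resolve each CLSID to its DLL and compare against the stock entries. The Python below is an added example for this thread, not code from the thread or from the tool that produced the log; it repeats that check offline on a constructed copy of the export. The two-entry baseline is an assumption drawn from the post-reboot export, and the set of files "on disk" is constructed rather than read from a file system.

```python
"""Audit a REGEDIT4 export of Explorer's SharedTaskScheduler key.

Added example for this thread; it is not code from the thread or from the
fix tool whose log appears above. It repeats that tool's check offline:
each CLSID listed under SharedTaskScheduler is resolved to its
InprocServer32 DLL, and any entry outside the stock Windows XP baseline is
reported together with whether its DLL is present.
"""
import re

STS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\SharedTaskScheduler")

# Assumption: these two are the stock Windows XP entries (they are the only
# ones left in the post-reboot export above).
BASELINE = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a
    REGEDIT4 export; '@' names the default value. Other value types and
    lines that are not part of the export (headers, blanks) are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                keys[current]["@" if name == "@" else _unquote(name)] = _unquote(data)
    return keys


def audit_shared_task_scheduler(keys, files_on_disk):
    """List non-baseline SharedTaskScheduler entries with their DLLs.

    files_on_disk is a set of lower-cased paths standing in for the file
    system (a live audit would call os.path.exists instead). Registry names
    are compared case-insensitively, as the registry itself does.
    """
    upper = {k.upper(): v for k, v in keys.items()}
    baseline = {g.upper() for g in BASELINE}
    findings = []
    for guid, label in upper.get(STS_KEY.upper(), {}).items():
        if guid.upper() in baseline:
            continue
        server = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InprocServer32" % guid).upper()
        dll = upper.get(server, {}).get("@")
        findings.append({
            "guid": guid,
            "label": label,
            "dll": dll,
            "present": dll is not None and dll.lower() in files_on_disk,
        })
    return sorted(findings, key=lambda f: f["guid"].upper())


# Constructed input: the exports from the log above, concatenated.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InprocServer32]
@="C:\\WINDOWS\\g177124531.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InprocServer32]
@="C:\\WINDOWS\\compstuih.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InprocServer32]
@="C:\\WINDOWS\\system32\\admparsek.dll"
"ThreadingModel"="Apartment"
"""

# Constructed: the files the tool reported as present before deleting them.
SAMPLE_FILES = {r"c:\windows\g177124531.dll", r"c:\windows\compstuih.dll"}

if __name__ == "__main__":
    for f in audit_shared_task_scheduler(parse_reg_export(SAMPLE_EXPORT), SAMPLE_FILES):
        state = "present" if f["present"] else "MISSING"
        print("%s  %-16s  %s  (%s)" % (f["guid"], f["label"], f["dll"], state))
```

Run as a script it lists the three non-stock entries, which is the same set the tool walked through; the one whose DLL is absent (admparsek.dll) is the dangling registration the tool had nothing to delete for, and is exactly the kind of entry that is only cleaned by removing the key.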

#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:07:19 AM

Posted 11 September 2006 - 11:18 PM

Hi again, it is looking better now :thumbsup:

We still have something to do...

You seem to have this Sony Vaio support agent enabled. The program can be regarded as spyware. If you do not use it, I suggest that you disable it.
I have marked it in my instructions in blue, so if you want to use it, skip the blue step.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download and install ewido anti-spyware 4.0
  • Open ewido anti-spyware
  • Click on the Update icon at the top of the window
    • Click on the Start update button
    • Wait for the update to download and install
  • Click Guard
  • Click under "resident shield is"
  • Change it from active to inactive
  • Quit the program; we'll use this later.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked.
If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D7A6AD61-A96E-4590-965B-A134F51B104F} - C:\WINDOWS\system32\geecy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE: The following will clear all of your cookies, forms and history from Firefox. Feel free to skip this step.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
NOTE: The following will clear all of your cookies, forms and history from Opera. Feel free to skip this step.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now scan your computer with Ewido.
  • Open Ewido
  • Click on the Scanner icon at the top of the window
  • Click on the Settings tab then select Recommended Options and choose Quarantine
  • Click on the Scan tab
  • Select Complete System Scan. Ewido will now begin to scan your system
  • When the scan has completed, if infections were found, press Apply all actions.
  • Then click on the Save Scan Report button and save the scan to your Desktop where it can be easily found
  • Copy and paste the scan results into your next post.
When you're ready, post the following logs here:
- Ewido's report
- a fresh HijackThis log
- contents of C:\vundofix.txt

Edited by Mr_JAk3, 12 September 2006 - 08:04 AM.

UNITE & ASAP member since 2006
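The four HijackThis entries Mr_JAk3 asks to fix share two traits that can be checked mechanically: the three O2 BHOs register a DLL that is no longer on disk ("(file missing)" or "(no file)"), and the O4 Run entry starts a script (server.vbs) rather than a program. The Python below is an added example, neither HijackThis code nor anything posted in the thread; it runs those two rules over a constructed copy of a few lines from the log above, benign entries included, and returns exactly those four. The list of script extensions is the example's own assumption.

```python
"""Triage HijackThis (HJT) log lines for entries worth fixing.

Added example for this thread; it is not HijackThis code and not part of
any post. It encodes the two rules behind the four entries listed above:
an O2 BHO or O3 toolbar whose file is gone is an orphaned registration,
and an O4 Run entry that starts a script rather than a program deserves a
look before the next logon.
"""
import ntpath
import re

# Assumption: Windows Script Host and batch extensions. A Run entry that
# points at one of these is executed by an interpreter, not as a program.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".hta"}

_O2O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_O4 = re.compile(r"^O4 - (.*?): \[([^\]]*)\] (.*)$")
# Either a quoted program path, or an unquoted path up to the first
# extension that is followed by whitespace or the end of the line (so
# "support.com\client" is not mistaken for a .com program).
_TARGET = re.compile(r'^"([^"]+)"|^(.*?\.[A-Za-z]{2,3})(?:\s|$)')


def launched_target(command):
    """Best-effort extraction of the program an O4 command line starts."""
    m = _TARGET.match(command.strip())
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def triage_hjt(log_text):
    """Return (section, identifier, reason) for each entry to fix."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _O2O3.match(line)
        if m:
            section, _name, clsid, target = m.groups()
            if target.endswith("(file missing)") or target == "(no file)":
                findings.append((section, clsid, "orphaned: target file absent"))
            continue
        m = _O4.match(line)
        if m:
            _hive, name, command = m.groups()
            target = launched_target(command)
            if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
                findings.append(("O4", name, "logon entry runs a script: " + target))
    return findings


# Constructed sample: lines copied from the HJT log above, benign ones included.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D7A6AD61-A96E-4590-965B-A134F51B104F} - C:\WINDOWS\system32\geecy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for section, ident, reason in triage_hjt(SAMPLE_LOG):
        print("%s  %-40s  %s" % (section, ident, reason))
```

The orphan rule is the safe half: a BHO whose DLL is gone does nothing but is a leftover marker of the infection, and removing the registration has no side effect. The script rule only surfaces entries for review, which is why the helper's note about the Sony support agent matters: server.vbs here belongs to a vendor tool, so the decision to remove it rests on whether the user wants that tool, not on the rule alone.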

#9 pugmann

pugmann
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 12 September 2006 - 07:41 AM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:32:11 AM 9/12/2006

+ Scan result:



C:\_backupD\compstuih.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\_backupD\g177124531.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\Cache\50C07025d02/crack.exe -> Downloader.VB.alt : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\Y1GCMS0B\l11[1].exe -> Downloader.Zlob.aek : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\65VOTONM\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@hollywoodentertainment.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@sonycorporate.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.126:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.127:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
:mozilla.294:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.295:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.296:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.297:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.330:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.341:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.342:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.363:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.364:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.336:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.228:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@e-2dj6wfkoqicpado.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@e-2dj6whlogpdjaco.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.300:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.303:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.305:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@ehg-gamespot.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@ehg-sonycomputer.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@ehg-sportingbet.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.208:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
:mozilla.274:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.214:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.316:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.241:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.243:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.244:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Cookies\user@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.308:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.309:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.310:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.311:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.173:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.175:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.179:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.180:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\qqm1rmh5.default\Cache\50C07025d02/install.exe -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4HMZ4PQZ\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\65VOTONM\srvqze[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\M0YBKXEJ\srvdji[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\QO8XBK26\srvcpy[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\Y1GCMS0B\srvnny[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end



And for the HJT...



Logfile of HijackThis v1.99.1
Scan saved at 8:39:32 AM, on 9/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\Wireless Panel\WPanel.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Wireless Panel.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe




Thank you, Thank You, THANK YOU!
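As an added example (not code from this thread, from HijackThis, or from the BleepingComputer team), the following Python script parses the HijackThis log format shown above and flags the entries a helper usually double-checks: bare filenames in O4 Run keys, unresolved Global Startup shortcuts, O23 services with an unknown owner, and "(file missing)" lines. The sample log and the flagging rules are constructed assumptions; a flag is a prompt to inspect the file on disk, not a verdict.

```python
import re

# Constructed sample in HijackThis v1.99.1 layout (an assumption, not the
# thread's own log): harmless entries plus the kinds of lines a reviewer
# usually double-checks.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:39:32 AM, on 9/12/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: PowerPanel.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Photo Server (HTTP) (PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\SV_Httpd.exe" /Service=PhotoServer-HTTP (file missing)
"""

# Every HJT finding line starts with a section code (R0, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for the finding lines of an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def run_target(body):
    """Program from an O4 Run body: 'HKLM\\..\\Run: [name] "C:\\d\\a.exe" /x' -> 'C:\\d\\a.exe'."""
    parts = body.split("] ", 1)
    if len(parts) != 2:
        return ""
    cmd = parts[1].strip()
    if cmd.startswith('"'):               # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]              # unquoted: first token is the program


def triage(entries):
    """Flag entries worth a second look. These are review heuristics chosen
    for this example, not a malware verdict."""
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            findings.append((section, "file missing", body))
        if section == "O4":
            if body.endswith("= ?"):
                findings.append((section, "unresolved shortcut target", body))
            elif "\\..\\Run" in body:
                target = run_target(body)
                # A bare filename is located through the PATH search order,
                # so the file actually loaded must be checked on disk.
                if target and "\\" not in target:
                    findings.append((section, "bare filename in Run key", body))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with unknown owner", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_entries(SAMPLE_LOG)):
        print(f"{section:4} {reason:28} {body[:60]}")
```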

#10 Mr_JAk3

    HJT Team Member



Posted 12 September 2006 - 08:08 AM

Hi again, it's looking clean now :thumbsup:
Although I noticed that you haven't posted the contents of C:\vundofix.txt, please post those here too.

How is the computer running?

Now you can remove win32delfkil and smitfraudfix, we don't need those anymore.

You can also remove this folder:
C:\_backupD

Now you can clean Ewido's Quarantine:
  • Open Ewido
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
If you're not using the latest Java, you should update your Java to the latest version (5.0 Update 8)
  • Start
  • Control Panel
  • Add/Remove Programs
  • Delete the old Java, J2SE Runtime Environment or similar entries
  • Then we'll get the latest version of Java -> LINK
  • Scroll down to Java Runtime Environment (JRE) 5.0 Update 8
  • Download & install it
So please post the contents of C:\vundofix.txt here, I just want to be sure that you're clean :flowers:
UNITE & ASAP member since 2006

#11 pugmann

  • Topic Starter


Posted 12 September 2006 - 01:07 PM

I thought I had posted this already. Oh well. Here it is.


VundoFix V6.1.4

Checking Java version...

Sun Java not detected
Scan started at 11:51:58 AM 9/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\geecy.dll
C:\WINDOWS\system32\yceeg.ini
C:\WINDOWS\system32\yceeg.bak1
C:\WINDOWS\system32\yceeg.bak2
C:\WINDOWS\system32\opnlkhi.dll
C:\WINDOWS\system32\wintxs32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geecy.dll
C:\WINDOWS\system32\geecy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yceeg.ini
C:\WINDOWS\system32\yceeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yceeg.bak1
C:\WINDOWS\system32\yceeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yceeg.bak2
C:\WINDOWS\system32\yceeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnlkhi.dll
C:\WINDOWS\system32\opnlkhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wintxs32.dll
C:\WINDOWS\system32\wintxs32.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.4

Checking Java version...

Sun Java not detected
Scan started at 12:06:31 PM 9/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\geecy.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geecy.dll
C:\WINDOWS\system32\geecy.dll Has been deleted!

Performing Repairs to the registry.
Done!


Let me know what you think.

Thanks again. The system seems to be running well.

#12 Mr_JAk3

    HJT Team Member



Posted 12 September 2006 - 01:14 PM

Hi again, looks good, you're clean now :thumbsup:

You can remove VundoFix too...

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use Ewido
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is a faster, safer and better browser than Internet Explorer.
  • Keep your system up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?

UNITE & ASAP member since 2006

#13 pugmann

  • Topic Starter


Posted 13 September 2006 - 12:10 PM

Thank you sooo much. You saved me.

You are wonderful.

#14 Mr_JAk3

    HJT Team Member



Posted 13 September 2006 - 12:20 PM

You're very welcome, it is always nice to help :thumbsup:
UNITE & ASAP member since 2006