
Need Help With Cleaning This Pc


This topic is locked. 2 replies to this topic.

#1 hpcomm

  • Members
  • 1 posts

Posted 24 October 2006 - 01:25 PM

Ok, I tried this on my own without success. I have a laptop that is running XP and Panda 2007. When the computer starts, Panda finds and says it is deleting a number of files (dload.exe, x.exe, startpage.aao, kernel64 among others). But they keep coming back. Also, an icon keeps popping up that is associated with antispyware soldier.

I have rebooted in safe mode and run the Panda scan and all of the files listed above are deleted. I have also downloaded and run SmitfraudFix, combofix and killbox and they all report that the files have been deleted. But they keep coming back when I reboot in regular mode.

(Moderator edit: log post moved to HJT log Forum for team analysis and member assistance. Enthusiast)


HERE IS MY HIJACK THIS LOG IN REGULAR MODE:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:41 PM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Work\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1b68470c-2def-493b-8a4a-8e2d81be4ea5} - (no file)
O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e246fae-8420-11d9-870d-000c2917de7f} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file)
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: (no name) - {a6f42cad-2559-48df-af30-89e480af5dfa} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\RunOnce: [Panda_cleaner_326995] C:\Program Files\Panda Software\Panda Internet Security 2007\pavdr.exe 326995
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161664433341
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe


HERE IS THE COMBO FIX LOG:

Administrator - 06-10-24 11:21:00.25 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Work"

((((((((((((((((((((((((((((((( Files Created from 2006-09-24 to 2006-10-24 ))))))))))))))))))))))))))))))))))


2006-10-24 09:32 10,240 --a------ C:\WINDOWS\systeem.exe
2006-10-21 23:04 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-21 23:04 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-21 23:04 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-21 22:03 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2006-10-21 22:03 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
2006-10-21 22:03 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2006-10-21 22:03 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2006-10-21 22:03 44,544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2006-10-21 22:03 36,864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2006-10-21 22:03 245,760 --a------ C:\WINDOWS\system32\PavSHook.dll
2006-10-21 22:03 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-10-21 22:03 23,296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2006-10-21 22:03 185,472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2006-10-21 22:03 16,640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2006-10-21 22:03 16,000 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2006-10-21 22:03 140,416 --a------ C:\WINDOWS\system32\drivers\netflt.sys
2006-10-21 22:03 139,264 --a------ C:\WINDOWS\system32\TpUtil.dll
2006-10-21 22:03 103,936 --a------ C:\WINDOWS\system32\drivers\netfltdi.sys
2006-10-21 22:03 101,888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2006-10-21 21:59 71,552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2006-10-21 17:28 9,216 --a------ C:\WINDOWS\accesss.exe
2006-10-21 17:28 8,704 --a------ C:\WINDOWS\time.exe
2006-10-21 17:28 8,448 --a------ C:\WINDOWS\avpcc.dll
2006-10-21 17:28 32,768 --a------ C:\WINDOWS\system32\mpsegment.exe
2006-10-21 17:28 29,952 --a------ C:\WINDOWS\users32.exe
2006-10-21 17:28 29,952 --a------ C:\WINDOWS\system32\msmsn.exe
2006-10-21 17:28 29,696 --a------ C:\WINDOWS\system32\ace16win.dll
2006-10-21 17:28 27,136 --a------ C:\WINDOWS\cpan.dll
2006-10-21 17:28 21,504 --a------ C:\WINDOWS\winajbm.dll
2006-10-21 17:28 21,248 --a------ C:\WINDOWS\win64.exe
2006-10-21 17:28 20,992 --a------ C:\WINDOWS\system32\anti_troj.exe
2006-10-21 17:28 20,736 --a------ C:\WINDOWS\system32\perfont.exe
2006-10-21 17:28 20,736 --a------ C:\WINDOWS\spp3.dll
2006-10-21 17:28 20,224 --a------ C:\WINDOWS\y.exe
2006-10-21 17:28 20,224 --a------ C:\WINDOWS\clrssn.exe
2006-10-21 17:28 19,968 --a------ C:\WINDOWS\system32\iewd.exe
2006-10-21 17:28 19,456 --a------ C:\WINDOWS\system32\proqlaim.exe
2006-10-21 17:28 18,688 --a------ C:\WINDOWS\xplugin.dll
2006-10-21 17:28 17,408 --a------ C:\WINDOWS\systemcritical.exe
2006-10-21 17:28 16,896 --a------ C:\WINDOWS\window.exe
2006-10-21 17:28 16,384 --a------ C:\WINDOWS\mtwirl32.dll
2006-10-21 17:28 16,128 --a------ C:\WINDOWS\system32\win32hp.dll
2006-10-21 17:28 16,128 --a------ C:\WINDOWS\system32\POPCORN72.EXE
2006-10-21 17:28 15,872 --a------ C:\WINDOWS\winmgnt.exe
2006-10-21 17:28 15,616 --a------ C:\WINDOWS\inetdctr.dll
2006-10-21 17:28 14,592 --a------ C:\WINDOWS\olehelp.exe
2006-10-21 17:28 13,568 --a------ C:\WINDOWS\system32\netstat2.exe
2006-10-21 17:28 11,520 --a------ C:\WINDOWS\notepad32.exe
2006-10-21 17:28 11,008 --a------ C:\WINDOWS\win32e.exe
2006-10-21 17:27 8,192 --a------ C:\WINDOWS\system32\sklmnf.exe
2006-10-21 17:27 45,056 --a------ C:\WINDOWS\system32\msmapi32.exe
2006-10-21 17:27 18,432 --a------ C:\WINDOWS\system32\asgp32.dll
2006-10-21 17:27 13,824 --a------ C:\WINDOWS\system32\intr32.dll
2006-10-21 17:27 10,752 --a------ C:\WINDOWS\system32\instreg_tmp.exe
2006-10-17 12:41 6,276 --a------ C:\WINDOWS\system32\kgguwyym.exe
2006-10-09 23:09 6,276 --a------ C:\WINDOWS\system32\odtqfvux.exe
2006-10-02 23:03 5,332 --a------ C:\WINDOWS\system32\osjustzg.exe
2006-09-30 15:14 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-30 13:31 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2006-09-30 13:31 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2006-09-25 21:33 5,332 --a------ C:\WINDOWS\system32\holifoba.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-23 23:37 -------- d-------- C:\Program Files\Internet Explorer
2006-10-22 22:53 -------- d-------- C:\Program Files\Full Tilt Poker
2006-10-21 22:10 -------- d-------- C:\Program Files\Yahoo!
2006-10-21 22:09 -------- d-------- C:\Program Files\Hijackthis
2006-10-21 21:44 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-21 17:53 -------- d-------- C:\Program Files\QuickTime
2006-10-21 17:53 -------- d-------- C:\Program Files\Messenger
2006-10-16 16:12 -------- d-------- C:\Program Files\Palm
2006-10-14 23:02 -------- d-------- C:\Program Files\Windows Media Player
2006-10-14 23:02 -------- d-------- C:\Program Files\Outlook Express
2006-10-14 23:02 -------- d-------- C:\Program Files\Common Files\System
2006-10-01 00:14 -------- d-------- C:\Program Files\BearShare
2006-10-01 00:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 00:02 -------- d-------- C:\Program Files\Panda Software
2006-09-30 18:20 -------- d-------- C:\Program Files\Symantec Technical Support
2006-09-30 15:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-09-30 14:57 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-09-30 12:09 -------- d-------- C:\Program Files\Common Files\Panda Software
2006-09-30 12:09 -------- d-------- C:\Program Files\Common Files
2006-09-30 10:41 -------- d-------- C:\Program Files\UTStarcom
2006-09-18 10:54 5332 --a------ C:\WINDOWS\system32\nkcekwtu.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-11 10:19 5332 --a------ C:\WINDOWS\system32\mmrijjoq.exe
2006-09-05 11:48 -------- d-------- C:\Program Files\Poker Tournament Manager
2006-09-05 11:32 -------- d-------- C:\Program Files\Jawbreaker
2006-09-05 11:31 -------- d-------- C:\Program Files\Winamp
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 17:17 7452 --a------ C:\WINDOWS\system32\sjcxiwmm.exe
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 21:39 7479 --a------ C:\WINDOWS\system32\sdarubpi.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Internet Security 2007\\APVXDWIN.EXE\" /s"
"SCANINICIO"="\"C:\\Program Files\\Panda Software\\Panda Internet Security 2007\\Inicio.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\DataViz Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\DataViz Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\DVZCOM~1\\DvzMsgr.exe "
"item"="DataViz Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Apoint\\Apoint.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ezSP_Px"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICO"
"hkey"="HKLM"
"command"="ICO.EXE"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-24 11:21:30.52
C:\ComboFix.txt ... 06-10-24 11:21


HERE IS THE SMITFRAUDFIX LOG:

SmitFraudFix v2.113

Scan done at 12:49:55.02, Tue 10/24/2006
Run from C:\Work\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\kernels64.exe FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\msvol.tlb FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\winmuse.exe FOUND !

C:\WINDOWS\system32\LogFiles
C:\Documents and Settings\WHISKEY
C:\Documents and Settings\WHISKEY\Application Data
Start Menu
C:\DOCUME~1\WHISKEY\INCOMP~1\FAVORI~1
Desktop
C:\Program Files
Corrupted keys
Desktop Components
Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
pe386-msguard-lzx32
Scanning wininet.dll infection
End

HERE IS THE SMITFRAUDFIX LOG WHEN THE FIX IS RUN IN SAFE MODE
(BUT EVERYTHING COMES BACK WHEN REBOOTED IN REGULAR MODE):

SmitFraudFix v2.113

Scan done at 12:50:37.71, Tue 10/24/2006
Run from C:\Work\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Killing process
Generic Renos Fix
GenericRenosFix by S!Ri
Deleting infected files
C:\WINDOWS\system32\kernels64.exe Deleted
C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\msvol.tlb Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\winmuse.exe Deleted
Deleting Temp Files
Registry Cleaning
Registry Cleaning done.
After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
End

HIJACK THIS LOG RUN IN SAFE MODE AFTER TRYING ALL OF THE FIXES:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:47 PM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\IFACE.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PAVJOBS.EXE
C:\Work\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {1c4da27d-4d52-4465-a089-98e01bb725ca} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\RunOnce: [Panda_cleaner_326995] C:\Program Files\Panda Software\Panda Internet Security 2007\pavdr.exe 326995
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161664433341
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe


I have done everything I can think of, so ANY HELP WOULD BE APPRECIATED.

Edited by Enthusiast, 24 October 2006 - 01:56 PM.
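A triage pass over the two log formats posted above, added here as an example for this thread; it is not a tool from BleepingComputer, HijackThis, ComboFix or Panda. It parses HijackThis O2/O20/O23 lines and ComboFix "Files Created" lines (the sample lines embedded below are copied from the logs in this post), flags orphaned BHO entries, Winlogon Notify DLLs and services with an unknown owner or a missing image, and groups newly created executables by creation minute so that a burst like the one at 2006-10-21 17:28 stands out from the rest of the list. The rule wording, the burst threshold and the "directly in the Windows directory" heuristic are this example's own assumptions; a flagged entry is something for the helper to verify, not a verdict on the file.

```python
# Added example for this thread: a small triage parser for HijackThis and
# ComboFix log lines. Not part of either tool; rules and thresholds are
# this example's own assumptions.
import re
from collections import defaultdict

# Lines copied from the HijackThis log in the first post (regular mode).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
"""

# Lines copied from the "Files Created" section of the ComboFix log above.
COMBOFIX_SAMPLE = r"""
2006-10-24 09:32 10,240 --a------ C:\WINDOWS\systeem.exe
2006-10-21 22:03 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2006-10-21 22:03 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
2006-10-21 22:03 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2006-10-21 17:28 9,216 --a------ C:\WINDOWS\accesss.exe
2006-10-21 17:28 8,704 --a------ C:\WINDOWS\time.exe
2006-10-21 17:28 8,448 --a------ C:\WINDOWS\avpcc.dll
2006-10-21 17:28 32,768 --a------ C:\WINDOWS\system32\mpsegment.exe
2006-10-21 17:28 29,952 --a------ C:\WINDOWS\users32.exe
2006-10-21 17:28 21,248 --a------ C:\WINDOWS\win64.exe
2006-10-17 12:41 6,276 --a------ C:\WINDOWS\system32\kgguwyym.exe
2006-10-09 23:09 6,276 --a------ C:\WINDOWS\system32\odtqfvux.exe
"""


def triage_hjt(text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in text.strip().splitlines():
        section, _, rest = line.partition(" - ")
        if section == "O2":
            # O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
            parts = rest.split(" - ", 2)
            if len(parts) == 3 and parts[2].strip() == "(no file)":
                findings.append((section, "orphaned BHO: CLSID registered but no DLL on disk", parts[1]))
        elif section == "O20":
            # O20 - Winlogon Notify: <key> - <dll>; such DLLs load into winlogon.exe
            # at logon, so each one's publisher should be checked.
            _key, _, dll = rest.partition(" - ")
            findings.append((section, "Winlogon Notify DLL; verify publisher", dll))
        elif section == "O23":
            # O23 - Service: <display (name)> - <owner> - <image path>
            parts = rest.split(" - ", 2)
            if len(parts) == 3 and (parts[1] == "Unknown owner" or "(file missing)" in parts[2]):
                findings.append((section, "service without known owner or with missing image", parts[0]))
    return findings


CF_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_combofix_created(text):
    """Yield (minute, size_bytes, path) for each 'Files Created' line."""
    for line in text.strip().splitlines():
        m = CF_LINE.match(line)
        if m:
            minute, size, _attrs, path = m.groups()
            yield minute, int(size.replace(",", "")), path


def find_drop_bursts(text, min_files=3):
    """Group newly created executables by creation minute; return clusters of
    at least min_files, largest first. A legitimate install clusters too (the
    Panda files at 22:03), so this is a review list, not a verdict."""
    clusters = defaultdict(list)
    for minute, size, path in parse_combofix_created(text):
        if path.lower().endswith(EXEC_EXT):
            clusters[minute].append((path, size))
    bursts = [(m, files) for m, files in clusters.items() if len(files) >= min_files]
    return sorted(bursts, key=lambda b: len(b[1]), reverse=True)


def in_windows_root(path):
    """True when the file sits directly in the Windows directory rather than a
    subdirectory; installers rarely write executables there (heuristic)."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent == r"c:\windows"


if __name__ == "__main__":
    for section, reason, detail in triage_hjt(HJT_SAMPLE):
        print(f"{section}: {reason}: {detail}")
    for minute, files in find_drop_bursts(COMBOFIX_SAMPLE):
        root = sum(in_windows_root(p) for p, _ in files)
        print(f"{minute}: {len(files)} executables created, {root} directly in the Windows directory")
```

Run against the sample, the 17:28 cluster comes out first with five of its six files written straight into the Windows directory, while the 22:03 cluster (Panda's own drivers and DLLs under system32) also appears; that second hit is the reason the output is framed as a list for the helper to check by publisher and location rather than as a list of things to delete.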


#2 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 01 November 2006 - 02:40 PM

Hi hpcomm

Welcome to BC.

Sorry about the delay.

My name is Stelios and I will be helping you to clean up your computer.

If you still need help, please post a new HijackThis log to make sure nothing has changed.

I also need to see a different type of log from Hijackthis:
Run Hijackthis.
Click on "Open the Misc Tools section".
Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file.

Place the content of that file in your next reply.


Stelios

#3 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 26 November 2006 - 06:07 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Stelios
