
Spy Sherif And Related Unremovable Malware/problems!


This topic is locked.
28 replies to this topic

#1 aerlyn02 (Members, 19 posts)

Posted 23 December 2006 - 09:50 PM

UPDATE: I just downloaded the Panda software that you recommended and installed it, then restarted my computer. Now whenever I try to start my computer it automatically shuts down!!! I can boot in safe mode, however...


Around 5pm last night I tried to download a game, and Spy Sheriff (a program disguising itself as anti-virus software that keeps re-installing itself, plus other crap, no matter how many times you remove it) was downloaded onto my computer, as well as a crap load of other malware. I have run Spybot and sometimes it says it has removed everything, but then other times after a restart items like 'FastClick' and 'AvenueA' keep appearing as needing to be removed! When running Ad-Aware and doing a full system scan, no matter how many times I run it I get this Windows vulnerability thing: 'Name: Windows' – 'Type: RegData' – 'Category: Vulnerability' – 'Object: HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon "Shell" (explorer.exe, c:\windows\system32\xyqwi.exe)'. I don't know if I should go to c:\windows\system32\xyqwi.exe and try to delete xyqwi.exe? Anyone know what this is?

I also get ‘to help protect your computer, windows has closed this program … Name: Windows Explorer,” every once in a while.

I have removed spy sheriff but my comp still has major problems and is running super slow!

I have also run cleanmgr and the Trend Micro HouseCall scan, which said it failed to remove an infection. The HouseCall scan said one infection had to be removed manually; it was a yellow exclamation point listed under 'detected vulnerabilities', one called 'MS04-041', with the message 'an error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.' I also ran AVERT Stinger and after it finished (I am assuming it removed any viruses it encountered) it says 'number of clean files: 181252', when before it said only 'number of clean files: 753'.

Now upon regular start up of my computer – not in safe mode – I get the message titled ‘RUNDLL’ and it says ‘Error loading w0026e8f.dll. The specified module could not be found.’

When I try to click on my firewall in Control Panel I get the message 'Due to an unidentified problem, Windows cannot display Windows Firewall Settings.' Also, before, when I would try to click anything in my Control Panel, even the Add/Remove Programs icon, I would get the message 'cannot locate rundll32.exe'. I went to the system32 folder and my rundll32.exe had been renamed with a bunch of numbers and a .pf at the end, and it says it was changed last night at the time the virus was downloaded. I renamed it back to the .exe and can now open icons in my Control Panel again, except for the firewall!

Also, random icons will appear on my desktop, like '21.com' and 'Click to Find and Fix Errors'. Windows Defender also starts when Windows loads and every once in a while it pops up saying 'WebNexus' and 'Click.Spring.Purity.SCAN' need to be removed. I click remove but they always come back. Then after a bit Windows Defender encounters an error and can't continue, so I just close it. I have tried numerous things trying to remove things in regedit but I am having so much trouble!! Also my desktop background was deleted; it is just blue now. I have all the Windows updates and security updates on my computer as well.

Please post if you can help!! Here is my hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:35:45 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\msasvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tccpip.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SSTEM~1\logonui.exe
C:\Documents and Settings\Christine\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R3 - URLSearchHook: (no name) - {8B8701B7-ED50-9FDD-7752-EF5B265836CE} - C:\WINDOWS\system32\ajpxjib.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O3 - Toolbar: Snipestation2 - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - C:\Program Files\SnipeStation V2\Snipebar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] c:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ggekio] C:\WINDOWS\system32\hpasiq.exe reg_run
O4 - HKLM\..\Run: [qae2a397] RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f
O4 - HKLM\..\Run: [win32096208037999] C:\WINDOWS\win32096208037999.exe
O4 - HKLM\..\Run: [{7C00145C-0C80-1033-0313-050408120001}] "C:\Program Files\Common Files\{7C00145C-0C80-1033-0313-050408120001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Vuvds] C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
O4 - HKCU\..\Run: [ddklk] C:\WINDOWS\system32\hpasiq.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Widp] "C:\WINDOWS\system32\SSTEM~1\logonui.exe" -vt ndrv
O4 - Global Startup: ywltp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149566395765
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

Edited by aerlyn02, 23 December 2006 - 10:52 PM.



#2 waterfalls (Malware Exorcist; Members, 621 posts)

Posted 24 December 2006 - 12:08 AM

• Re-name HijackThis.exe to doggy.exe by doing the following:
- Navigate to C:\Documents and Settings\Christine\Desktop\hijackthis\HijackThis.exe
- Right-click onto HijackThis.exe and select "Rename"
- Type doggy.exe and hit Enter.

• Now, double-click onto doggy.exe (which is still hijackthis) and post back with the new HijackThis log.
Take only memories, leave nothing but footprints.


#3 aerlyn02 (Topic Starter; Members, 19 posts)

Posted 24 December 2006 - 12:29 AM

okay I went to the location you specified and renamed to doggy.exe, clicked, ran and here is the log....

Logfile of HijackThis v1.99.1
Scan saved at 12:27:12 AM, on 12/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Christine\Desktop\hijackthis\doggy.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R3 - URLSearchHook: (no name) - {8B8701B7-ED50-9FDD-7752-EF5B265836CE} - C:\WINDOWS\system32\ajpxjib.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xyqwi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: (no name) - {2A484F5B-F91E-4E47-A13D-FB580EF5EB5B} - C:\WINDOWS\system32\fccawxw.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\pywjtdru.dll (file missing)
O2 - BHO: (no name) - {45E1A125-41A3-4253-A5EC-3354A4E7C56D} - (no file)
O2 - BHO: (no name) - {57AC27C5-1BAE-4AA3-91FE-F7CFA84F9E6B} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {8B8701B7-ED50-9FDD-7752-EF5B265836CE} - C:\WINDOWS\system32\ajpxjib.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Snipestation2 - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - C:\Program Files\SnipeStation V2\Snipebar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] c:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ggekio] C:\WINDOWS\system32\hpasiq.exe reg_run
O4 - HKLM\..\Run: [qae2a397] RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f
O4 - HKLM\..\Run: [win32096208037999] C:\WINDOWS\win32096208037999.exe
O4 - HKLM\..\Run: [{7C00145C-0C80-1033-0313-050408120001}] "C:\Program Files\Common Files\{7C00145C-0C80-1033-0313-050408120001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfef.dll,startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Vuvds] C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
O4 - HKCU\..\Run: [ddklk] C:\WINDOWS\system32\hpasiq.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Widp] "C:\WINDOWS\system32\SSTEM~1\logonui.exe" -vt ndrv
O4 - Global Startup: ywltp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149566395765
O20 - Winlogon Notify: fccawxw - C:\WINDOWS\SYSTEM32\fccawxw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
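The log above (and the Ad-Aware finding quoted in post #1) shows the persistence points a responder reads first: the Winlogon Shell and UserInit values with a second program chained on, Run entries that load random-named DLLs through rundll32, a Run path containing a character HijackThis cannot print, Winlogon Notify packages nobody recognises, and services with no vendor string in the Windows directory. The following is an added example, written for this page and not code from the thread, from HijackThis or from any of the tools mentioned: a small Python triage that applies those checks to the F2, O4, O20 and O23 lines. The sample input is constructed by copying lines from the posted log; the Windows XP defaults for Shell and UserInit, the allow-list of Winlogon Notify packages, and the reading of '?' as an unprintable character are this example's own assumptions. It flags entries for a human to look at; it does not decide what is malware.

```python
import re

# Constructed input for this example: lines copied from the HijackThis log
# posted above (post #3). Real logs have many more lines; only the sections
# the triage looks at are included here.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xyqwi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ggekio] C:\WINDOWS\system32\hpasiq.exe reg_run
O4 - HKLM\..\Run: [qae2a397] RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvfef.dll,startup
O4 - HKCU\..\Run: [Vuvds] C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
O4 - HKCU\..\Run: [ddklk] C:\WINDOWS\system32\hpasiq.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fccawxw - C:\WINDOWS\SYSTEM32\fccawxw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# Assumptions of this example: the Windows XP defaults for the two Winlogon
# values, and a small allow-list of Winlogon Notify packages (the two shown in
# the log plus the XP stock ones). Anything else is flagged for a human.
XP_SHELL = "explorer.exe"
XP_USERINIT = r"c:\windows\system32\userinit.exe"
KNOWN_NOTIFY = {
    "igfxcui", "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)")
O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)")
O20_RE = re.compile(r"O20 - Winlogon Notify: (\S+) - (.*)")
O23_RE = re.compile(r"O23 - Service: (.*?) - (.*?) - (.*)")


def _split_values(value):
    """'a, b' -> ['a', 'b'], lower-cased, empty parts (trailing comma) dropped."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def triage(log_text):
    """Return (section, reason, evidence) tuples for entries worth a look."""
    findings = []
    run_cmds = {}  # lower-cased command -> ["HKLM:name", "HKCU:name", ...]
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            key, parts = m.group(1), _split_values(m.group(2))
            expected = XP_SHELL if key == "Shell" else XP_USERINIT
            extra = [p for p in parts if p != expected]
            if extra:  # winlogon.exe launches every program listed here at logon
                findings.append((key, "extra program chained into Winlogon %s: %s" % (key, ", ".join(extra)), line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if "?" in cmd:  # HijackThis prints a character it cannot render as '?'
                findings.append(("O4", "path contains an unprintable character, often used to hide a folder", line))
            if cmd.lower().startswith("rundll32"):
                findings.append(("O4", "rundll32 loader: the DLL after it is the real payload", line))
            run_cmds.setdefault(cmd.lower(), []).append("%s:%s" % (hive, name))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group(1).lower() not in KNOWN_NOTIFY:
                findings.append(("O20", "Winlogon Notify DLL not on the allow-list; loaded into winlogon.exe", line))
            continue
        m = O23_RE.match(line)
        if m:
            _, owner, path = m.groups()
            if owner == "Unknown owner" and path.lower().startswith("c:\\windows"):
                findings.append(("O23", "service with no vendor string running from the Windows directory", line))
            continue
    # The same command registered under both HKLM and HKCU is a redundancy trick:
    # removing one entry leaves the other to recreate it.
    for cmd, entries in run_cmds.items():
        if len(entries) > 1:
            findings.append(("O4", "same command under %s" % " and ".join(entries), cmd))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (section, reason, evidence))
```

On the posted log this flags xyqwi.exe (Shell), itxbtwr.exe (UserInit), both rundll32 loaders, the `?asks` path, hpasiq.exe registered under both hives, fccawxw.dll, and the two "Unknown owner" services in system32. One link the script does not draw but the log shows by eye: the argument `mc-110-12-0000272` appears both on the `Update.exe` Run entry and on the bogus "COM+ Messages" service, so the two belong to the same installer.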

#4 waterfalls (Malware Exorcist; Members, 621 posts)

Posted 24 December 2006 - 01:31 AM

Hi,

Your system is badly infected. Please follow these instructions in the order given. This is very important. Also, please follow these steps in one sitting, that is, do NOT begin and then finish later.

First thing is that you need to install an anti-virus program. Trying to clean your system without an AV will just have us going in circles since you probably will get reinfected without an AV.
Active Virus Shield -or- AntiVir® -or- Avast are good FREE Anti-Virus programs.
Never install more than one Anti-Virus scanner on your system! Having more than one AV installed will likely cause your system to become unstable and seriously decrease the reliable detection of any malware.
Let your Anti-Virus perform a full scan and let it delete everything it finds.
__________________________________________

• Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{B0F6B85A-03A4-1033-1119-020207100001}"=-

- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- (On your desktop, it must look like a white sheet with little green boxes on it.)
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

• Reboot your computer.
__________________________________________

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, unselect the Turn on real-time protection check box
* Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.
__________________________________________

• Please download VundoFix.exe and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.
_____________________________________________

• Download SmitfraudFix by S!ri and save it to your desktop.
Double-click onto SmitFraudFix.exe and a folder named SmitfraudFix will be created on your Desktop.

• Please download the trial version of Ewido Anti-Malware
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and uncheck Install scan via context menu.
  • During installation, when you update Ewido for the first time, you may get a warning "Database could not be found!". Just click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once the updating is completed, close/exit Ewido.

• Open the SmitfraudFix folder and double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt on the root of your drive, e.g.: Local Disk C: or partition where your operating system is installed. You will be requested to post this log in your next reply along with any other requested logs.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
____________________________________________

• Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe and save it to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
_______________________________________________

• Post back with the C:\vundofix.txt, the rapport.txt log and the combofix.txt log and a new HijackThis log.

Edited by waterfalls, 24 December 2006 - 01:33 AM.

Take only memories, leave nothing but footprints.


#5 aerlyn02 (Topic Starter; Members, 19 posts)

Posted 24 December 2006 - 10:49 PM

Okay, I am having some problems with step 1. AntiVir didn't work because it's not compatible with Windows Media Center, which is what I have, or there was another problem, because I got many errors. Avast I was able to download and install, but it did not show up in my Start menu; however, I was able to find it under Program Files, but all the icons I clicked on to start the program or scan said the key expired or was invalid. Finally I was able to download and install Active Virus Shield (after uninstalling the other 2), but I have typed in my email address so many times on the site and I STILL have not received, after 24 hours and trying multiple email addresses, a license key, so I can't run the scan...

Are there other anti-virus programs you suggest I download and run? Or should I just continue on with the steps you outlined in order?? This is so frustrating!!

#6 waterfalls (Malware Exorcist, Members, 621 posts, Gender: Male)

Posted 25 December 2006 - 12:11 AM

I'm sorry you had problems with the anti-virus programs. It's the first time I've heard of the problems you experienced. Another AV program is AVG Free Anti-Virus:
http://free.grisoft.com/freeweb.php/doc/2/
Download and install it and then scan with it. Hopefully, you shouldn't experience any problems.

Also, please note that the following is a revision of one of the steps. I inadvertently instructed you to download Ewido, but the program is now called AVG Anti-Spyware. It is the same website, but I don't want the instructions to be confusing.

So, after you download SmitfraudFix, the next step is:

• Download and install AVG Anti-Spyware 7.5.
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version, which has a special "clean driver" for removing persistent malware.)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done.
DO NOT perform a scan yet.

Then, open the SmitFraudFix folder and follow the rest of the posted instructions.

Edited by waterfalls, 25 December 2006 - 12:12 AM.

Take only memories, leave nothing but footprints.

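The HijackThis F2 lines, the ComboFix Winlogon\Notify key paths and the Run entries that appear in the logs posted in this thread are the places where this kind of infection persists. As an added example, not code from the thread or from either tool, the following script checks such lines against clean Windows XP defaults and lists what a reviewer should look at. The default values, the known Notify subkey set and the suspect-directory heuristic are assumptions for a clean English XP SP2 install; the sample lines are constructed in those tools' formats.

```python
"""Check HijackThis / ComboFix log lines for the Winlogon and autostart hijacks
seen in this thread.  Added example, not code from the thread or from either tool.
Assumptions: a clean English Windows XP SP2 install in C:\\WINDOWS; KNOWN_NOTIFY
and SUSPECT_DIRS are review heuristics, not a verdict."""
import re

# Clean-install values of the two Winlogon entries HijackThis reports as F2 lines.
# Anything else listed after them is an extra executable started at logon.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Winlogon\Notify subkeys expected on a clean XP SP2 system (assumed list; vendor
# drivers add a few, so an unknown name means "look at the DLL", not "malware").
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Directories a legitimate autostart should not normally launch from (heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\")

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
# Matches both ComboFix's bare key path and HijackThis's O20 line.
NOTIFY_RE = re.compile(r"(?:\\winlogon\\notify\\|^O20 - Winlogon Notify: )([^\\\s]+)", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$", re.I)


def split_commands(value):
    """Split a comma-separated registry value into its executable entries."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_f2(line):
    """Executables in a Shell/UserInit value beyond the default; [] if clean,
    None if the line is not an F2 line."""
    m = F2_RE.match(line)
    if not m:
        return None
    expected = DEFAULT_SHELL if m.group(1).lower() == "shell" else DEFAULT_USERINIT
    return [p for p in split_commands(m.group(2)) if p.lower() != expected]


def check_notify(line):
    """[subkey] for a Winlogon\\Notify subkey not on the known list, else []."""
    m = NOTIFY_RE.search(line)
    if not m:
        return None
    name = m.group(1)
    return [] if name.lower() in KNOWN_NOTIFY else [name]


def check_o4(line):
    """[command] for an O4 Run entry launching from a suspect directory, else []."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group(4).strip().strip('"')
    return [cmd] if any(d in cmd.lower() for d in SUSPECT_DIRS) else []


CHECKS = (check_f2, check_notify, check_o4)


def scan_log(text):
    """Run every check over each line; return (line, findings) pairs for hits."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append((line, hit))
    return findings


# Constructed sample in the formats of the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xyqwi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\504906.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklj
"""

if __name__ == "__main__":
    for line, hit in scan_log(SAMPLE_LOG):
        print("REVIEW:", line)
        for item in hit:
            print("    ->", item)
```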

#7 aerlyn02 (Topic Starter, Members, 19 posts)

Posted 25 December 2006 - 03:26 PM

Okay - finally, AVG worked 4 me and here are my 3 logs and the new hijackthis log!!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 2:57:47 PM 12/25/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

SmitFraudFix v2.131

Scan done at 15:15:52.40, Mon 12/25/2006
Run from C:\Documents and Settings\Christine\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christine


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christine\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Christine - 06-12-25 15:17:54.40 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Christine\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Christine\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{3C00145C-0C80-1033-0313-050408120001}
C:\Program Files\Common Files\{7C00145C-0C80-1033-0313-050408120001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
C:\QooBox\Purity\WINDOWS\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1\SSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-25 to 2006-12-25 ))))))))))))))))))))))))))))))))))


2006-12-25 15:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-25 15:07 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-12-25 14:57 <DIR> d-------- C:\VundoFix Backups
2006-12-25 13:56 88,340 --a------ C:\WINDOWS\system32\dsvawvhd.exe
2006-12-25 13:43 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-25 13:42 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\AVG7
2006-12-25 13:41 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-25 13:41 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-25 13:41 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-25 13:41 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-25 13:41 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-25 13:41 <DIR> d-------- C:\Program Files\Grisoft
2006-12-25 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-25 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-25 13:37 <DIR> d--hs---- C:\Config.Msi
2006-12-24 14:10 <DIR> d-------- C:\Program Files\AOL Security Toolbar
2006-12-24 13:33 <DIR> d-------- C:\Program Files\Alwil Software
2006-12-24 09:17 58,880 --a------ C:\WINDOWS\system32\gfeo.dll
2006-12-24 09:17 22,541 --ahs---- C:\WINDOWS\system32\khfdaay.dll
2006-12-23 22:43 92,544 --a------ C:\WINDOWS\system32\drivers\av5flt.sys
2006-12-23 22:28 <DIR> d-------- C:\Program Files\Panda Software
2006-12-23 22:28 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2006-12-23 21:46 22,541 --ahs---- C:\WINDOWS\system32\fccdbyw.dll
2006-12-23 21:43 <DIR> d-------- C:\Program Files\VSAdd-in
2006-12-23 15:26 <DIR> d-------- C:\Documents and Settings\Christine\.housecall6.6
2006-12-23 11:35 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2006-12-23 10:26 <DIR> d--h----- C:\Program Files\BHO Plugin
2006-12-22 23:27 22,541 --ahs---- C:\WINDOWS\system32\hgghhef.dll
2006-12-22 23:21 <DIR> d-------- C:\WINDOWS\pss
2006-12-22 23:09 <DIR> d--hs---- C:\WINDOWS\CSC
2006-12-22 19:07 22,541 --ahs---- C:\WINDOWS\system32\fccawxw.dll
2006-12-22 19:07 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\çasks
2006-12-22 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-22 19:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-22 17:24 3,726 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-22 17:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-22 17:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-22 17:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-22 17:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-22 17:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-22 17:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-22 16:35 183,808 --a-s---- C:\WINDOWS\NDNuninstall7_48.exe
2006-12-22 16:34 17,920 --a------ C:\WINDOWS\system32\tccpip.exe
2006-12-22 16:33 274,944 --a------ C:\WINDOWS\system32\byxfhicmet.exe
2006-12-22 16:33 15 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-12-22 16:32 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-12-22 16:32 288 --a------ C:\WINDOWS\fkgaa.dll
2006-12-22 16:26 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\SlySoft
2006-12-21 16:59 35,144 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-12-21 16:59 15,440 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2006-12-21 16:59 11,984 --a------ C:\WINDOWS\system32\drivers\RegKill.sys
2006-12-21 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2006-12-20 08:36 8,413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2006-12-20 08:36 <DIR> d-------- C:\Program Files\Common Files\Real
2006-12-20 08:36 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Real
2006-12-20 08:35 <DIR> d-------- C:\Program Files\Rhapsody
2006-12-19 18:33 <DIR> d-------- C:\Program Files\Real
2006-12-13 18:41 11,984 --a------ C:\WINDOWS\system32\drivers\ElbyDelay.sys
2006-12-13 15:24 89,296 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2006-12-11 12:34 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Google
2006-12-11 12:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2006-12-11 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-12-10 10:28 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-07 19:06 <DIR> d-------- C:\Program Files\Windows Defender
2006-12-03 11:24 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\SecondLife
2006-12-02 00:14 <DIR> d-------- C:\Program Files\SecondLife
2006-12-01 20:18 8,704 --a------ C:\WINDOWS\system32\wnaspi32.dll
2006-11-30 22:52 <DIR> d-------- C:\Program Files\Novosoft
2006-11-30 22:52 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Novosoft
2006-11-30 22:50 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Ahead
2006-11-30 22:36 <DIR> d-------- C:\Program Files\ASCOMP Software
2006-11-30 19:25 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\eFax Messenger
2006-11-30 08:29 <DIR> d-------- C:\Program Files\Market Research Wizard
2006-11-28 19:47 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\acccore
2006-11-28 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2006-11-28 19:46 <DIR> d-------- C:\Program Files\Viewpoint
2006-11-28 19:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2006-11-28 19:46 <DIR> d-------- C:\Program Files\AIM6
2006-11-28 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-11-28 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-12-25 15:21 -------- d-------- C:\Program Files\Common Files
2006-12-25 15:19 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-23 23:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-23 22:28 -------- d-------- C:\Program Files\iTunes
2006-12-23 16:20 -------- d-------- C:\Program Files\DAEMON Tools
2006-12-21 17:01 -------- d-------- C:\Documents and Settings\Christine\Application Data\Azureus
2006-12-21 12:22 -------- d-------- C:\Program Files\Elaborate Bytes
2006-12-21 12:21 -------- d-------- C:\Program Files\SlySoft
2006-12-21 01:06 125 ---hs---- C:\Documents and Settings\Christine\Application Data\.zreglib
2006-12-20 08:50 -------- d-------- C:\Program Files\Azureus
2006-12-20 08:44 -------- d-------- C:\Documents and Settings\Christine\Application Data\tunebite
2006-12-19 18:51 142 --a------ C:\Program Files\page.html
2006-12-15 22:16 -------- d-------- C:\Documents and Settings\Christine\Application Data\Canon
2006-12-15 15:30 -------- d-------- C:\Program Files\Windows Media Player
2006-12-15 15:28 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 15:28 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 18:02 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-12-11 12:33 -------- d-------- C:\Program Files\Internet Explorer
2006-12-11 12:29 -------- d-------- C:\Program Files\Google
2006-12-06 23:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-12-01 20:08 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-28 19:52 -------- d-------- C:\Program Files\AIM
2006-11-28 19:52 -------- d-------- C:\Documents and Settings\Christine\Application Data\Aim
2006-11-28 19:46 -------- d-------- C:\Documents and Settings\Christine\Application Data\Mozilla
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-11-17 23:50 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 14:07 -------- d-------- C:\Program Files\OverDrive Media Console
2006-10-31 20:29 -------- d-------- C:\Documents and Settings\Christine\Application Data\dvdcss
2006-10-29 21:17 -------- d-------- C:\Program Files\DVDFab
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --a------ C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --a------ C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --a------ C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --a------ C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"Vuvds"="C:\\Documents and Settings\\Christine\\Application Data\\?asks\\spool32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Widp"="\"C:\\WINDOWS\\system32\\SSTEM~1\\logonui.exe\" -vt tzt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"CreateCD_Reminder"="C:\\WINDOWS\\Sonysys\\VAIO Recovery\\reminder.exe"
"VAIO Update 2"="\"C:\\Program Files\\Sony\\VAIO Update 2\\VAIOUpdt.exe\" /Stationary"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"VAIO Recovery"="c:\\WINDOWS\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"qae2a397"="RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f"
"win32096208037999"="C:\\WINDOWS\\win32096208037999.exe"
"{7C00145C-0C80-1033-0313-050408120001}"="\"C:\\Program Files\\Common Files\\{7C00145C-0C80-1033-0313-050408120001}\\Update.exe\" mc-110-12-0000272"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Service Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Service Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\80\\Tools\\Binn\\sqlmangr.exe /n"
"item"="Service Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ywltp.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ywltp.exe"
"backup"="C:\\WINDOWS\\pss\\ywltp.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ywltp.exe"
"item"="ywltp"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCWZRD"
"hkey"="HKLM"
"command"="ALCWZRD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\byxfhicmet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="byxfhicmet"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\byxfhicmet.exe byxfhicmet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvwow"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvwow.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddklk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpasiq"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\hpasiq.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hbagent"
"hkey"="HKCU"
"command"="C:\\Program Files\\Novosoft\\Handy Backup\\hbagent.exe -logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAudPropShortcut"
"hkey"="HKLM"
"command"="HDAudPropShortcut.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpwareSE2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="504906"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\CHRIST~1\\LOCALS~1\\Temp\\504906.exe \" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="493656"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\CHRIST~1\\LOCALS~1\\Temp\\493656.exe \" "
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxtx32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-12-25 15:22:05.45
C:\ComboFix.txt ... 06-12-25 15:22

Logfile of HijackThis v1.99.1
Scan saved at 3:25:31 PM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tccpip.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Christine\Desktop\hijackthis\doggy.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R3 - URLSearchHook: (no name) - {D2EB4E0F-ABBE-8764-9CF9-F5FA4CAE6899} - C:\WINDOWS\system32\gfeo.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xyqwi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16188497-F7FB-4B5C-B5A2-59A482D62A6D} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\pywjtdru.dll (file missing)
O2 - BHO: (no name) - {45E1A125-41A3-4253-A5EC-3354A4E7C56D} - (no file)
O2 - BHO: (no name) - {5AF4A7D2-42B1-4A2B-A733-7E78CE00DC92} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D2EB4E0F-ABBE-8764-9CF9-F5FA4CAE6899} - C:\WINDOWS\system32\gfeo.dll
O3 - Toolbar: Snipestation2 - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - C:\Program Files\SnipeStation V2\Snipebar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] c:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [qae2a397] RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f
O4 - HKLM\..\Run: [win32096208037999] C:\WINDOWS\win32096208037999.exe
O4 - HKLM\..\Run: [{7C00145C-0C80-1033-0313-050408120001}] "C:\Program Files\Common Files\{7C00145C-0C80-1033-0313-050408120001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Vuvds] C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Widp] "C:\WINDOWS\system32\SSTEM~1\logonui.exe" -vt tzt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149566395765
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

Edited by aerlyn02, 25 December 2006 - 03:30 PM.


#8 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • Gender:Male

Posted 26 December 2006 - 06:14 AM

Hi,

Please follow these directions exactly and in the order given. It is very important that you do this. Again, you need to work through these steps in one sitting - not to start and finish later.

First, we need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, unselect the Turn on real-time protection check box
* Click Save.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R3 - URLSearchHook: (no name) - {D2EB4E0F-ABBE-8764-9CF9-F5FA4CAE6899} - C:\WINDOWS\system32\gfeo.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xyqwi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O2 - BHO: (no name) - {16188497-F7FB-4B5C-B5A2-59A482D62A6D} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\pywjtdru.dll (file missing)
O2 - BHO: (no name) - {45E1A125-41A3-4253-A5EC-3354A4E7C56D} - (no file)
O2 - BHO: (no name) - {5AF4A7D2-42B1-4A2B-A733-7E78CE00DC92} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: (no name) - {D2EB4E0F-ABBE-8764-9CF9-F5FA4CAE6899} - C:\WINDOWS\system32\gfeo.dll
O4 - HKLM\..\Run: [qae2a397] RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f
O4 - HKLM\..\Run: [win32096208037999] C:\WINDOWS\win32096208037999.exe
O4 - HKLM\..\Run: [{7C00145C-0C80-1033-0313-050408120001}] "C:\Program Files\Common Files\{7C00145C-0C80-1033-0313-050408120001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [Vuvds] C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
O4 - HKCU\..\Run: [Widp] "C:\WINDOWS\system32\SSTEM~1\logonui.exe" -vt tzt
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll (file missing)
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

• Download rustbfix.exe and save it to your Desktop.
1. Double-click on rustbfix.exe to run the tool.
2. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while and, perhaps, 2 reboots will be needed but this will happen automatically.
3. After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log in your next reply.

Note: After your computer reboots, Windows Defender's real-time protection may be re-enabled. CHECK to see if it has been re-enabled and, if so, disable it again following the above steps.

• Run Combofix again. As a reminder:
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

• Post back with the logs from rustbfix, the new combofix.txt log and a new HijackThis log.
Take only memories, leave nothing but footprints.
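A small triage script for the kind of HijackThis lines fixed in the post above, added here as an example (it is not HijackThis code and not part of the thread): it parses F2, O20 and O4 lines and flags executables chained onto the Winlogon Shell/UserInit values, Winlogon Notify DLLs marked "(file missing)", and Run entries launched from a user profile or via rundll32 with an unqualified DLL name. The expected default values are assumed Windows XP defaults, and the sample lines are a constructed subset of the log in this thread.

```python
"""Triage of HijackThis F2 / O20 / O4 lines for Winlogon-style persistence.

Added example for this thread; not HijackThis code and not part of the
original posts.  It flags the kinds of entries waterfalls asked to have
fixed: executables chained onto the Winlogon Shell or UserInit values,
Winlogon Notify DLLs that no longer exist on disk, and Run entries that
launch from a user profile or through rundll32 with an unqualified DLL.
"""
import re
from dataclasses import dataclass

# Windows XP defaults for the two Winlogon values (assumption; lower-case).
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


@dataclass
class Finding:
    kind: str    # short tag of what was matched
    detail: str  # the suspicious value(s)
    line: str    # original log line


def _split_values(raw):
    """Split a comma-separated Shell/UserInit value into normalised entries."""
    return [v.strip().lower() for v in raw.split(",") if v.strip()]


def triage(log_text):
    """Return Finding objects, in log order, for the suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            key, raw = m.group(1).lower(), m.group(2)
            expected = EXPECTED_SHELL if key == "shell" else EXPECTED_USERINIT
            # Anything beyond the default binary is started at every logon.
            extra = [v for v in _split_values(raw) if v not in expected]
            if extra:
                findings.append(Finding("winlogon-" + key,
                                        "extra executable(s): " + ", ".join(extra), line))
            continue
        m = O20_RE.match(line)
        if m:
            name, path = m.groups()
            # A Notify DLL that is gone usually means a partial clean-up;
            # the registry value itself still has to be removed.
            if "(file missing)" in path.lower():
                findings.append(Finding("winlogon-notify-missing", f"{name}: {path}", line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            low = cmd.lower()
            if "\\documents and settings\\" in low or "\\application data\\" in low:
                findings.append(Finding("run-from-profile", f"{hive} [{name}] {cmd}", line))
            elif low.startswith("rundll32"):
                parts = cmd.split(None, 1)
                dll = parts[1].split(",")[0].strip() if len(parts) > 1 else ""
                if dll and "\\" not in dll:  # bare DLL name, resolved by search order
                    findings.append(Finding("rundll32-unqualified-dll",
                                            f"{hive} [{name}] {dll}", line))
    return findings


# Constructed sample: a subset of the lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xyqwi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,itxbtwr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [qae2a397] RUNDLL32.EXE w0026e8f.dll,n 0072a390000000050026e8f
O4 - HKCU\..\Run: [Vuvds] C:\Documents and Settings\Christine\Application Data\?asks\spool32.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```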


#9 aerlyn02

aerlyn02
  • Topic Starter

  • Members
  • 19 posts

Posted 26 December 2006 - 10:45 AM

I had followed the previous instructions to a T, I believe anyway, so Windows Defender real-time protection was already disabled. I did the HijackThis fix of the items you listed but I have been trying for like 20 minutes now to download the rustbfix (and have tried on different comps) with no success - the page keeps timing out, so now I am stuck and have completed the first step without doing all the others in one sitting :/ UGH! Not sure what I should do really? Maybe ejvindh's servers/web host are down or something? Should I just wait and try to download it again later + if I do that should I start from the beginning of your instructions again and see if any of those items I 'fixed' in HijackThis are back?


UPDATE: SOME1 PMed me an alternate link to the rustbfix so I'm good and will post the requested logs when finished...

Edited by aerlyn02, 26 December 2006 - 11:36 AM.


#10 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • Gender:Male

Posted 26 December 2006 - 01:22 PM

Hi,

That's fine. The server may have been down for a bit for maintenance because I just tried it and rustbfix.exe popped up for downloading.

Do me a favor and post the alternate link that you received from someone else. As a precaution, do you know and trust the person you received the alternate link from via PM?

So, just continue and run rustbfix.exe and then post the logs. I'll be online for a while. It seems like today being the day after Christmas is the day people turned their attention back to their infected computers, so I'll be working on logs for a while... :thumbsup:

Edit... If you haven't run the rustbfix.exe that you downloaded from the alternate site, I'd feel more comfortable if you tried to download it from the link I posted and then run that file.

Edited by waterfalls, 26 December 2006 - 01:46 PM.

Take only memories, leave nothing but footprints.


#11 aerlyn02

aerlyn02
  • Topic Starter

  • Members
  • 19 posts

Posted 26 December 2006 - 03:50 PM

The person who PMed me the link was tata1959 - don't know them - and the link was http://cybertrash.pl/downloads.php?cat_id=...;download_id=39 - I had downloaded it but did not run it. I deleted it and downloaded the rustbfix from the link you provided now that it's working and ran that instead. I will edit this message and post the logs...


Here are the logs from the Rustbfix - I believe they are good and not infected now but I'll post just in case...

************************* Rustock.b-fix -- By ejvindh *************************
Tue 12/26/2006 15:55:31.40

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69550
Total size: 69550 bytes.
Attempting to remove ADS...
system32: deleted 69550 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nygrmmvn

*******************

Script file located at: \??\C:\WINDOWS\onofcvwa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
Christine - 06-12-26 16:03:36.15 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Christine\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
C:\QooBox\Purity\WINDOWS\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1\SSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-26 to 2006-12-26 ))))))))))))))))))))))))))))))))))


2006-12-26 15:59 <DIR> d-------- C:\avenger
2006-12-26 15:55 <DIR> d-------- C:\Rustbfix
2006-12-25 15:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-25 15:07 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-12-25 14:57 <DIR> d-------- C:\VundoFix Backups
2006-12-25 13:56 88,340 --a------ C:\WINDOWS\system32\dsvawvhd.exe
2006-12-25 13:43 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-25 13:42 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\AVG7
2006-12-25 13:41 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-25 13:41 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-25 13:41 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-25 13:41 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-25 13:41 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-25 13:41 <DIR> d-------- C:\Program Files\Grisoft
2006-12-25 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-25 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-25 13:37 <DIR> d--hs---- C:\Config.Msi
2006-12-24 14:10 <DIR> d-------- C:\Program Files\AOL Security Toolbar
2006-12-24 13:33 <DIR> d-------- C:\Program Files\Alwil Software
2006-12-24 09:17 22,541 --ahs---- C:\WINDOWS\system32\khfdaay.dll
2006-12-23 22:43 92,544 --a------ C:\WINDOWS\system32\drivers\av5flt.sys
2006-12-23 22:28 <DIR> d-------- C:\Program Files\Panda Software
2006-12-23 22:28 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2006-12-23 21:46 22,541 --ahs---- C:\WINDOWS\system32\fccdbyw.dll
2006-12-23 21:43 <DIR> d-------- C:\Program Files\VSAdd-in
2006-12-23 15:26 <DIR> d-------- C:\Documents and Settings\Christine\.housecall6.6
2006-12-23 11:35 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2006-12-23 10:26 <DIR> d--h----- C:\Program Files\BHO Plugin
2006-12-22 23:27 22,541 --ahs---- C:\WINDOWS\system32\hgghhef.dll
2006-12-22 23:21 <DIR> d-------- C:\WINDOWS\pss
2006-12-22 23:09 <DIR> d--hs---- C:\WINDOWS\CSC
2006-12-22 19:07 22,541 --ahs---- C:\WINDOWS\system32\fccawxw.dll
2006-12-22 19:07 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\çasks
2006-12-22 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-22 19:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-22 17:24 3,726 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-22 17:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-22 17:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-22 17:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-22 17:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-22 17:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-22 17:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-22 16:35 183,808 --a-s---- C:\WINDOWS\NDNuninstall7_48.exe
2006-12-22 16:34 17,920 --a------ C:\WINDOWS\system32\tccpip.exe
2006-12-22 16:33 274,944 --a------ C:\WINDOWS\system32\byxfhicmet.exe
2006-12-22 16:33 15 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-12-22 16:32 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-12-22 16:32 288 --a------ C:\WINDOWS\fkgaa.dll
2006-12-22 16:26 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\SlySoft
2006-12-21 16:59 35,144 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-12-21 16:59 15,440 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2006-12-21 16:59 11,984 --a------ C:\WINDOWS\system32\drivers\RegKill.sys
2006-12-21 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2006-12-20 08:36 8,413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2006-12-20 08:36 <DIR> d-------- C:\Program Files\Common Files\Real
2006-12-20 08:36 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Real
2006-12-20 08:35 <DIR> d-------- C:\Program Files\Rhapsody
2006-12-19 18:33 <DIR> d-------- C:\Program Files\Real
2006-12-13 18:41 11,984 --a------ C:\WINDOWS\system32\drivers\ElbyDelay.sys
2006-12-13 15:24 89,296 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2006-12-11 12:34 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Google
2006-12-11 12:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2006-12-11 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-12-10 10:28 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-07 19:06 <DIR> d-------- C:\Program Files\Windows Defender
2006-12-03 11:24 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\SecondLife
2006-12-02 00:14 <DIR> d-------- C:\Program Files\SecondLife
2006-12-01 20:18 8,704 --a------ C:\WINDOWS\system32\wnaspi32.dll
2006-11-30 22:52 <DIR> d-------- C:\Program Files\Novosoft
2006-11-30 22:52 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Novosoft
2006-11-30 22:50 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Ahead
2006-11-30 22:36 <DIR> d-------- C:\Program Files\ASCOMP Software
2006-11-30 19:25 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\eFax Messenger
2006-11-30 08:29 <DIR> d-------- C:\Program Files\Market Research Wizard
2006-11-28 19:47 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\acccore
2006-11-28 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2006-11-28 19:46 <DIR> d-------- C:\Program Files\Viewpoint
2006-11-28 19:46 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2006-11-28 19:46 <DIR> d-------- C:\Program Files\AIM6
2006-11-28 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-11-28 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-26 16:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-25 15:21 -------- d-------- C:\Program Files\Common Files
2006-12-23 23:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-23 22:28 -------- d-------- C:\Program Files\iTunes
2006-12-23 16:20 -------- d-------- C:\Program Files\DAEMON Tools
2006-12-21 17:01 -------- d-------- C:\Documents and Settings\Christine\Application Data\Azureus
2006-12-21 12:22 -------- d-------- C:\Program Files\Elaborate Bytes
2006-12-21 12:21 -------- d-------- C:\Program Files\SlySoft
2006-12-21 01:06 125 ---hs---- C:\Documents and Settings\Christine\Application Data\.zreglib
2006-12-20 08:50 -------- d-------- C:\Program Files\Azureus
2006-12-20 08:44 -------- d-------- C:\Documents and Settings\Christine\Application Data\tunebite
2006-12-19 18:51 142 --a------ C:\Program Files\page.html
2006-12-15 22:16 -------- d-------- C:\Documents and Settings\Christine\Application Data\Canon
2006-12-15 15:30 -------- d-------- C:\Program Files\Windows Media Player
2006-12-15 15:28 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 15:28 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 18:02 -------- d-------- C:\Program Files\DVDFab Decrypter 3
2006-12-11 12:33 -------- d-------- C:\Program Files\Internet Explorer
2006-12-11 12:29 -------- d-------- C:\Program Files\Google
2006-12-06 23:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-12-01 20:08 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-28 19:52 -------- d-------- C:\Program Files\AIM
2006-11-28 19:52 -------- d-------- C:\Documents and Settings\Christine\Application Data\Aim
2006-11-28 19:46 -------- d-------- C:\Documents and Settings\Christine\Application Data\Mozilla
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-11-17 23:50 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 14:07 -------- d-------- C:\Program Files\OverDrive Media Console
2006-10-31 20:29 -------- d-------- C:\Documents and Settings\Christine\Application Data\dvdcss
2006-10-29 21:17 -------- d-------- C:\Program Files\DVDFab
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --a------ C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --a------ C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --a------ C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --a------ C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"CreateCD_Reminder"="C:\\WINDOWS\\Sonysys\\VAIO Recovery\\reminder.exe"
"VAIO Update 2"="\"C:\\Program Files\\Sony\\VAIO Update 2\\VAIOUpdt.exe\" /Stationary"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"VAIO Recovery"="c:\\WINDOWS\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Service Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Service Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\80\\Tools\\Binn\\sqlmangr.exe /n"
"item"="Service Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ywltp.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ywltp.exe"
"backup"="C:\\WINDOWS\\pss\\ywltp.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ywltp.exe"
"item"="ywltp"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCWZRD"
"hkey"="HKLM"
"command"="ALCWZRD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\byxfhicmet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="byxfhicmet"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\byxfhicmet.exe byxfhicmet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvwow"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvwow.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddklk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpasiq"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\hpasiq.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hbagent"
"hkey"="HKCU"
"command"="C:\\Program Files\\Novosoft\\Handy Backup\\hbagent.exe -logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAudPropShortcut"
"hkey"="HKLM"
"command"="HDAudPropShortcut.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpwareSE2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="504906"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\CHRIST~1\\LOCALS~1\\Temp\\504906.exe \" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="493656"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\CHRIST~1\\LOCALS~1\\Temp\\493656.exe \" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-12-26 16:05:14.46
C:\ComboFix.txt ... 06-12-26 16:05
C:\ComboFix2.txt ... 06-12-25 15:23





Logfile of HijackThis v1.99.1
Scan saved at 4:06:26 PM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tccpip.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Documents and Settings\Christine\Desktop\hijackthis\doggy.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Snipestation2 - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - C:\Program Files\SnipeStation V2\Snipebar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] c:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149566395765
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe



DAMN - that freaking O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll won't go away... :/

Edited by aerlyn02, 26 December 2006 - 04:07 PM.


#12 aerlyn02 (Topic Starter)

Posted 27 December 2006 - 03:59 PM

I've been running AVG and it says that it's not finding anything, but Ad-Aware keeps finding this Adware.BHO and I can't get rid of it... I mean my comp seems to be running almost back to normal speed and it's not doing the auto-shutdown or anything, but I still can't open my firewall ...

#13 waterfalls (Malware Exorcist)

Posted 28 December 2006 - 12:12 AM

Yeah, that O2 is stubborn.

• Please click Start > Run > and type Regedit
• Click OK and wait for the Registry Editor to open
• Now, please click on File and then Export
• This will bring up the Export Registry File window
• At the bottom of which you will see an option for Export range
• Click the option for Selected branch and in the field underneath that, copy and paste:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
• Enter a file name of Run, and save the file to your Desktop
• Now go to your Desktop, right click on the file you have created, select Open With and choose Notepad.
• Copy the contents of that file into this thread.

• Go to Start > Control Panel > Add/Remove Programs
  - See if BHO Plugin is listed
  - If it is, select it > click Remove
  - Exit

• Reboot your computer.

• Whether it was listed or not, navigate to and delete the folder if present:
  C:\Program Files\BHO Plugin

• Reboot your computer.

• Download SUPERAntiSpyware
  - Load SUPERAntiSpyware and click the check for updates button.
  - Once the update is finished click the scan your computer button.
  - Check Perform Complete Scan and then next.
  - SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  - Make sure that they all have a check next to them and press next.
  - Click finish and you will be taken back to the main interface.
  - Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  - Copy and paste the log in your next reply and a new HijackThis log.

Edited by waterfalls, 28 December 2006 - 12:26 AM.

Take only memories, leave nothing but footprints.

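Reading exported registry branches by eye, as the thread does with the ComboFix dump above and the Security Center branch waterfalls asks for here, is tedious and easy to get wrong. The following is an added example, not code from this thread, from BleepingComputer, or from SUPERAntiSpyware, ComboFix or HijackThis. It parses regedit's `.reg` export format (the `Windows Registry Editor Version 5.00` text: `dword:` values, escaped strings, and multi-line `hex(2)` values with backslash continuation, including the one-byte-per-character form the ComboFix dump uses) and then flags three things: nonzero `*DisableNotify` / `*Override` values under `Security Center` (they silence the alerts that would otherwise tell the user the firewall or antivirus is off), `DisableMonitoring` set under a vendor `Monitoring\` subkey (legitimate when that vendor's product is installed, worth confirming otherwise), and any `Run`/`RunOnce` or msconfig `startupreg` command that launches from a Temp folder. The `SAMPLE_REG` text is constructed for the example, modelled on the exports posted in the thread with `AntiVirusDisableNotify` flipped to 1 so a finding appears; `parse_reg`, `audit` and the Temp-path heuristic are the example's own, and a Temp-folder autostart is a lead to check, not proof of infection.

```python
"""Audit a regedit .reg export for Security Center tampering and Temp-folder autostarts.

Added example for this thread; not code from BleepingComputer, SUPERAntiSpyware,
ComboFix or HijackThis. SAMPLE_REG is constructed for the example (modelled on the
exports in the thread, with AntiVirusDisableNotify set to 1 so a finding shows up);
parse_reg/audit and the Temp-path heuristic are the example's own.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinUpdate"="\"C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\504906.exe \" "
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  75,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\493656.exe \" "
"""

SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
TEMP_RE = re.compile(r"\\temp\\|%temp%", re.I)  # heuristic: launched out of a Temp folder


def _unescape(s):
    # .reg string escapes are only \\ and \"
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_hex(kind, payload):
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ
        # regedit v5 writes UTF-16LE; some tool dumps write one byte per character
        if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
            text = data.decode("utf-16-le")
        else:
            text = data.decode("latin-1")
        text = text.rstrip("\x00")
        return text.split("\x00") if kind == 7 else text
    return data  # REG_BINARY and anything else: raw bytes


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text.

    For a real regedit export read from disk, open it with encoding='utf-16'
    (regedit writes UTF-16LE with a BOM) before passing the text here.
    """
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex continuation line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2)
        if raw.startswith("dword:"):
            val = int(raw[6:], 16)
        elif raw.startswith("hex"):
            h = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
            val = _decode_hex(int(h.group(1) or 3), h.group(2))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            val = _unescape(raw[1:-1])
        else:
            val = raw
        keys[current][name] = val
    return keys


def audit(keys):
    """Return (key, value_name, reason) for values worth a second look."""
    findings = []
    sc = SC_KEY.lower()
    for key, values in keys.items():
        k = key.lower()
        if k == sc:
            for name, val in values.items():
                if (name.endswith("DisableNotify") or name.endswith("Override")) and val:
                    findings.append((key, name, "Security Center alert suppressed"))
        elif k.startswith(sc + "\\monitoring\\") and values.get("DisableMonitoring"):
            findings.append((key, "DisableMonitoring",
                             "vendor product claims monitoring; confirm it is really installed"))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, val in values.items():
                if isinstance(val, str) and TEMP_RE.search(val):
                    findings.append((key, name, "autostart from a Temp folder: " + val))
        elif "\\msconfig\\startupreg\\" in k:
            cmd = values.get("command", "")
            if isinstance(cmd, str) and TEMP_RE.search(cmd):
                findings.append((key, "command", "msconfig-disabled autostart from Temp: " + cmd))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {name}: {reason}")
```

On the constructed sample this reports five findings: the flipped `AntiVirusDisableNotify`, Panda's `DisableMonitoring`, the two Temp-folder entries under `Run`, and the msconfig `startupreg` command. An msconfig-disabled entry is still worth listing because the binary it points at is still on disk; disabling it in msconfig only stops the autostart.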

#14 aerlyn02 (Topic Starter)

Posted 28 December 2006 - 04:02 PM

Okay, for some reason my Windows clock is really messed up now too :/ It is displaying military time and the date 6-12-28 when I hover over the time displayed in the corner, but when I open the time/clock settings and select the current date and year, it still displays 6-12-28 when I hover over it ...

The BHO plugin was not listed in Add/Remove Programs, and not under Program Files either, but I went to c:\program files\bho plugin and found it. I clicked the uninstall and it prompted me to restart my comp, so when it booted up again I navigated to the folder again, but one of the BHOs is still there and I can't delete it... an 'access denied' message is displayed.

Here is the info from the regedit export that I opened in Notepad as you asked...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]


I ran SUPERAntiSpyware and GEEZ! It picked up sooo much stuff that Ad-Aware, the Trend HouseCall online scan and AVG didn't!! 132 items! Now when I go to the BHO Plugin folder under Program Files it's empty! I'm keeping my fingers crossed, but I hope this fixed it! Anyway, here is the statistics log data from the scan...

SUPERAntiSpyware Scan Log
Generated 12/28/2006 at 04:35 PM

Application Version : 3.4.1000

Core Rules Database Version : 3155
Trace Rules Database Version: 1171

Scan type : Complete Scan
Total Scan Time : 00:31:38

Memory items scanned : 499
Memory threats detected : 1
Registry items scanned : 7229
Registry threats detected : 64
File items scanned : 38242
File threats detected : 92

Trojan.BHOPlugin/Terp
C:\WINDOWS\SYSTEM32\TCCPIP.EXE
C:\WINDOWS\SYSTEM32\TCCPIP.EXE
HKLM\System\ControlSet001\Services\TCP and UDP Supp0rt
HKLM\System\ControlSet002\Services\TCP and UDP Supp0rt
HKLM\System\ControlSet003\Services\TCP and UDP Supp0rt
HKLM\System\CurrentControlSet\Services\TCP and UDP Supp0rt
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP_AND_UDP_SUPP0RT\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#Type
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#Start
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt#Description
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Security
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TCP and UDP Supp0rt\Enum#NextInstance
C:\DOCUMENTS AND SETTINGS\CHRISTINE\DESKTOP\HIJACKTHIS\BACKUPS\BACKUP-20061226-103213-810.DLL
C:\DOCUMENTS AND SETTINGS\CHRISTINE\DESKTOP\HIJACKTHIS\BACKUPS\BACKUP-20061226-155446-233.DLL
C:\DOCUMENTS AND SETTINGS\CHRISTINE\DESKTOP\HIJACKTHIS\BACKUPS\BACKUP-20061226-155502-861.DLL
C:\DOCUMENTS AND SETTINGS\CHRISTINE\DESKTOP\HIJACKTHIS\BACKUPS\BACKUP-20061228-034034-821.DLL
C:\DOCUMENTS AND SETTINGS\CHRISTINE\LOCAL SETTINGS\TEMP\UNINSTALL.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN27.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\818L19C7\PLUGIN[1].DLL
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN21.EXE
C:\PROGRAM FILES\BHO PLUGIN\PLUGIN.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028834.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028844.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028848.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028874.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028875.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028953.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028956.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028957.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028958.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032003.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032005.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032006.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP454\A0035197.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP456\A0035255.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP456\A0035256.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP458\A0040564.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP462\A0046998.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP462\A0046999.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP462\A0047017.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP464\A0047072.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP464\A0047073.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP476\A0047690.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP476\A0047691.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP476\A0047697.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP476\A0047698.DLL
C:\WINDOWS\Prefetch\TCCPIP.EXE-08B79B02.pf

Adware.Tracking Cookie
C:\Documents and Settings\Christine\Cookies\christine@count3.exitexchange[1].txt
C:\Documents and Settings\Christine\Cookies\christine@cpvfeed[2].txt
C:\Documents and Settings\Christine\Cookies\christine@count4.exitexchange[1].txt
C:\Documents and Settings\Christine\Cookies\christine@exitexchange[1].txt
C:\Documents and Settings\Christine\Cookies\christine@count1.exitexchange[1].txt
C:\Documents and Settings\Christine\Cookies\christine@www.googleadservices[1].txt
C:\Documents and Settings\Christine\Cookies\christine@atwola[1].txt

Adware.HBHelper
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

Unclassified.Unknown Origin
HKCR\CLSID\{9BB5B49C-0D59-418D-A6A5-F6373B8FEF64}
HKCR\CLSID\{9BB5B49C-0D59-418D-A6A5-F6373B8FEF64}\InProcServer32
HKCR\CLSID\{9BB5B49C-0D59-418D-A6A5-F6373B8FEF64}\InProcServer32#ThreadingModel
C:\DOCUMENTS AND SETTINGS\CHRISTINE\DESKTOP\HIJACKTHIS\BACKUPS\BACKUP-20061226-103214-318.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032021.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP458\A0040550.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP461\A0044744.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP461\A0045770.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP462\A0046997.DLL

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032023.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP453\A0035165.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP458\A0040552.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP462\A0046930.EXE

Adware.FullContext
HKU\.DEFAULT\Software\PadsysAssistant
HKU\S-1-5-19\Software\PadsysAssistant
HKU\S-1-5-20\Software\PadsysAssistant
HKU\S-1-5-18\Software\PadsysAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{04CDB16C-AB38-43CD-A86A-6FEB90290939}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028836.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028841.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028931.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028945.EXE

Adware.IPWins
HKU\S-1-5-21-1979502870-1228876743-413290478-1005\Software\IpWins

Trojan.Downloader-IBM/Shell
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#DeviceDesc

Trojan.BHOPlugin/Terp-Installer
C:\DOCUMENTS AND SETTINGS\CHRISTINE\LOCAL SETTINGS\TEMP\ALKDFJAAVU.EXE

Adware.DeluxeCommunications
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\UA3.TMP

Adware.MSUpdate
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\DESKTOP\21.COM.LNK
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\FAVORITES\21.COM.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028835.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028842.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP452\A0034139.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP468\A0047462.LNK
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\21.COM.LNK

Trojan.Hacktool
C:\RECYCLER\S-1-5-18\DC1\SYSTEM.DLL

Adware.WhenU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP425\A0025246.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP434\A0026345.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP453\A0035176.EXE

Trojan.YourEnhancement
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP446\A0027786.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP447\A0027797.EXE

Trojan.NewDotNet
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP446\A0027787.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028968.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032035.EXE
C:\WINDOWS\NDNUNINSTALL7_48.EXE

Dialer.Dial/Gen Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028819.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028942.EXE

Trojan.NewDotNet-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028830.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032034.DLL

Trojan.Rootkit-FullContext
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028837.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028838.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028946.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028947.SYS

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP449\A0028866.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0028970.EXE

Adware.RAC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP450\A0032097.EXE
C:\WINDOWS\$NTUNINSTALLKB867282$\RAPEKA.EXE

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP453\A0035163.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP453\A0035164.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP458\A0040551.EXE

Adware.Toolbar888
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP458\A0041561.DLL


Logfile of HijackThis v1.99.1
Scan saved at 16:50, on 06-12-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christine\Desktop\hijackthis\doggy.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - (no file)
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] c:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149566395765
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

I also had a question, I have been thinking about whether I should purchase Norton, McAfee or Trend Micro anti-virus/firewall software or not ... are they any better than free scans/firewalls? Are they worth investing in or should I just stick with AVG and ad-aware? It seems like these two have been ineffective in getting rid of my spyware problem so that's what I was thinking of purchasing or getting a copy of norton from a friend or something ... ??

Edited by aerlyn02, 28 December 2006 - 04:53 PM.
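As an added example (not part of this thread and not code from HijackThis itself), here is how a responder could triage lines in the HijackThis format posted above: the parser splits each entry into its section code and fields, flags O2/O3 CLSID registrations whose DLL is reported as "(no file)" (an orphaned registration, which is exactly the kind of entry HijackThis can remove), flags O4 autoruns launched from scratch directories, and lists every O20 Winlogon Notify DLL because those load inside winlogon.exe at logon. The sample lines are copied from the log above; the `SUSPICIOUS_DIRS` heuristic is my own assumption, not a HijackThis rule.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a few representative lines copied from the
# HijackThis v1.99.1 log above (not the whole log).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - (no file)
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\\Program Files\\Canon\\Easy-WebPrint\\Toolband.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [SUPERAntiSpyware] C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

# Section code ("O2", "O20", "R0", ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O2/O3 entries: kind, display name, CLSID and the DLL path (or "(no file)").
CLSID_RE = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 entries: hive, Run key, value name in [brackets], command line.
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 entries: Winlogon Notify subkey name and the DLL it loads.
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Assumed heuristic: autorun locations legitimate software almost never uses;
# the scan log above shows droppers staged under LOCAL SETTINGS\TEMP.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\recycler\\")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into its section code and named fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"section": m.group("section"), "raw": line.strip()}
    for rx in (CLSID_RE, RUN_RE, NOTIFY_RE):
        sub = rx.match(m.group("body"))
        if sub:
            entry.update(sub.groupdict())
            break
    return entry


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the findings a reviewer would look at first."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if e["section"] in ("O2", "O3") and e.get("path") == "(no file)":
            # CLSID still registered, DLL gone: nothing loads, but the
            # registration is leftover malware residue and should be removed.
            findings.append({"reason": "orphaned", "clsid": e["clsid"], "raw": e["raw"]})
        elif e["section"] == "O4" and any(d in e.get("cmd", "").lower() for d in SUSPICIOUS_DIRS):
            findings.append({"reason": "autorun_from_temp", "name": e["name"], "raw": e["raw"]})
        elif e["section"] == "O20" and "path" in e:
            # Winlogon Notify DLLs run inside winlogon.exe; verify each publisher.
            findings.append({"reason": "winlogon_notify", "name": e["name"],
                             "path": e["path"], "raw": e["raw"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["reason"], "-", f["raw"])
```

Running the block on the sample reports the two orphaned CLSIDs and the two Winlogon Notify DLLs and nothing else; the Run entries under Program Files pass the directory heuristic.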


#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:06:57 PM

Posted 28 December 2006 - 05:06 PM

Hello,

Waterfalls asked me to take over this thread since she won't be able to reply for the moment.

You had some very nasty infections present there :thumbsup:
I cannot promise you that we may be able to fix all the damage it already caused though

Anyway, let's fix the clock first (military time)
For that, go to your control panel and choose Date, Time, Language & Region Options > Regional and Language Options (this in normal XP view).
When in classic view, select Regional and Language options.
Under the tab Regional options > standards and formats, from the dropdown list, choose your region > click apply and ok.

Also do next:

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file, select it and click ok:

C:\PROGRAM Files\COMMON Files\fluxDVD\DOWNLOAD..\XEBDLH~1.DLL

Then click the Send File button below.

Please perform next steps in the right order without missing any step!

Then, I see you have Windows Defender running.
The real-time protection may interfere with the fixes, that's why I want you to turn it off.

To turn real-time protection off
Open Windows Defender. (Click Start, click Programs, and then click Windows Defender.)
Click Tools, and then click General Settings.
Under Real-time protection options, Uncheck the Turn on real-time protection (recommended) check box.
Then click Save.

When your hijackthislog is clean again, please turn on the realtime protection again.

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\system32\dsvawvhd.exe
C:\WINDOWS\system32\khfdaay.dll
C:\WINDOWS\system32\fccdbyw.dll
C:\WINDOWS\system32\hgghhef.dll
C:\WINDOWS\system32\fccawxw.dll
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\tccpip.exe
C:\WINDOWS\system32\byxfhicmet.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\fkgaa.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - (no file)
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next folders:

C:\Program Files\VSAdd-in
C:\Program Files\BHO Plugin
C:\VundoFix Backups

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Open notepad and copy and paste the next part, present in the quotebox below, into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ywltp.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\byxfhicmet]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddklk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpgrade]

Save this as fix.reg. Choose to save as *all files and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found, if any, so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply together with a NEW combofix log and a new Hijackthislog.

As a sidenote - to fix your issue with the Windows firewall, we have to make sure there are also no policies set, because I am pretty sure that the malware you are/were dealing with may be responsible for adding related policies as well. So do next:

Open notepad and copy and paste the next bold part from the quotebox into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-


Save this as fixfirewall.reg. Choose to save as *all files and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then,

1. go to start > run and copy and paste next command in the field:

NETSH FIREWALL RESET

Click ok

Wait till the DOS prompt (black window) closes again.
Then look if you can access the firewall settings again.
If this doesn't work, go to step 2.

2. Go to start > run and copy and paste next command in the field:

services.msc

Search in the list for Windows Firewall/Internet Connection Sharing (ICS) <== if this isn't present, go to step 3.

Click "stop" there.
click OK and close the window.

Then go back to your Controlpanel and click: Windows Firewall
You should get an error then.. telling you that the service Windows Firewall/Internet Connection Sharing (ICS) is disabled/stopped and if you want to enable/start it.
Click Yes/ok
So the service should be started again and you will be able to change settings in it.

3. (Only perform this if previous steps failed)
Download this regfix:
http://windowsxp.mvps.org/reg/sharedaccess.reg
Place it on your desktop.
Now doubleclick sharedaccess.reg
Click yes/ok at the prompt.

Then REBOOT!! Important!

After reboot, go to start > run and copy and paste next command in the field:

NETSH FIREWALL RESET

Click ok

Wait till the DOS prompt (black window) closes again.
Then look if you can access the firewall settings again.

Edited, because I see you already replied in the meantime.

Edited by miekiemoes, 28 December 2006 - 05:09 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
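The two .reg files in the post above rely on REGEDIT4 syntax that is easy to misread: a key written as `[-KEY]` deletes the whole key, a value written as `"name"=-` deletes just that value, and regedit refuses a file whose first line is not a recognised header (hence the reminder to keep the REGEDIT4 line). As an added example (not part of this thread, and not a tool from the post), here is a small dry-run parser that turns such a file into a list of operations so you can see what a fix will delete before merging it. Both sample files are copied from the post; the parser itself, its function names and its refusal to accept values after a deleted key are my own assumptions, not regedit's behaviour.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: fix.reg from the post above, REGEDIT4 format.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ywltp.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\byxfhicmet]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddklk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpgrade]
"""

# Constructed sample: fixfirewall.reg from the post above.
FIXFIREWALL_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "[KEY]" selects a key, "[-KEY]" deletes it.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
# '"name"=data' or '@=data' (default value); data "-" means delete the value.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def parse_reg(text: str) -> List[Dict[str, Optional[str]]]:
    """Return the operations a .reg file would perform, without touching the registry."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        # regedit rejects the file outright without this header line.
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    ops: List[Dict[str, Optional[str]]] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group("minus"):
                ops.append({"op": "delete_key", "key": km.group("key"), "name": None, "data": None})
                current = None  # assumption: values after a deleted key are treated as an error
            else:
                current = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            raise ValueError(f"unparseable line: {line}")
        name = "(Default)" if vm.group("name") == "@" else vm.group("name")[1:-1]
        if vm.group("data") == "-":
            ops.append({"op": "delete_value", "key": current, "name": name, "data": None})
        else:
            ops.append({"op": "set_value", "key": current, "name": name, "data": vm.group("data")})
    return ops


def summarize(ops: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count operations by type, a quick sanity check before merging a fix."""
    counts = {"delete_key": 0, "delete_value": 0, "set_value": 0}
    for o in ops:
        counts[o["op"]] += 1
    return counts


if __name__ == "__main__":
    for o in parse_reg(FIX_REG) + parse_reg(FIXFIREWALL_REG):
        print(o["op"], o["key"], o["name"] or "")
    print(summarize(parse_reg(FIX_REG)))
```

For fix.reg the plan is one value deletion (the ShellExecuteHooks CLSID that the SUPERAntiSpyware log attributed to Adware.FullContext) and eight msconfig startup-key deletions; fixfirewall.reg removes only the two EnableFirewall policy values and sets nothing.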



