
Solved New problem - Browsers closing/redirects to spam

Discussion in 'Malware and Virus Removal Archive' started by thierry1, 2009/03/25.

  1. 2009/03/25 - thierry1 (Thread Starter)

    Hi, I've been watching this forum closely for a few days and following the help of moderators, so far to no avail.

    I'm having similar problems to people who are being redirected to spam sites and have browsers closing randomly.

    So far I have run full scans with:

    Super antispyware
    Rogueremover
    Malwarebytes
    Avast
    Norton
    Spybot
    Vundofix

    They've all found different things which I've deleted/quarantined.

    I've also run:

    CC Cleaner
    ATF Cleaner
    N Cleaner

    They are picking up lots of MBs of usage within a short space of time.

    My computer is also slowing down and something is using up my processor speed.

    I've also removed Windows Messenger which I think brought the Malware originally.

    Today I've tried running DDS - however it doesn't launch from my desktop. I've also tried Combofix - again it doesn't launch from my desktop. Both were downloaded OK. On some occasions when I tried to download them from mirrors my browser shut down - this has been happening a lot.

    What I have been able to run is Hijack This and Rootrepeal (I followed somebody else's lead who posted on the forum but who also couldn't run DDS).

    I've posted the results below, Hijack This is first. I hope somebody can help with this so I can get back to surfing normally again. Thank you. I'll be online all day today and look forward to following any instructions.

    Hijack This:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:25:27, on 25/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\WINDOWS\explorer.exe
    C:\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Orange
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [PDService.exe] //~c:\program files\utimaco\safeguard privatedisk\pdservice.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] //~rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup
    O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxccmon.exe] //~c:\program files\lexmark 3300 series\lxccmon.exe
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [uahavosq] C:\wswdfyox.bat
    O4 - HKCU\..\Run: [MSMSGS] //~c:\program files\messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] //~c:\program files\tomtom home 2\homerunner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://myconnect.bbc.co.uk/InternalSite/WhlCompMgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: msldr32 - msldr32.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Addons\Packages\Mobile\Gateway" /DisplayName= "VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

    Rootrepeal:

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/03/25 10:48
    Program Version: Version 1.0.0.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name:
    Image Path:
    Address: 0xF842B000 Size: 98304
    Status: -

    Name:
    Image Path:
    Address: 0x00000000 Size: 0
    Status: -

    Name: 1394BUS.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
    Address: 0xF8606000 Size: 57344
    Status: -

    Name: Aavmker4.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
    Address: 0xF897E000 Size: 19072
    Status: -

    Name: ACPI.sys
    Image Path: ACPI.sys
    Address: 0xF8491000 Size: 187776
    Status: -

    Name: ACPI_HAL
    Image Path: \Driver\ACPI_HAL
    Address: 0x804D7000 Size: 2066048
    Status: -

    Name: ACPIEC.sys
    Image Path: ACPIEC.sys
    Address: 0xF8A02000 Size: 11648
    Status: -

    Name: AegisP.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
    Address: 0xBAEFC000 Size: 15968
    Status: -

    Name: afd.sys
    Image Path: C:\WINDOWS\System32\drivers\afd.sys
    Address: 0xF475D000 Size: 138496
    Status: -

    Name: Apfiltr.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    Address: 0xF78DB000 Size: 91712
    Status: -

    Name: arp1394.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
    Address: 0xF8736000 Size: 60800
    Status: -

    Name: aswFsBlk.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
    Address: 0xF8996000 Size: 32768
    Status: -

    Name: aswMon2.SYS
    Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
    Address: 0xBA90A000 Size: 87296
    Status: -

    Name: aswRdr.SYS
    Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
    Address: 0xB9E02000 Size: 15136
    Status: -

    Name: aswSP.SYS
    Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
    Address: 0xF4527000 Size: 135168
    Status: -

    Name: aswTdi.SYS
    Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
    Address: 0xF86D6000 Size: 41664
    Status: -

    Name: audstub.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
    Address: 0xF8CF1000 Size: 3072
    Status: -

    Name: BATTC.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
    Address: 0xF89FE000 Size: 16384
    Status: -

    Name: Beep.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
    Address: 0xF8B0A000 Size: 4224
    Status: -

    Name: BOOTVID.dll
    Image Path: C:\WINDOWS\system32\BOOTVID.dll
    Address: 0xF89F6000 Size: 12288
    Status: -

    Name: Cdfs.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
    Address: 0xF8756000 Size: 63744
    Status: -

    Name: cdrom.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
    Address: 0xF87E6000 Size: 62976
    Status: -

    Name: CLASSPNP.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    Address: 0xF8656000 Size: 53248
    Status: -

    Name: CmBatt.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    Address: 0xF8ABE000 Size: 13952
    Status: -

    Name: compbatt.sys
    Image Path: compbatt.sys
    Address: 0xF89FA000 Size: 10240
    Status: -

    Name: d347bus.sys
    Image Path: d347bus.sys
    Address: 0xF84BF000 Size: 155136
    Status: -

    Name: d347prt.sys
    Image Path: d347prt.sys
    Address: 0xF8AEC000 Size: 5248
    Status: -

    Name: disk.sys
    Image Path: disk.sys
    Address: 0xF8646000 Size: 36352
    Status: -

    Name: DMICall.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\DMICall.sys
    Address: 0xF8CA6000 Size: 3552
    Status: -

    Name: drmk.sys
    Image Path: C:\WINDOWS\system32\drivers\drmk.sys
    Address: 0xF86A6000 Size: 61440
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF450F000 Size: 98304
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF8B1C000 Size: 8192
    Status: -

    Name: Dxapi.sys
    Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
    Address: 0xF6E5A000 Size: 12288
    Status: -

    Name: dxg.sys
    Image Path: C:\WINDOWS\System32\drivers\dxg.sys
    Address: 0xBF9C3000 Size: 73728
    Status: -

    Name: dxgthk.sys
    Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
    Address: 0xF8CFF000 Size: 4096
    Status: -

    Name: e100b325.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
    Address: 0xF78F2000 Size: 155648
    Status: -

    Name: eeCtrl.sys
    Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    Address: 0xF4548000 Size: 339968
    Status: -

    Name: Fips.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
    Address: 0xF8716000 Size: 44544
    Status: -

    Name: fltmgr.sys
    Image Path: fltmgr.sys
    Address: 0xF83F3000 Size: 129792
    Status: -

    Name: Fs_Rec.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
    Address: 0xF8B08000 Size: 7936
    Status: -

    Name: ftdisk.sys
    Image Path: ftdisk.sys
    Address: 0xF8443000 Size: 125056
    Status: -

    Name: GEARAspiWDM.sys
    Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
    Address: 0xF8AC6000 Size: 9472
    Status: -

    Name: hal.dll
    Image Path: C:\WINDOWS\system32\hal.dll
    Address: 0x806D0000 Size: 131840
    Status: -

    Name: HDAudBus.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    Address: 0xF7C7B000 Size: 163840
    Status: -

    Name: HSF_CNXT.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    Address: 0xF4923000 Size: 716288
    Status: -

    Name: HSF_DPV.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    Address: 0xF49D2000 Size: 1034752
    Status: -

    Name: HSFHWAZL.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    Address: 0xF4ACF000 Size: 178048
    Status: -

    Name: HTTP.sys
    Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
    Address: 0xB9C2D000 Size: 264832
    Status: -

    Name: i8042prt.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    Address: 0xF87C6000 Size: 52480
    Status: -

    Name: imapi.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
    Address: 0xF87D6000 Size: 42112
    Status: -

    Name: intelide.sys
    Image Path: intelide.sys
    Address: 0xF8AEA000 Size: 5504
    Status: -

    Name: intelppm.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
    Address: 0xF87B6000 Size: 36352
    Status: -

    Name: ipnat.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
    Address: 0xF45C3000 Size: 152832
    Status: -

    Name: ipsec.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
    Address: 0xF48C8000 Size: 75264
    Status: -

    Name: isapnp.sys
    Image Path: isapnp.sys
    Address: 0xF85E6000 Size: 37248
    Status: -

    Name: kbdclass.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    Address: 0xF8906000 Size: 24576
    Status: -

    Name: KDCOM.DLL
    Image Path: C:\WINDOWS\system32\KDCOM.DLL
    Address: 0xF8AE6000 Size: 8192
    Status: -

    Name: kmixer.sys
    Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
    Address: 0xB8B61000 Size: 172416
    Status: -

    Name: ks.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
    Address: 0xF78B8000 Size: 143360
    Status: -

    Name: KSecDD.sys
    Image Path: KSecDD.sys
    Address: 0xF83CA000 Size: 92288
    Status: -

    Name: mdmxsdk.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    Address: 0xBA6EA000 Size: 11840
    Status: -

    Name: mnmdd.SYS
    Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
    Address: 0xF8B0C000 Size: 4224
    Status: -

    Name: Modem.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
    Address: 0xF892E000 Size: 30080
    Status: -

    Name: mouclass.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
    Address: 0xF890E000 Size: 23040
    Status: -

    Name: MountMgr.sys
    Image Path: MountMgr.sys
    Address: 0xF8616000 Size: 42368
    Status: -

    Name: mrxdav.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    Address: 0xBA4B8000 Size: 180608
    Status: -

    Name: mrxsmb.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    Address: 0xF4689000 Size: 455296
    Status: -

    Name: Msfs.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
    Address: 0xF8956000 Size: 19072
    Status: -

    Name: msgpc.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
    Address: 0xF8836000 Size: 35072
    Status: -

    Name: mssmbios.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    Address: 0xF8ADE000 Size: 15488
    Status: -

    Name: Mup.sys
    Image Path: Mup.sys
    Address: 0xF82F6000 Size: 105344
    Status: -

    Name: NDIS.sys
    Image Path: NDIS.sys
    Address: 0xF8310000 Size: 182656
    Status: -

    Name: ndistapi.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    Address: 0xF8ACE000 Size: 10112
    Status: -

    Name: ndisuio.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    Address: 0xBAEC0000 Size: 14592
    Status: -

    Name: ndiswan.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    Address: 0xF7859000 Size: 91520
    Status: -

    Name: NDProxy.SYS
    Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
    Address: 0xF8696000 Size: 40576
    Status: -

    Name: netbios.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
    Address: 0xF86F6000 Size: 34688
    Status: -

    Name: netbt.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
    Address: 0xF477F000 Size: 162816
    Status: -

    Name: nic1394.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
    Address: 0xF8686000 Size: 61824
    Status: -

    Name: Npfs.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
    Address: 0xF895E000 Size: 30848
    Status: -

    Name: Ntfs.sys
    Image Path: Ntfs.sys
    Address: 0xF833D000 Size: 574976
    Status: -

    Name: ntkrnlpa.exe
    Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
    Address: 0x804D7000 Size: 2066048
    Status: -

    Name: Null.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
    Address: 0xF8C32000 Size: 2944
    Status: -

    Name: nv4_disp.dll
    Image Path: C:\WINDOWS\System32\nv4_disp.dll
    Address: 0xBF9D5000 Size: 3887104
    Status: -

    Name: nv4_mini.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    Address: 0xF7CB7000 Size: 3192192
    Status: -

    Name: ohci1394.sys
    Image Path: ohci1394.sys
    Address: 0xF85F6000 Size: 61696
    Status: -

    Name: OPRGHDLR.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    Address: 0xF8BAF000 Size: 4096
    Status: -

    Name: PartMgr.sys
    Image Path: PartMgr.sys
    Address: 0xF886E000 Size: 19712
    Status: -

    Name: pci.sys
    Image Path: pci.sys
    Address: 0xF8480000 Size: 68224
    Status: -

    Name: pciide.sys
    Image Path: pciide.sys
    Address: 0xF8BAE000 Size: 3328
    Status: -

    Name: PCIIDEX.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    Address: 0xF8866000 Size: 28672
    Status: -

    Name: pcmcia.sys
    Image Path: pcmcia.sys
    Address: 0xF8462000 Size: 120192
    Status: -

    Name: Pcouffin.sys
    Image Path: C:\WINDOWS\System32\Drivers\Pcouffin.sys
    Address: 0xF8846000 Size: 43840
    Status: -

    Name: PnpManager
    Image Path: \Driver\PnpManager
    Address: 0x804D7000 Size: 2066048
    Status: -

    Name: portcls.sys
    Image Path: C:\WINDOWS\system32\drivers\portcls.sys
    Address: 0xF4AFB000 Size: 147456
    Status: -

    Name: PrivateDiskM.sys
    Image Path: C:\WINDOWS\System32\Drivers\PrivateDiskM.sys
    Address: 0xF8706000 Size: 45568
    Status: -

    Name: psched.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
    Address: 0xF7848000 Size: 69120
    Status: -

    Name: ptilink.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
    Address: 0xF891E000 Size: 17792
    Status: -

    Name: PxHelp20.sys
    Image Path: PxHelp20.sys
    Address: 0xF8666000 Size: 35712
    Status: -

    Name: rasacd.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
    Address: 0xF7FDF000 Size: 8832
    Status: -

    Name: rasl2tp.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    Address: 0xF8806000 Size: 51328
    Status: -

    Name: raspppoe.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    Address: 0xF8816000 Size: 41472
    Status: -

    Name: raspptp.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
    Address: 0xF8826000 Size: 48384
    Status: -

    Name: raspti.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
    Address: 0xF8926000 Size: 16512
    Status: -

    Name: RAW
    Image Path: \FileSystem\RAW
    Address: 0x804D7000 Size: 2066048
    Status: -

    Name: rdbss.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
    Address: 0xF46F9000 Size: 175744
    Status: -

    Name: RDPCDD.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
    Address: 0xF8B0E000 Size: 4224
    Status: -

    Name: redbook.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
    Address: 0xF87F6000 Size: 57600
    Status: -

    Name: RootRepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\RootRepeal.sys
    Address: 0xB8BBC000 Size: 40960
    Status: -

    Name: RtkHDAud.sys
    Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
    Address: 0xF4B1F000 Size: 3289088
    Status: -

    Name: s24trans.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\s24trans.sys
    Address: 0xBAEF0000 Size: 10432
    Status: -

    Name: SASDIFSV.SYS
    Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    Address: 0xF8976000 Size: 24576
    Status: -

    Name: SASENUM.SYS
    Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    Address: 0xF88A6000 Size: 20480
    Status: -

    Name: SASKUTIL.sys
    Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    Address: 0xF4724000 Size: 151552
    Status: -

    Name: SAVRTPEL.SYS
    Image Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
    Address: 0xF4749000 Size: 81920
    Status: -

    Name: SCSIPORT.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
    Address: 0xF8413000 Size: 98304
    Status: -

    Name: secdrv.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
    Address: 0xBA722000 Size: 40960
    Status: -

    Name: sgmabekr.sys
    Image Path: sgmabekr.sys
    Address: 0xF8626000 Size: 60416
    Status: -

    Name: SonyNC.sys
    Image Path: C:\WINDOWS\System32\Drivers\SonyNC.sys
    Address: 0xF88FE000 Size: 20512
    Status: -

    Name: sr.sys
    Image Path: sr.sys
    Address: 0xF83E1000 Size: 73472
    Status: -

    Name: srv.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
    Address: 0xBA376000 Size: 333952
    Status: -

    Name: StarOpen.SYS
    Image Path: C:\WINDOWS\System32\Drivers\StarOpen.SYS
    Address: 0xF896E000 Size: 24576
    Status: -

    Name: swenum.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
    Address: 0xF8B02000 Size: 4352
    Status: -

    Name: SYMDNS.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SYMDNS.SYS
    Address: 0xF8B10000 Size: 5632
    Status: -

    Name: SYMEVENT.SYS
    Image Path: C:\Program Files\Symantec\SYMEVENT.SYS
    Address: 0xF4812000 Size: 118208
    Status: -

    Name: SYMFW.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SYMFW.SYS
    Address: 0xF47E9000 Size: 166080
    Status: -

    Name: SYMIDS.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SYMIDS.SYS
    Address: 0xF8966000 Size: 31168
    Status: -

    Name: symidsco.sys
    Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20090311.001\symidsco.sys
    Address: 0xF47A7000 Size: 270336
    Status: -

    Name: SYMNDIS.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
    Address: 0xF86E6000 Size: 41344
    Status: -

    Name: SYMREDRV.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    Address: 0xF7FCF000 Size: 13056
    Status: -

    Name: SYMTDI.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    Address: 0xF482F000 Size: 260704
    Status: -

    Name: sysaudio.sys
    Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
    Address: 0xBA8B2000 Size: 60800
    Status: -

    Name: tcpip.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
    Address: 0xF486F000 Size: 361600
    Status: -

    Name: TDI.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
    Address: 0xF8916000 Size: 20480
    Status: -

    Name: termdd.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
    Address: 0xF8856000 Size: 40704
    Status: -

    Name: tifmsony.sys
    Image Path: C:\WINDOWS\system32\drivers\tifmsony.sys
    Address: 0xF7C3A000 Size: 118784
    Status: -

    Name: update.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
    Address: 0xF6E6A000 Size: 384768
    Status: -

    Name: USBD.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
    Address: 0xF8B06000 Size: 8192
    Status: -

    Name: usbehci.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
    Address: 0xF88F6000 Size: 30208
    Status: -

    Name: usbhub.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
    Address: 0xF86B6000 Size: 59520
    Status: -

    Name: USBPORT.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
    Address: 0xF7C57000 Size: 147456
    Status: -

    Name: usbuhci.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    Address: 0xF88EE000 Size: 20608
    Status: -

    Name: vga.sys
    Image Path: C:\WINDOWS\System32\drivers\vga.sys
    Address: 0xF894E000 Size: 20992
    Status: -

    Name: VIDEOPRT.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
    Address: 0xF7CA3000 Size: 81920
    Status: -

    Name: VolSnap.sys
    Image Path: VolSnap.sys
    Address: 0xF8636000 Size: 52352
    Status: -

    Name: w29n51.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\w29n51.sys
    Address: 0xF7918000 Size: 3281408
    Status: -

    Name: wanarp.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
    Address: 0xF8726000 Size: 34560
    Status: -

    Name: watchdog.sys
    Image Path: C:\WINDOWS\System32\watchdog.sys
    Address: 0xF8986000 Size: 20480
    Status: -

    Name: wdmaud.sys
    Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
    Address: 0xBA6C5000 Size: 83072
    Status: -

    Name: Win32k
    Image Path: \Driver\Win32k
    Address: 0xBF800000 Size: 1847296
    Status: -

    Name: win32k.sys
    Image Path: C:\WINDOWS\System32\win32k.sys
    Address: 0xBF800000 Size: 1847296
    Status: -

    Name: WMILIB.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
    Address: 0xF8AE8000 Size: 8192
    Status: -

    Name: WMIxWDM
    Image Path: \Driver\WMIxWDM
    Address: 0x804D7000 Size: 2066048
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\config\software.LOG
    Status: Size mismatch (API: 1024, Raw: 16384)

    Path: C:\Documents and Settings\user user\Local Settings\Temp\etilqs_IaVH1fMxOgE165VssD0x
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\MCAE65RVACAU8GF93CA01AIIOCA5ZDOFNCA2SP0D4CAUA6Y0QCAK222NXCA911CY5CABDBQ0QCAQVSYRWCAZ1RA5JCA43GJEQCA18UOD4CA9GDI0ZCAB75JYJCARDZGWJCAUYV5I5CAIGIMBHCA4D8XH7CAQHQPC5CADLRMQE.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\MCAEOJPIMCAVBMMZ1CA062IOXCA9LSNNBCATGNX0RCAA5MVDNCAR6RVBBCAIZNSJGCA5PU0B2CAHP2Z3RCAEEXDJ7CAWLP2IFCATEQ4BDCAFTRGWNCA62IS2OCAFZ5CO1CALHCZP2CA2F41XYCAUKAOYRCABMDC5ZCA3B5FD3.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\MCAGYFP8QCAPZA1RVCA72S859CA3RN40ECACR26YHCALUN35KCAEQJEK2CALLLWNTCAHURONSCAWL6ZM3CA0RZINYCA2NXJ67CAAM54MOCAKDVIUUCAJZG79VCA4EMGFLCAZF6MZYCAN13YU1CABMW90MCA2JGY5FCA80HVRF.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\MCAPNG3ITCA14Y7HYCASOSYE4CANEMREWCA58XZMXCA1EOLHECAQG0SSWCA8JZKRHCAUWLAYVCA0FH80LCADG1W51CA42951ACAXD9P0ICA2I586MCA3D0R9XCAEZXXDECAV0F96SCAIE2BIICA9YAJ88CA1W8QVECAYZEH6X.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\MCAW6U7PSCA2W1CZZCAVN3VBRCA2YC1OLCAQDX4UTCARKYHAACATLTQUXCAHGFODUCAGJSEHMCAEJEHKQCAGBFX1RCAKLE382CAC302FUCAL09P2BCAQBB1DWCAVGFSURCAFM9Z3UCAHUKZ62CAEM22RKCAO034WMCAL9DS0V.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\ZCANVPN8GCAT8KBHTCAGB7QHVCA563U94CAX6KIA6CAVGBACLCA3IUZ21CAX6H6YBCAU2LP03CAU7ODECCAZPV5WYCAFCZCNBCA0VZ08OCABF0J0JCAY0QG25CAF2RAWLCAPQ9S4ACAY0R991CAYPD8NCCAZ3RL9YCA1GZZZC.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\ZCARS4O20CAOBO1UGCA4RR6PUCA1PC9D5CAZ6G15MCAK9T0NVCA99943VCAWMY3R2CAUJ0S31CAOIEP3BCAG5MK3RCA1UP9OGCA85A8MBCA6ZI361CA084WBDCADRGRG9CAFRR0IZCAUH4WI2CARUS10GCAYYS1N6CALWENAV.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\PCA5Y3Q3DCAJLOCZPCA1EPU5OCAZJOPR3CABQIN74CAN0PK9XCAEND9NTCAPBCDSCCA59YFT4CA22O2ODCAG0ZP36CANI0HWRCAS2IG5KCAFA0ZDBCAGWBQ18CAGDXE98CAJ3LLI5CASHZWGCCAHBSS6MCAO2XMATCACKY5WM.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\ZCA48KAUACA8X2RQNCA9C8GI5CAWAPQP1CAND0V2PCAHJTSZOCAKK8YFMCA7SD9E1CAOA93P9CAN503UYCAMBZG9SCA8FXQTJCAE8ETXXCA9HWWWKCAQMWS5ECAAS080KCAPPVJ6CCAYMUGFCCAAF082UCAGKRTEVCAVYTZZL.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\PCAUWF14UCAL4X3TJCA1GRX7PCAYCICECCAZHVDT8CAGY4QOVCAK39EZYCAOCT5CVCAZ0VN3ZCA2LSM0TCAZKRQMECAEIED9ZCADQU21YCANHFXFWCAK9ZCW5CAQ8U2ZVCASRK5R1CAVBZ3E5CACIH25ICAM5POCBCAAACEI0.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\0CA2JBQCPCAPBVGTFCA2R47WMCAVI0NFCCAE927LUCA31BVV9CA4X1A2WCAPA5PJNCAU3SQC6CA19QDI8CA1WF032CAUJZCUICAWIQ5PMCAC8636PCAPJBLKMCA7YCG2RCA2H6X85CAJ34PTYCA9HGOLWCA3W68QRCAAMGCIT.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\0CASL9LF3CAPBFU78CACBXQBKCAN3V1HFCAW4DVBZCA6PP25XCAW77121CACCNOOJCAOGLAMMCAHJ5GZKCA79RYZ6CA5TU733CAPXQLE3CA7HC4XHCAC1VBC8CAVN1YPPCAVY7DLDCA47RYRMCAA0FPIDCA6XZ247CAH2CY89.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\1CAU3ERFGCA22ZWVQCAB5F9AWCAYMID4VCAV6XGH0CAV3JMXLCAAQIAMKCAWCNOCTCAHQHJMNCAST6J6JCAW3RWMFCAG3AHGNCAM5XWW9CA52R4NYCAKUQTF4CAXMWPWCCA2ELQVWCA9FU61FCAETHJGJCAV4Y22JCA61RR5K.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\5CAU904BGCAMY35BGCAVYYQ06CASAWYWSCABIN1MMCAPCJ1DNCA0A31OICAT8AQMQCAA7SX40CAPB2CYVCAB8DKSHCAC6R4HGCA8RWRA7CAGAOZAJCAL3TP1SCARVJO4HCANZD26SCAM2Q9QOCAH3I7ZLCAHBEBN6CA5H2H1I.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\BCA52HUFUCACNB6UXCA746DH2CA2OEJBACAI5X2VUCAFTQ1PNCAO2QUY4CACYANFBCAHES5KPCA2B2H8WCARYU9ZJCABOJ45OCAJMWNM1CA2JE6CBCA2TK8R8CA9OO4V3CAHSM3YUCAC21PQ0CA3I5A4SCA5AEQ7LCA3C3N1V.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\BCA8FTUPVCAKV3B6PCA6V3Y3DCA3A7093CA3NZBWXCAXF1OU7CAI2VEN1CA6C4JSYCAN8QH2GCA83GR25CACVB5YXCARTTPSHCAPP0DYWCAN30BKWCAYUD8ZQCA7XDYR0CANAI9L4CAF1Z3LNCA1KI27FCA1W519FCAG2NSCN.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\TCAJFDST3CARG28EUCAPAU78QCAFHKSQ0CAQFSI18CAMYX1DXCA716AB0CAQRFKLTCAUHQRBHCAN3ESPKCA3E6WYHCAD5EDJPCA4B43B5CAI6G6MWCAR49IL7CA1ZM035CAA9D9G6CAU2IE6CCARU7P6WCAK9JGJ9CADITUFK.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\GCA10QNN7CARGIBB9CAFO7DRZCAAOSSZYCADLC6IECAWEGTFNCA6FIOKZCAY8GVZ4CADYMH8TCAZ1SEAXCAI7HVK6CA4VUX77CAH6ZP42CAHBR09WCARNME5UCAO2WDZCCA1N6ECRCAHLA4LMCAVI888HCA9YV00TCAMX7WM8.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\GCAY1IJU3CA7RZ4H6CA1SX2IGCABGWQA8CADLVXQVCA8611UFCAMSF730CAN53UXNCAM97UNVCA64A09GCA6UED6CCABGZ2C3CA8FPIAGCAY2T3UQCAW6EN2HCAZXP5SXCAVJTNDKCAD02HJZCAL5MRSJCARCE616CAKQNKLS.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\4CAD4W39NCALX1SRMCA9DKRUWCAPDAB89CAP1GG06CA192V4TCA9BTEX5CA2G1ZG4CARKR2QDCAT29I1BCAOQRO0WCA4MW2LQCA3Z8013CAJEV01HCA2MN8BACA6CX88BCA2IPD75CAARIWLKCAWMRQF9CABE5E0ECA5FPM50.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\4CASCY3GLCAKCY59OCAFUY4JACANQ5WK2CAKB385ICAYYUFUZCAQWVRHRCA379Q3WCAO61J4KCAWPSAHBCA0J3NWVCAPJMAECCA4LPMVHCAPAXLJ1CA3MJKUZCA5UYL9UCAN0XMS9CAMKUNKZCANPX95RCA3WE7KCCASUKY65.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\5CA92PMY6CAFAWVPLCAJAX7SPCA6D08TNCAL0KJ7XCA00TQKNCA0Y5FY0CAXUYMMACAZDZU4LCANLCK5TCADCZ0LRCARKB3ENCAUNKE59CAE0NV13CANG9KJPCA3HPE48CADLUW83CAJZ0N84CAVFEG2KCA49CVG2CA8KJKGH.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\5CAOCZYL5CAOKG73WCAA29KE5CAL89FJ0CA4NWGNPCAZZOIC1CA47XWZ4CAV6BRJ1CA2WD485CAIYGFL1CA34MW68CAV15ST0CA5FU276CAAO5FBHCA3O5BMFCAHTDT2LCA7HP295CAX6QHWOCAC41GQ5CA8CKYTICAN01DF3.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\DCA9ATVKCCAAIRBSUCA0KLHCCCAAYS5CICAN1KB14CALJG6TJCA3UVKXECA9YYRNSCA5LKU5VCAVJBFDICASMR2C3CA4FJ12CCA5MMJECCAG6C3YHCA4RDPAHCAZGXSY7CAHPRFNQCA6H6MQUCAY1HCTNCAPXIDM3CAXZQ77Y.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\DCATZ1XACCAIFSU3HCAA1SR2LCA147S86CAL4JWH9CARP0BSXCAYXFTVTCATFNMUYCA5XUQ45CAYAF92RCAFU8UENCASQSONACAGWSI0FCA3E55HKCA8ZZ8P7CAFMCQHECA0SOJP5CA29YMD6CAEONERNCADRXCBUCAU32SVI.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\9CABQZ1CVCAV6VP0SCAT04TFICAYIFIBZCAHS3WTPCAXU5JPWCA7J1QJ0CAB0QE50CA1AG432CAOQO5I1CAC81O8KCASC5355CA4HVOYECAF6LNAXCANOL3DYCAEZAV5DCAZ0PQ2ZCACFSM6CCA6TUV3YCA5VNCRICAD7SHWD.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\9CAIY5ILXCA7K1C9HCAQ9SMIJCALM1X15CAT7HUPUCAJORM2XCADUWN3TCAIOVOM1CAKQPG62CAO38WZ5CA2W8CM2CAH0WR24CAQ5S2G1CAVDX55FCA4Z7CIICACO1W0MCAE5G4U7CABP9JTTCARF7NZQCAY9LJVSCAH7ME1U.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\9CAXXA6DSCA57MN27CAUT1ZZDCAN5VAO9CANO2JHYCAXMKE8SCA3QD7KGCAR5R1C6CACAQLKUCAO52WGECAS7OQRUCA8WGQYOCABCTEXKCAIT70QRCAHFZNIGCA03R5O6CAITVON3CA9BLXTZCAQJ3RXZCAXWIZ24CA1O5QAB.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\OCA0QPAQUCAG1Q10YCACJ8KGTCADUYC8FCA9B4CO3CASV5K8OCAGYBS1RCAI1UFESCA5K9XLUCAJ6325MCA9QZ7ZOCACVKVSJCA84AZANCAEMRUI8CATI52OECAG9Z6NUCA5KNTC9CA2RS4B5CAGO5ZZOCAIQRH0OCAYGJ843.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\QCAGRNX83CAYI3AZJCAYJOUO7CAVI2QPGCAKWP5CBCA8CDQT1CAH93D7YCA86W37HCA1G5WT7CAC13UZOCAEOLM1RCAFTH53QCAJNJFRSCA37H3XFCAZ1957BCA0S5CACCAF7BMPYCA301D1BCA1KY0C4CA7R57YKCA5PO2V4.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\0CAJUQ0UECAY39PG6CA9EQML2CAZXK5BCCAGJGIIDCARMXJ6MCAUWHDNICA8C9GROCAEPNTG3CAS02Z6VCAWD7ANCCAJJTBTFCASOB0O7CACWXO01CA7924KUCAV6BPX9CA8Z60G8CAUWQSH6CA07NV0PCADRCLP7CAZXD3JX.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\0CALUD012CALJ2M6VCAXVQ54ICA76J871CAY9HTBHCAUM2N8KCA77IV0RCAHQYBYHCARUBA3VCA7NS4ZICAE29SPYCA99QG56CA060DVMCADCVPW2CA663DMBCAD1PKCSCAJBTV9JCA0HWHRPCA4O48NQCALP5T4TCAU2U75T.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\0CAMW8H0RCAHY19Y0CAJ4LNTQCA76JX9DCAMDH8R2CA1M69OVCAUZT19GCAKIYYILCAPJWJPOCA4QK5ODCALWR33SCAUNT8UGCAQWL4PKCA9RY3ZGCABZ8VPVCA0LBEAECATMP0LVCA1H465SCA78VCJ8CA3VPAKCCALQ5M2N.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\0CAP16MN1CAW71R43CA0UHZLNCAJ5IS58CAUNGZXTCAPBX3MFCA0XBGNRCAG2IR80CATC7X6QCAA6HG7YCA0VMONMCARMTGVPCAREJ9J1CA1AL00UCA1WV4MRCAH3SRJ0CAJJM9A7CAJBIZK2CASNXPHVCACI4WAACAQ6HLFD.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\ECAR6TE00CA3M9IHACALGRC2DCAE0X5J1CAEFDNYOCA2Y3MJ9CA7WF72QCAU2763FCA9FEUC7CAU5ARHNCA3EW91LCA507RX6CAE7GO5DCAIFAI1LCALFXYBZCABAT3CACAJNHD22CA2O2DOPCA00ACM0CATVK8JOCAJXTWC5.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\ECAY8ORHHCACBHXR8CAJER91VCAOEKQI7CAK1U77QCABYCIW5CAZB0A7NCAHEIWJVCACCBXEHCAIU6GHHCAL1JWOJCARED3OICAMYD131CA3ICZRHCABLF3GRCA4QY1R7CAT2M13ICAM0VQOLCANDWA2HCAT7H34RCATN343R.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\UCA33ZRC3CAPWFHHRCAQKWH7BCA81IU84CAR3MV77CAQLN7OQCAJLWDNOCASNH6UVCATWH38RCA18H1HECATE7FJ4CAQ0ZFUICAQ0VIXWCA0NL3H2CAU6KAJKCAG7O4E2CAQPAY9XCAXI9FKYCASQCNSXCAN4FN9ECA1LM7TK.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9\UCA8PVF8SCA0L8AYZCA449912CAJA4K6GCATDRTOYCA1JGXZMCAA55X6GCA65EVVHCAJC68W7CAS1GK31CA

    Processes
    -------------------
    Path: System
    PID: 4 Status: -

    Path: C:\WINDOWS\system32\spoolsv.exe
    PID: 180 Status: -

    Path: C:\WINDOWS\system32\ctfmon.exe
    PID: 216 Status: -

    Path: C:\WINDOWS\system32\alg.exe
    PID: 316 Status: -

    Path: C:\WINDOWS\explorer.exe
    PID: 444 Status: -

    Path: C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    PID: 464 Status: -

    Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PID: 672 Status: -

    Path: C:\Program Files\Bonjour\mDNSResponder.exe
    PID: 700 Status: -

    Path: C:\PROGRA~1\Sony\SONICS~1\SSAAD.exe
    PID: 760 Status: -

    Path: C:\WINDOWS\system32\smss.exe
    PID: 776 Status: -

    Path: C:\WINDOWS\explorer.exe
    PID: 792 Status: Hidden from the Windows API!

    Path: C:\Program Files\Avast4\aswUpdSv.exe
    PID: 844 Status: -

    Path: C:\WINDOWS\system32\csrss.exe
    PID: 848 Status: -

    Path: C:\WINDOWS\system32\winlogon.exe
    PID: 880 Status: -

    Path: C:\WINDOWS\system32\services.exe
    PID: 924 Status: -

    Path: C:\WINDOWS\system32\lsass.exe
    PID: 936 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1100 Status: -

    Path: C:\iPod\bin\iPodService.exe
    PID: 1156 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1176 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1228 Status: -

    Path: C:\Program Files\Avast4\ashServ.exe
    PID: 1288 Status: -

    Path: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    PID: 1316 Status: -

    Path: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    PID: 1388 Status: -

    Path: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    PID: 1440 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1460 Status: -

    Path: C:\DOCUME~1\RABIND~1\LOCALS~1\Temp\Rar$EX01.469\RootRepeal.exe
    PID: 1532 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1572 Status: -

    Path: C:\Program Files\Messenger\msmsgs.exe
    PID: 1644 Status: -

    Path: C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    PID: 1792 Status: -

    Path: C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
    PID: 1840 Status: -

    Path: C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
    PID: 1864 Status: -

    Path: C:\Program Files\Norton Internet Security\ISSVC.exe
    PID: 1876 Status: -

    Path: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    PID: 1900 Status: -

    Path: C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
    PID: 1920 Status: -

    Path: C:\WINDOWS\system32\nvsvc32.exe
    PID: 2136 Status: -

    Path: C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    PID: 2148 Status: -

    Path: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    PID: 2184 Status: -

    Path: C:\PROGRA~1\Avast4\ashDisp.exe
    PID: 2292 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 2356 Status: -

    Path: C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    PID: 2392 Status: -

    Path: C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
    PID: 2436 Status: -

    Path: C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    PID: 2484 Status: -

    Path: C:\Program Files\Apoint\Apoint.exe
    PID: 2492 Status: -

    Path: C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    PID: 2616 Status: -

    Path: C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    PID: 2692 Status: -

    Path: C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
    PID: 2700 Status: -

    Path: C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    PID: 2756 Status: -

    Path: C:\Program Files\iTunes\iTunesHelper.exe
    PID: 2888 Status: -

    Path: C:\WINDOWS\system32\ico.exe
    PID: 3276 Status: -

    Path: C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    PID: 3300 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 3308 Status: -

    Path: C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    PID: 3320 Status: -

    Path: C:\Program Files\Mozilla Firefox\firefox.exe
    PID: 3336 Status: -

    Path: C:\Program Files\Apoint\ApntEx.exe
    PID: 3684 Status: -

    Path: C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    PID: 3912 Status: -

    Path: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    PID: 3968 Status: -
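
As an added example (it is not part of the thread and not RootRepeal's own code), here is a small Python triage parser for a RootRepeal report like the one above. It reads the report's "Key: value" blocks, keeps every entry whose Status is anything other than "-", and ranks them: a process or driver reported as hidden from the Windows API is the classic rootkit indicator; a size or allocation mismatch between the API and RootRepeal's raw disk read deserves a second look but can be benign on a file that is being written (a registry hive .LOG, a temp database); "Locked to the Windows API!" on hiberfil.sys or the IE cache is expected on a running system. The embedded log excerpt is constructed from entries in the post above, and the severity labels, the EXPECTED_LOCKED list and the function names are the example's own assumptions.

```python
"""Triage parser for a RootRepeal report.

Added example, not part of the thread and not RootRepeal's own code. RootRepeal
prints each section ("Drivers", "Hidden/Locked Files", "Processes") as blocks of
"Key: value" lines separated by blank lines; "Status: -" means the Windows API
and RootRepeal's own raw read agree. Anything else is a discrepancy worth
ranking before acting on it.
"""
import re
from collections import defaultdict

# Constructed excerpt, modelled on entries from the log in the post above.
SAMPLE_LOG = r"""Drivers
-------------------
Name: sr.sys
Image Path: sr.sys
Address: 0xF83E1000 Size: 73472
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF486F000 Size: 361600
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\software.LOG
Status: Size mismatch (API: 1024, Raw: 16384)

Path: C:\Documents and Settings\user user\Local Settings\Temp\etilqs_IaVH1fMxOgE165VssD0x
Status: Allocation size mismatch (API: 32768, Raw: 0)

Processes
-------------------
Path: C:\WINDOWS\explorer.exe
PID: 444 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 792 Status: Hidden from the Windows API!
"""

RULE_LINE = re.compile(r"^-{5,}$")
# "Address: ... Size: ..." and "PID: ... Status: ..." put two fields on one line.
FIELD = re.compile(r"(Name|Image Path|Address|Size|Status|Path|PID):\s*(.*?)(?=\s+(?:Size|Status):|$)")

# Assumed list of files that are always locked on a running XP box; a lock alone proves nothing.
EXPECTED_LOCKED = ("hiberfil.sys", "pagefile.sys", "\\content.ie5\\", "index.dat")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def parse_rootrepeal(text):
    """Return {section name: [entry dict, ...]} for a RootRepeal report."""
    lines = [ln.strip() for ln in text.splitlines()]
    sections = defaultdict(list)
    current, entry = None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_LINE.match(lines[i + 1]):
            # A section header is the line directly above a dashed rule.
            if entry and current:
                sections[current].append(entry)
            entry, current = {}, line
            continue
        if RULE_LINE.match(line):
            continue
        if not line:                        # a blank line closes the current entry
            if entry and current:
                sections[current].append(entry)
            entry = {}
            continue
        for key, value in FIELD.findall(line):
            entry[key] = value.strip()
    if entry and current:
        sections[current].append(entry)
    return dict(sections)


def triage(report):
    """Rank every non-'-' Status; returns (severity, section, item, status) tuples, worst first."""
    findings = []
    for section, entries in report.items():
        for e in entries:
            status = e.get("Status", "-")
            if status == "-":
                continue
            item = e.get("Path") or e.get("Name") or "?"
            if "PID" in e:
                item = f"{item} (PID {e['PID']})"
            if status.startswith("Hidden from the Windows API"):
                # A running process or loaded driver the API cannot see is the classic rootkit sign.
                sev = "HIGH"
            elif status.startswith("Locked to the Windows API") and any(
                    marker in item.lower() for marker in EXPECTED_LOCKED):
                sev = "INFO"
            else:
                # Size/allocation mismatch: API and raw disk disagree. A file that is being
                # written (hive .LOG, temp database) can do this benignly; re-check after a reboot.
                sev = "MEDIUM"
            findings.append((sev, section, item, status))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def bare_path_drivers(report):
    """Drivers listed with a bare file name and no directory.

    Drivers loaded by the boot loader are recorded this way (sr.sys and VolSnap.sys
    in the thread's own log), so this is a list to review, not a verdict.
    """
    return [e["Name"] for e in report.get("Drivers", [])
            if "\\" not in e.get("Image Path", "")]


if __name__ == "__main__":
    report = parse_rootrepeal(SAMPLE_LOG)
    for sev, section, item, status in triage(report):
        print(f"{sev:6} {section:20} {item}: {status}")
    print("bare-path drivers to review:", bare_path_drivers(report))
```

Run it against a saved report (`parse_rootrepeal(open(path).read())`) rather than the sample. The bare-path driver list is deliberately a review list and not a finding, because the thread's own log shows legitimate Windows drivers (sr.sys, VolSnap.sys) with a bare file name too.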
     
  2. 2009/03/26
    Juliet

    Hi and welcome.


    An issue we have to address first:
    You have two antivirus programs (Norton Internet Security and Avast4) on the machine and both are active.
    We have to get this down to one antivirus only. You decide which to keep and which to uninstall.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.

    You may need several replies to post the requested logs, otherwise they might get cut off.



    Open HijackThis, click "Do a system scan only" and checkmark these entries. Then close all other windows and browsers except HijackThis and press "Fix checked".


    O4 - HKLM\..\Run: [uahavosq] C:\wswdfyox.bat
    O20 - Winlogon Notify: msldr32 - msldr32.dll (file missing)






    Let's see if we can get this tool on the computer.

    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below (make sure you include :Processes).
    Code:
    :Processes
    explorer.exe
    :Files
    C:\wswdfyox.bat
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uahavosq"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msldr32]
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.




    NEXT**
    If ComboFix was downloaded to the desktop (important), follow this:
    If you cannot do this in normal mode please boot into safe mode.

    1. Click the Windows 'Start' button > Select 'Run', then copy/paste this into the Run box and click OK (assuming ComboFix.exe is on the desktop as was instructed):

    "%userprofile%\desktop\combofix.exe"

    Follow the prompts.

    If Run from the Start menu has been disabled:
    2. Open Task Manager by pressing the Ctrl, Alt and Del keys at the same time.

    In the menu at the top of the dialog box, click File > New Task (Run...)

    Copy/paste (or type) the following in the Run box and click OK (assuming ComboFix.exe is on the desktop as was instructed):

    "%userprofile%\desktop\combofix.exe"
    Follow the prompts.


    In your next reply post:
    OTMoveIt log
    ComboFix.txt
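
As an added example (not part of the thread, and not HijackThis' or OTMoveIt's own code), the Python below does by program what the post above does by hand: it parses HijackThis O4 and O20 lines and emits an OTMoveIt3 script in the same layout, with the O4 target under :Files and a "name"=- value deletion under :reg, and the O20 Winlogon Notify subkey as a [-key] deletion. The two input lines are the ones quoted in the post; the regular expressions, the hive/key constants and the function names are the example's own, and the O4 branch assumes the command line is a bare path (arguments would need splitting off before it goes under :Files).

```python
"""Turn HijackThis O4/O20 lines into an OTMoveIt3 fix script.

Added example, not part of the thread and not HijackThis' or OTMoveIt's own
code. An O4 Run entry becomes a ":Files" line for its target plus a ":reg"
value deletion; an O20 Winlogon Notify entry becomes a ":reg" key deletion
(HijackThis already reports its DLL as missing, so there is no file to move).
"""
import re

# Constructed input: the two lines the helper asked to have fixed above.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [uahavosq] C:\wswdfyox.bat",
    r"O20 - Winlogon Notify: msldr32 - msldr32.dll (file missing)",
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
NOTIFY_BASE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# O20 - Winlogon Notify: subkey - dll (file missing)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")


def parse_hjt(lines):
    """Return one dict per recognised autostart line; other lines are ignored."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, subkey, name, command = m.groups()
            entries.append({
                "kind": "O4",
                "key": f"{HIVES[hive]}\\{RUN_BASE}\\{subkey}",
                "name": name,
                "target": command,   # assumed to be a bare path; arguments would need splitting off
                "missing": False,
            })
            continue
        m = O20_RE.match(line)
        if m:
            name, dll, missing = m.groups()
            entries.append({
                "kind": "O20",
                "key": f"HKEY_LOCAL_MACHINE\\{NOTIFY_BASE}\\{name}",  # Notify lives under HKLM only
                "name": name,
                "target": dll,
                "missing": missing is not None,
            })
    return entries


def build_otmoveit_script(lines, kill=("explorer.exe",)):
    """Emit the OTMoveIt3 directive list in the layout used in the post above."""
    files, reg = [], []
    for e in parse_hjt(lines):
        if e["kind"] == "O4":
            files.append(e["target"])
            reg.append(f"[{e['key']}]")
            reg.append(f'"{e["name"]}"=-')            # "name"=- deletes a single value
        elif e["kind"] == "O20":
            reg.append(f"[-{e['key']}]")              # [-key] deletes the whole subkey
    script = [":Processes", *kill, ":Files", *files, ":reg", *reg,
              ":Commands", "[Purity]", "[EmptyTemp]", "[Start Explorer]", "[Reboot]"]
    return "\n".join(script)


if __name__ == "__main__":
    print(build_otmoveit_script(HJT_LINES))
```

The value-versus-key distinction matters: the OTMoveIt log later in the thread reports the Run value and the Notify key separately, which is exactly the split the two :reg forms produce.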
     


  4. 2009/03/26
    thierry1

    Hi there, thanks for the help. The first half of this went ok, however the second part - Combofix - is problematic.

    1/ Firstly, as requested, here is the data from OTMoveIt - I rebooted when prompted:

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== FILES ==========
    C:\wswdfyox.bat moved successfully.
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uahavosq not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msldr32\\ not found.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\JETCDC.tmp scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7f8.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03262009_204304

    2/ Combofix.exe is on my desktop but doesn't want to run in either of the ways suggested.

    It shows the green loading bar, appears on the taskbar, gets to the end of loading and closes each time.

    Perhaps I should try to download again? If so, could you provide a link?

    thanks for your help
     
  5. 2009/03/26
    Juliet

    Did you try to run it in safe mode as well?

    Find the Combofix icon, should be on your desktop.
    Right click and select delete.

    Follow the outline I'm supplying below.
    If you feel you would have more success running it in safe mode, then do.




    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, thank you.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  6. 2009/03/26
    thierry1

    Hi Juliet, I tried to run Combofix in safe mode before, sorry for not being clearer.

    My PC is having problems. Worryingly, when loading Safe Mode it stalled and didn't even get to Windows when trying to boot the first time, even though I gave it 15 minutes.

    I re-booted the pc and attempted it again selecting Safe Mode - Networking which loaded Windows ok. I followed the steps to load Combofix but it didn't launch.

    I've now deleted it off my desktop and downloaded it again as suggested - Mirror 1 shut down my browser, Mirror 2 didn't go to the download but Mirror 3 worked. I followed the steps, including renaming, and again tried to launch it via double click, run and ctrl+alt+del. The same thing happens, the loading bar gets to the end and the programme terminates.

    Also, the link to bleepingcomputer shuts down my browser :(
     
  7. 2009/03/26
    Juliet

    Sounds like we're losing here.
    Could you run MBAM after the file deletion and regfix through OTMoveIt?

    Also, check your Private message box.
     
  8. 2009/03/26
    thierry1

    PM'd you, Juliet.

    MBAM I can run - just a quick scan? You lost me when you said regfix through OTMoveIt.
     
  9. 2009/03/26
    Juliet

    I meant after I had you run OTMoveIt to check if you can now run MBAM

    Quick scan will work, yes.
     
  10. 2009/03/26
    Juliet

    Please post your MBAM scan


    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419






    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    In your next reply post:
    Malwarebytes' Anti-Malware log
    Kaspersky log
    New HJT log
     
  11. 2009/03/26
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, I've run full scans with Windows Defender and RMvirut and they showed no problems.

    My results for MBAM are below. I've used ATF Cleaner to clean everything out.

    I will do the Kaspersky scan next and follow it up with a fresh HJT log - to be posted tomorrow morning (GMT)

    thank you

    MBAM:

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 3

    27/03/2009 01:27:07
    mbam-log-2009-03-27 (01-27-07).txt

    Scan type: Quick Scan
    Objects scanned: 69660
    Time elapsed: 6 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  12. 2009/03/26
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I'm surprised MBAM didn't find anything.

    Post the Kaspersky log when you can.



    See if you can run this scan.

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan.
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Click Start
    5. Make sure that the options Remove found threats and Scan unwanted applications are checked
    6. Click Scan
      Wait for the scan to finish
    7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    8. Copy and paste that log as a reply to this topic
     
  13. 2009/03/27
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, Kaspersky took around 4 hours to complete. I've posted the log below - it found nothing.

    I've tried running ESET in IE but I only get a message saying Windows has blocked it because it can't verify the supplier, there's no option to ignore.

    Also posted latest HJT log below

    Kaspersky

    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, March 27, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, March 27, 2009 08:27:18
    Records in database: 1975760
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan statistics:
    Files scanned: 112041
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 02:51:54

    No malware has been detected. The scan area is clean.

    The selected area was scanned.

    HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 15:12:05, on 27/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Orange
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [PDService.exe] //~c:\program files\utimaco\safeguard privatedisk\pdservice.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] //~rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup
    O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxccmon.exe] //~c:\program files\lexmark 3300 series\lxccmon.exe
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MSMSGS] //~c:\program files\messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [TomTomHOME.exe] //~c:\program files\tomtom home 2\homerunner.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://myconnect.bbc.co.uk/InternalSite/WhlCompMgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Addons\Packages\Mobile\Gateway" /DisplayName= "VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
     
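    For reading HJT logs like the one posted above, here is an added triage script (example code written for this page, not the thread's own and not part of HijackThis). It parses the `Oxx - description - path` line format and groups the entries a helper usually checks first: entries whose file is gone ("(no file)" / "(file missing)"), DPF entries with no name or URL, Winsock LSP DLLs HJT does not recognise, services with no vendor string, and autostart entries that run from a Temp folder. The sample log inside is constructed: most lines are copied from the log above, while the `[updater]` O4 entry is invented to exercise the Temp-folder check. The category names and the `TEMP_HINTS` list are my own choices, not anything HijackThis defines.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example, not from the thread or from HijackThis itself. It reads the
"<code> - <description> - <path>" entry lines, skips the header and the
running-process list, and groups the entries worth a second look.
"""
import re
from collections import defaultdict

# Constructed sample log: most lines copied from the HJT log posted above,
# plus one invented O4 entry ([updater]) running from a Temp folder.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 15:12:05, on 27/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user user\Local Settings\Temp\updater.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
"""

# Every HJT entry line starts with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Path fragments (my own list, not from HJT) from which a legitimate
# autostart entry rarely runs on Windows XP.
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\temp")


def parse_entries(log_text):
    """Return (code, body) pairs for each entry line; header lines and the
    running-process list do not match the pattern and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Group entries into review categories (category names are mine)."""
    findings = defaultdict(list)
    for code, body in parse_entries(log_text):
        lower = body.lower()
        if lower.endswith("(no file)") or lower.endswith("(file missing)"):
            # Registry still points at a file that no longer exists.
            findings["orphaned"].append((code, body))
        elif code == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program File (ActiveX) entry with no name or URL.
            findings["dpf_no_name"].append((code, body))
        elif code == "O10":
            # Winsock LSP DLL that HJT's built-in list does not know.
            findings["winsock_lsp"].append((code, body))
        elif code == "O23" and " - unknown owner - " in lower:
            # Service binary carries no vendor string in its version info.
            findings["service_unknown_owner"].append((code, body))
        elif code == "O4" and any(h in lower for h in TEMP_HINTS):
            # Autostart entry whose executable lives under a Temp folder.
            findings["autostart_from_temp"].append((code, body))
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category} ({len(items)})")
        for code, body in items:
            print(f"  {code} - {body}")
```

    The flags are starting points, not verdicts: an orphaned entry is usually a leftover from uninstalled software, "Unknown owner" only means the service binary has no vendor string, and the LSP DLL here belongs to Apple's Bonjour service that also appears under O23. The value is in pulling the handful of entries worth a second look out of a 150-line log.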
  14. 2009/03/27
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    That's usually from a security setting in IE or a Firewall block.


    Let's see if we can run this scan in safe mode, should be less interference.

    Print out these instructions or save to notepad/word while in safe mode.





    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    • http://www.pchell.com/support/safemode.shtml
    Scan with DrWeb-CureIt as follows:

    * Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    * Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.

    * Once the short scan has finished, Click Options > Change settings
    * Choose the "Scan" tab and UNcheck "Heuristic analysis"

    * Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
    * Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.

    * When done, a message will be displayed at the bottom advising if any viruses were found.
    * Click "Yes to all" if it asks if you want to cure/move the file.

    * When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

    * Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    * Save the DrWeb.csv report to your desktop.
    * Exit Dr.Web Cureit when done.

    * Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    * After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


    In your next reply post:
    DrWeb.csv report
    New HJT log


    Also please give me an update on how the computer is now.
     
  15. 2009/03/27
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, I did as instructed and have just completed the Dr Web scan in safe mode - it picked up some interesting things, including a Trojan. The full log is below along with a fresh HJT log. Thank you

    Dr Web

    Combo1.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\user user\Desktop\Combo1.exe/data002;Program.PsExec.171;;
    data002;C:\Documents and Settings\user user\Desktop;Archive contains infected objects;;
    Combo1.exe;C:\Documents and Settings\user user\Desktop;Container contains infected objects;Moved.;
    SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\user user\Desktop\Virus killers\SmitfraudFix.exe;Tool.Prockill;;
    SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\user user\Desktop\Virus killers\SmitfraudFix.exe;Tool.ShutDown.14;;
    SmitfraudFix.exe;C:\Documents and Settings\user user\Desktop\Virus killers;Archive contains infected objects;Moved.;
    Process.exe;C:\Documents and Settings\user user\Desktop\Virus killers\SmitfraudFix;Tool.Prockill;Moved.;
    restart.exe;C:\Documents and Settings\user user\Desktop\Virus killers\SmitfraudFix;Tool.ShutDown.14;Moved.;
    Process.exe;C:\MGtools;Tool.Prockill;Moved.;
    OrangeFirefox.exe\data005;C:\Program Files\Orange\setup\OrangeFirefox.exe;Tool.Prockill;;
    OrangeFirefox.exe;C:\Program Files\Orange\setup;Archive contains infected objects;Moved.;
    A0039650.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039651.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039652.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.InstaFinder;Moved.;
    A0039653.DLL;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.IESearch;Moved.;
    A0039654.EXE;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.BetterInternet;Moved.;
    A0039655.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039656.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039657.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039658.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Winad.144;Moved.;
    A0039659.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039660.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039661.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039662.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039663.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039664.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039665.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039666.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039667.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039668.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039669.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039670.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039671.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039672.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Trojan.Isbar.387;Deleted.;
    A0039673.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039674.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.nCase;Moved.;
    A0039675.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039676.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039677.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039678.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Trojan.Isbar.386;Incurable.Moved.;
    A0039679.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039680.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039681.dll;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.Altnet;Moved.;
    A0039682.EXE;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP565;Adware.BetterInternet;Moved.;
    A0040631.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP570\A0040631.exe/data002;Program.PsExec.171;;
    data002;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP570;Archive contains infected objects;;
    A0040631.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP570;Container contains infected objects;Moved.;
    A0041820.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572\A0041820.exe/data002;Program.PsExec.171;;
    data002;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572;Archive contains infected objects;;
    A0041820.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572;Container contains infected objects;Moved.;
    A0041821.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572\A0041821.exe;Tool.Prockill;;
    A0041821.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572\A0041821.exe;Tool.ShutDown.14;;
    A0041821.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572;Archive contains infected objects;Moved.;
    A0041822.exe\data005;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572\A0041822.exe;Tool.Prockill;;
    A0041822.exe;C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP572;Archive contains infected objects;Moved.;

    HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 23:42:21, on 27/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\iPod\bin\iPodService.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Orange
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [PDService.exe] //~c:\program files\utimaco\safeguard privatedisk\pdservice.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] //~rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup
    O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxccmon.exe] //~c:\program files\lexmark 3300 series\lxccmon.exe
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MSMSGS] //~c:\program files\messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [TomTomHOME.exe] //~c:\program files\tomtom home 2\homerunner.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://myconnect.bbc.co.uk/InternalSite/WhlCompMgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Addons\Packages\Mobile\Gateway" /DisplayName= "VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
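
    The HijackThis log above is being read by hand in this thread. As an added example (not part of the original post and not HijackThis code), the Python below parses lines in that R/F/O entry format and flags the things a helper scans for first: entries whose target file is gone ("(no file)" / "(file missing)"), Run values with no path that get resolved through the search path (the ICO.EXE line in the posted log), Run values launching from a user-writable temp folder, a Winsock LSP HJT could not identify, and services with no publisher. A flag means "look at this", not "malicious": several hits in the posted log are ordinary leftovers (the uninstalled Google Toolbar, the Apple Bonjour LSP). The sample input is constructed; the updater.exe Run entry is made up to exercise the temp-folder rule and does not come from the thread.

```python
import re

# Constructed sample in HijackThis v1.99.1 format. Most lines mirror entries in
# the posted log; the O4 "updater" line pointing into a Temp folder is made up to
# illustrate a classic persistence location and is not from the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
"""

# "R0 - ...", "F2 - ...", "O23 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# O4 body: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\]\s*(.*)$")
# Folders an ordinary installer does not use for a startup binary.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\recycler\\")


def parse_entries(log_text):
    """Return (code, body) pairs for every HJT entry line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def run_target(body):
    """For an O4 Run-key body, return the command after the [name] tag, else None."""
    m = RUN_RE.match(body)
    return m.group(1).strip() if m else None


def triage(log_text):
    """Map each flagged entry ("code - body") to the reasons it deserves a second look."""
    findings = {}
    for code, body in parse_entries(log_text):
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned entry: target file is missing")
        if code == "O10":
            reasons.append("Winsock LSP that HJT does not recognise")
        if code == "O16" and body.endswith("-"):
            reasons.append("downloaded ActiveX object with no source URL")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher")
        if code == "O4":
            target = run_target(body)
            if target is not None:
                exe = target.strip('"').lower()
                if "\\" not in exe:
                    reasons.append("Run entry with unqualified path (resolved via search path)")
                elif any(d in exe for d in SUSPICIOUS_DIRS):
                    reasons.append("Run entry launching from a user-writable temp/data folder")
        if reasons:
            findings[f"{code} - {body}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

    Run it against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`. Entries with a full path under Program Files or WINDOWS and a named publisher (the ctfmon and Bonjour service lines) pass silently; everything else is listed with the rule that caught it so the helper can decide.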
     
  16. 2009/03/27
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    I should add that all the Dr Web files have been moved - I think you said that means they're quarantined.

    The computer is still behaving as it was before - internet pages searched for in search engines are re-directing to spam sites and performance of the CPU is slow, so there seems to be no change, yet.

    Thanks, I look forward to your reply
     
    Last edited: 2009/03/27
  17. 2009/03/28
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    A couple of things I would like for you to try.

    # Control Panel | Internet Options | General tab
    # Click the "Delete Files" button

    When prompted place a check in: "Delete all offline content", click OK.
    if you are using IE7 click Delete Browsing History




    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. (Make sure you include :Processes)
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • - Close ALL open windows (especially Internet Explorer!)-
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.




    Next** go Start, Run and type cmd and hit OK
    now type:
    ipconfig /flushdns
    (note that a space between ipconfig and / is needed)
    then hit Enter, type exit and hit Enter again.





    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.



    NEXT**
    Download worksnow from HERE:

    * IMPORTANT !!! Save worksnow to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note:
      If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

    • Double click on worksnow & follow the prompts.

      Note: worksnow will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    "copy/paste" a new HijackThis log file into this thread as well.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Give it at least 20-30 minutes to finish if needed.


    In your next reply post:
    OTMoveIt log
    GooredLog.txt
    C:\ComboFix.txt
     
  18. 2009/03/29
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, I followed your instructions but had a few problems:

    1/ Deleted internet files Ok
    2/ Ran OTMoveit Ok, a log is below.
    3/ Ran CMD but it didn't do anything except refresh the desktop so there was nowhere to type ipconfig /flushdns
    4/ Ran Gooredfix Ok - a log is below
    5/ Worksnow - I disabled Norton and downloaded it from the mirror Ok. The first time I ran it a blue box appeared then another box asking for an update which I clicked Ok. It then said it would re-start when the update was downloaded. It failed to re-start. Now, like Combofix earlier it goes through the green loading bar and terminates.

    OT Moveit log

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== FILES ==========
    File/Folder C:\Documents and Settings\user user\Local Settings\Temp\Temporary Internet Files\Content.IE5\3U7AXTC9 not found.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\JETA246.tmp scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_164.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03292009_115644

    Files moved on Reboot...
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
    File C:\WINDOWS\temp\JETA246.tmp not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_164.dat not found!

    Goored log

    GooredFix v1.92 by jpshortstuff
    Log created at 12:07 on 29/03/2009 running Option #1 (user user)
    Firefox version 3.0.8 (en-GB)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"
     
  19. 2009/03/29
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Download VArestorepolicies
    Right-click and select: Extract all…
    Open the VArestorepolicies folder, right-click the file VArestorepolicies, and select: Install

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT**
    1. Please download Dial-A-Fix from one of the following mirrors:
    2. Extract the zip file to your desktop.
    3. Double click Dial-a-Fix.exe to start the program.
    4. Press the green double checkmark box (Looks like this: [IMG])
    5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
      [IMG]
    6. When the window looks like this, press the GO button in the bottom of the window.
      [IMG]
    7. Exit/Close Dial-A-Fix


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    NEXT**

    http://www.funkytoad.com/index.php?option=...=13&Itemid=

    * Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    * Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
    * Click "Make Hosts Writable?" in the upper corner (If available).

    * Next Click Restore Microsoft's Hosts files and then click OK.
    * Click the X to exit the program.
    * Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Tutorial, go here:
    http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    NEXT** download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked.

      Uncheck the following ...


      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries


    Post:
    ark.txt
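
    The HostsXpert step above overwrites the hosts file with the Microsoft default (a single `127.0.0.1 localhost` line), which is why the note warns that custom entries are lost. It is worth knowing what was in the file before resetting it, because hosts hijacks are one of the ways the search-engine redirects described in this thread are produced: a search or vendor name is mapped either to a remote address (redirect) or to loopback/0.0.0.0 so updates and scanners fail (sinkhole). As an added example (not part of the original post and not HostsXpert code), the Python below reads hosts-file text and reports every entry that is not the default. The sample file is constructed: the hijack lines are made up for illustration and 198.51.100.23 is an IETF documentation address, not a real host. Note that a deliberately installed ad-blocking hosts list will also show up as "sinkholed" entries, which is the custom case the post mentions.

```python
import ipaddress

# Constructed sample: the one line a default Microsoft hosts file carries,
# followed by three made-up hijack entries of the kinds malware adds.
# 198.51.100.0/24 is an IETF documentation range, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
198.51.100.23   www.google.co.uk google.co.uk
127.0.0.1       www.symantec.com
0.0.0.0         liveupdate.symantecliveupdate.com
"""

# Names that legitimately live at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Checked explicitly rather than via ip.is_private, which also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a valid address; not a hosts entry
        for name in fields[1:]:                # one address may carry several names
            pairs.append((ip, name.lower()))
    return pairs


def classify(ip, name):
    """Return a verdict string for one hosts entry, or None if it is unremarkable."""
    if name in LOCAL_NAMES:
        return None if ip.is_loopback else "localhost pointed away from loopback"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkholed: name resolves to loopback/0.0.0.0 (site blocked)"
    if ip.is_link_local or any(ip in net for net in RFC1918):
        return "redirected to a LAN address"
    return "redirected to a remote address"


def audit_hosts(text):
    """List every hosts entry that deserves a look as (name, ip, verdict)."""
    findings = []
    for ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict is not None:
            findings.append((name, str(ip), verdict))
    return findings


if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<40} {verdict}")
```

    On Windows XP the file to feed in is `C:\WINDOWS\system32\drivers\etc\hosts`; an empty result means the file already matches the default and the HostsXpert reset changes nothing. Any "redirected to a remote address" line against a search engine or security vendor is exactly the pattern behind the redirects in this thread and should be saved for the helper before the file is replaced.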
     
  20. 2009/03/29
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, sorry I don't follow your first step with VA.

    I downloaded it to my desktop as a zip file. What do I need to extract and to where?

    The ZIP seems to contain a single VArestorepolicies.inf, how do I install that?

    thanks
     
  21. 2009/03/29
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    If it's on desktop
    Right click on the Zip file and then select .....Extract all (If it asks for a location to extract to select desktop also)
    You should then see a folder VArestorepolicies
    Right-click the file VArestorepolicies.inf and select: Install



    Did this work?

    If not continue with the rest of the fix.
     