
Help needed with HJT log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2006/06/13.

  1. 2006/06/13
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I'm helping a friend with his son's laptop, trying to clean it up. I think I have most of the bad stuff off, at least I am getting clean runs of Spybot and Adaware now, and AVG scanned clean as well. However, AVG keeps popping up a message about a Trojan Downloader virus and points to 2 files: c:\windows\system32\system32ssec.exe and c:\windows\system32\ssec.exe. Whenever I look for these files they are not there, so I'm not sure why the pop-up is occurring. Also, when the laptop starts up, Windows Explorer starts up pointing to the windows\system32 folder. I'm posting the HJT log in hopes someone can find something in it that may be causing these problems, or any leftovers from the cleanup that's been done so far.
    Logfile of HijackThis v1.99.1
    Scan saved at 7:07:52 PM, on 6/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1148786350\ee\AOLSoftware.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\mptft.exe
    C:\WINDOWS\system32\tfthot.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\tmp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
    O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
    O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148786350\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
    O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Addons\Packages\Mobile\Gateway" /DisplayName= "VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    O23 - Service: Microsoft Performance WMI Add-On (WMIPAdd-On) - Unknown owner - C:\WINDOWS\wmiapv.exe (file missing)
     
  2. 2006/06/13
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Hi BillB

    A few leftovers in the HJT log - we will endeavour to clean those up first .....

    Please download the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Once installed please update it by clicking on the Update button. Do not run it yet.

    Download Killbox to your desktop - do not attempt to run it yet.

    Boot into Safe Mode and log onto your usual account.
    Run Ewido ....

    Click on Scanner and select a 'Complete System Scan'.
    If anything is found during scanning you will be prompted to clean the files.
    Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" and then click on OK

    Once the scan has completed save the report to a known location.

    Stay in Safe Mode and scan again with HJT. Place a checkmark against these entries if still present and click on Fix Selected....

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
    O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
    O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe "

    Stay in Safe Mode and run KillBox and select Delete on Reboot

    Copy this list of file locations to your clipboard ....

    C:\WINDOWS\system32\tfthot.exe
    C:\WINDOWS\system32\x3cqp0.dll
    C:\WINDOWS\cfg32r.dll
    C:\WINDOWS\system32\mptft.exe
    C:\WINDOWS\system32\ssn6tuu.exe

    Go to File > Paste from clipboard and Click All Files

    Press the button with a red circle with an X in it, then Yes when prompted to restart your computer.

    Scan again with HJT in normal mode and post the Ewido and final HJT logs here.

    IMO - a lot of the problems probably arose from here ....

    C:\Program Files\LimeWire\LimeWire.exe
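As an added example (not part of the thread, and not HijackThis's own code), the script below parses the HJT 1.99.x log format posted above and applies the same kind of checks PeteC made by eye: IE search/start-page entries pointing at a host that is not on a per-machine allowlist, BHOs and toolbars whose file is gone or that live outside Program Files, HKLM Run entries whose value name has nothing to do with the system32 executable they launch (or that carry an odd trailing space inside the quotes), services with an unknown owner and a missing image, and, by cross-referencing the two halves of the log, running processes that no O4 or O23 line starts. That last check is how tfthot.exe stands out: it is in the process list but has no launch point, and it is on the Killbox list above. The allowlist, the heuristics and the category names are this example's own assumptions; SAMPLE_LOG is a constructed subset of the first log in the thread.

```python
"""Triage a HijackThis 1.99.x log.  Added example for this thread, not part of
the original posts and not HijackThis code.  The heuristics are this example's
own, KNOWN_GOOD_HOSTS is an assumed per-machine allowlist, and SAMPLE_LOG is a
constructed subset of the thread's first log."""
import re
from collections import defaultdict

KNOWN_GOOD_HOSTS = {"www.sony.com", "www.microsoft.com", "www.google.com"}

# Processes that have no Run/Service launch point in an HJT log by design.
# hijackthis.exe is included because the scanner itself is started by hand.
CORE_WINDOWS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                "wuauclt.exe", "hijackthis.exe"}

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\tfthot.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\tmp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe "
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Microsoft Performance WMI Add-On (WMIPAdd-On) - Unknown owner - C:\WINDOWS\wmiapv.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr)', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
VALUE_RE = re.compile(r"\[(?P<name>[^\]]+)\]")   # the [name] of a Run value


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text):
    """Return (running processes, [(kind, body), ...]) from an HJT log."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = LINE_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("kind"), m.group("body")))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def first_path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else ""


def triage(log_text):
    """Map finding category -> list of log lines worth a human's attention."""
    processes, entries = parse(log_text)
    findings = defaultdict(list)
    launch_points = set()          # basenames some O4/O23 entry starts
    for kind, body in entries:
        path = first_path(body)
        if kind in ("O4", "O23") and path:
            launch_points.add(basename(path))
        if kind in ("R0", "R1"):
            m = URL_RE.search(body)
            if m and m.group(1).lower() not in KNOWN_GOOD_HOSTS:
                findings["browser_hijack"].append(body)
        elif kind in ("O2", "O3"):
            if "(no file)" in body or "(file missing)" in body:
                findings["orphan_clsid"].append(body)
            elif path and "program files" not in path.lower():
                findings["bho_outside_program_files"].append(body)
        elif kind == "O4":
            m = VALUE_RE.search(body)
            name = m.group("name").lower() if m else ""
            stem = basename(path).rsplit(".", 1)[0]
            if re.search(r'\s"$', body):          # trailing space inside quotes
                findings["odd_run_value"].append(body)
            elif "\\system32\\" in path.lower() and stem not in name and name not in stem:
                findings["unrelated_system32_autorun"].append(body)
        elif kind == "O23":
            if "Unknown owner" in body and "(file missing)" in body:
                findings["dead_service"].append(body)
    # Cross-check: a running process that nothing in the log starts.
    for proc in processes:
        name = basename(proc)
        if name not in launch_points and name not in CORE_WINDOWS:
            findings["process_without_launch_point"].append(proc)
    return dict(findings)


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_LOG).items():
        print(category)
        for line in lines:
            print("   ", line)
```

The output is a candidate list, not a verdict. Run against the full first log, the dead-service check would also list the three Sony VAIO Media services, which are leftovers of uninstalled Sony software rather than malware and are not in PeteC's fix list; the value-name test is what keeps the Intel igfxtray/hkcmd/igfxpers entries out while still catching [ftexc] starting mptft.exe.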
     


  4. 2006/06/13
    BillB
    Hi Pete,

    Thanks for the quick reply. I've printed your instructions and will follow the procedures tonight. I'll post back with the results when complete.

    I recommended uninstalling Limewire and was told to go ahead so I'll be doing that tonight also.
     
  5. 2006/06/13
    BillB
    Pete,

    I followed your instructions, here's the new HJT log and the report from Ewido. I have also uninstalled Limewire. Things are already looking better, the AVG virus warnings are gone and the Windows Explorer pop-up at startup is gone also.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:15:01 PM, on 6/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1148786350\ee\AOLSoftware.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\tmp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
    O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148786350\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot= "SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt= "\Addons\Packages\Mobile\Gateway" /DisplayName= "VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    O23 - Service: Microsoft Performance WMI Add-On (WMIPAdd-On) - Unknown owner - C:\WINDOWS\wmiapv.exe (file missing)
     
  6. 2006/06/13
    BillB
    Sorry Pete, the reply was too long to include both logs in one, here's the Ewido log:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 5:51:41 PM, 6/13/2006
    + Report-Checksum: A448D83E

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA} -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-917211746-3861599203-1638188101-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA} -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA} -> Trojan.Small : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RAK3D56P\gkyukar[1].cab/ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RAK3D56P\gkyukar[1].cab/nr1rnqm8.exe -> Adware.Suggestor : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RAK3D56P\gkyukar[1].cab/mptft.exe -> Adware.SearchAssistant : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\526_6200.exe -> Dropper.Mudrop.bq : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\526_620[10.exe -> Dropper.Mudrop.bq : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0000061.dll -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0000091.exe -> Downloader.Adload.bv : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0000146.exe -> Adware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0000147.exe -> Adware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0000151.exe -> Downloader.Adload.bv : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001144.com -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001145.exe -> Downloader.Adload.bv : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001161.exe -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001162.exe -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001163.exe -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001164.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001165.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001166.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001174.exe -> Adware.WebHancer : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001177.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001187.com -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001202.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001203.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001204.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001205.exe -> Downloader.Adload.bv : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001206.dll -> Adware.WebHancer : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001207.dll -> Adware.WebHancer : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001208.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001227.exe -> Adware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001228.exe -> Adware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001229.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001230.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001231.exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001233.exe -> Downloader.Adload.bx : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001235.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001236.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001237.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001238.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001239.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001311.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001321.exe -> Dropper.Mudrop.bq : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001324.exe -> Downloader.Small : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\A0001325.exe -> Downloader.Small : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\defender25[1].exe -> Downloader.Adload.bx : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\drsmartload45a[1].exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\drsmartload46a[1].exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\drsmartload849a[1].exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\drsmartload[1].exe -> Downloader.Adload.bv : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\icont.exe -> Adware.AdURL : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\open[1].exe -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\services.com -> Downloader.Adload.bo : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\ssn6tuu0.exe -> Adware.Suggestor : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\svchostsys.exe -> Downloader.Small : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\svchostupdate.exe -> Downloader.Small : Cleaned with backup
    C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\ZIGID003[1].exe -> Adware.ZenoSearch : Cleaned with backup
    C:\RECYCLER\S-1-5-21-917211746-3861599203-1638188101-500\Dc1.exe -> Adware.SearchAssistant : Cleaned with backup
    C:\RECYCLER\S-1-5-21-917211746-3861599203-1638188101-500\Dc5.exe -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\npxltiul.exe -> Adware.BookedSpace : Cleaned with backup
    C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld19D0.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld316F.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld6600.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld79B0.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld7C50.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld7DB7.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld7F6D.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld8059.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld8078.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld8088.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld80A7.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld80C6.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ldBE98.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ldBEE6.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ldBF05.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ldBF15.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ldBF44.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ldC3EF.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup
    C:\WINDOWS\system32\hp100.tmp -> Downloader.Zlob.re : Cleaned with backup
    C:\WINDOWS\system32\mptft.exe -> Adware.SearchAssistant : Cleaned with backup
    C:\WINDOWS\system32\nr1rnqm8.exe -> Adware.Suggestor : Cleaned with backup
    C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup
    C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup
    C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup


    ::Report End
     
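The quarantine report above lists every item in a fixed "path -> detection : action" layout. As an added example (it is not part of the original thread and not code from the scanner), here is a small Python parser that tallies detections by family and flags the naming patterns that stand out in the list: a file sitting directly in C:\WINDOWS whose name begins with "system32" (the backslash dropped from the intended path), executables left in the Recycle Bin, .tmp files dropped under system32, and names that imitate core Windows binaries (svchostsys.exe, services.com). The sample lines are constructed from a few of the entries above, and the heuristics are my own assumptions about what is worth a second look, not rules from any product.

```python
import re
from collections import Counter

# Constructed sample in the "path -> detection : action" layout of the report
# above; only a handful of the real entries are reproduced here.
SAMPLE_REPORT = r"""
C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\svchostsys.exe -> Downloader.Small : Cleaned with backup
C:\Documents and Settings\MIke Crosby\DoctorWeb\Quarantine\services.com -> Downloader.Adload.bo : Cleaned with backup
C:\RECYCLER\S-1-5-21-917211746-3861599203-1638188101-500\Dc1.exe -> Adware.SearchAssistant : Cleaned with backup
C:\WINDOWS\system32\1024\ld19D0.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup

::Report End
"""

# One report line: <path> -> <detection name> : <action taken>
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")

# Core Windows binaries whose names malware likes to borrow (assumed list).
SYSTEM_STEMS = ("svchost", "services", "lsass", "winlogon", "smss", "csrss", "explorer")


def parse_report(text):
    """Return a list of {path, detection, action} dicts, skipping blanks and '::' markers."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # tolerate any stray non-report line
        entries.append({
            "path": m.group("path"),
            "detection": m.group("detection").strip(),
            "action": m.group("action").strip(),
        })
    return entries


def count_by_family(entries):
    """Tally by the leading component of the detection name (Adware, Trojan, Downloader...)."""
    return Counter(e["detection"].split(".", 1)[0] for e in entries)


def suspicious_paths(entries):
    """Return (path, reason) pairs for naming patterns that deserve a manual look.

    The checks are heuristics chosen for this report, not scanner logic.
    """
    flagged = []
    for e in entries:
        path = e["path"]
        low = path.lower()
        directory, _, name = path.rpartition("\\")
        lname = name.lower()
        stem = lname.rsplit(".", 1)[0]

        if directory.lower() == "c:\\windows" and lname.startswith("system32"):
            flagged.append((path, "system32 glued onto the file name: backslash dropped from intended path"))
        elif "\\recycler\\" in low and lname.endswith(".exe"):
            flagged.append((path, "executable left in the Recycle Bin"))
        elif lname.endswith(".tmp") and "\\windows\\system32\\" in low:
            flagged.append((path, ".tmp dropped under system32"))
        else:
            for sys_stem in SYSTEM_STEMS:
                canonical = sys_stem + ".exe"
                if stem.startswith(sys_stem) and lname != canonical:
                    flagged.append((path, "mimics system binary " + canonical))
                    break
    return flagged


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("entries:", len(found))
    for family, n in count_by_family(found).most_common():
        print(f"  {family}: {n}")
    for path, reason in suspicious_paths(found):
        print(f"  {reason}: {path}")
```

Running it over a full report rather than the sample gives a quick picture of how much was adware versus downloaders/trojans, and the flagged list is where to start when a scanner keeps naming a file that no longer exists: a "system32xxx.exe" entry directly in C:\WINDOWS is the typical leftover of a dropper that built its path without a separator.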
  7. 2006/06/14
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
  8. 2006/06/14
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Pete,

    It looks like the machine is running fine again. At least all the problems I saw are gone now.

    I put Spybot, Adaware, Spyware Blaster and AVG on the machine; he didn't have anything of the sort before that. Getting him to keep them updated and do scans is another matter. I am going to suggest ZoneAlarm also for further protection.

    Thanks for the help, I really appreciate it.
     