January 2nd, 2006 22:00

Help please, HijackThis log included

My problem began with winfixer, and now it has grown to include the Morwill/Lycos/Incest redirections as well as constant pop-ups, such as PartyPoker (even when I'm not doing anything). The winfixer problem appears to have gone away, but it's probably still lurking somewhere on my computer. I tried running Spybot, Ad-Aware, etc., but either they didn't detect the problems or detected them but couldn't remove them. Here is my HijackThis log, and thank you very much for your help!
 
Logfile of HijackThis v1.99.1
Scan saved at 8:07:34 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pgws.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloaded stuff\hijackthis\HijackThis.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Julian\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2221e4b6-c2a5-4467-b6cf-ecb644183771} - C:\WINDOWS\system32\agcfrmlm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7b4569c0-73cd-4a5b-b135-cd6acf6400ca} - C:\WINDOWS\system32\agcfrmlm.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\iifef.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Bho - {D462B3D7-CDD5-4ab4-9F2C-29E59B447B70} - C:\WINDOWS\system32\hqfkdiqi.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\tuvsp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132357154214
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A13F4036-187C-4803-A905-4ED38924BFAF}: NameServer = 24.25.5.150
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: iifef - C:\WINDOWS\system32\iifef.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tuvsp - C:\WINDOWS\SYSTEM32\tuvsp.dll

Message Edited by HeIpMePlease on 01-02-2006 07:09 PM


January 3rd, 2006 11:00

be advised that the following is just a "start" ---- you still have more problems remaining:

first off, it appears you're running multiple copies of HiJackThis:

C:\downloaded stuff\hijackthis\HijackThis.exe
and
C:\Documents and Settings\Julian\Desktop\HijackThis.exe

We need to keep (and run) only one copy. Either:
1) keep the first one, C:\downloaded stuff\hijackthis\HijackThis.exe; or
2) if you prefer the ease of Desktop access, you need to create an HJT folder on your Desktop, and move the HJT program into this folder, so that it will then appear under running processes as
C:\Documents and Settings\Julian\Desktop\HJT\HijackThis.exe

======================================================================
 

close your internet browser

Run HJT. click on DO A SYSTEM SCAN ONLY

Place a check-mark in the box in front of the lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {2221e4b6-c2a5-4467-b6cf-ecb644183771} - C:\WINDOWS\system32\agcfrmlm.dll
O2 - BHO: (no name) - {7b4569c0-73cd-4a5b-b135-cd6acf6400ca} - C:\WINDOWS\system32\agcfrmlm.dll
O2 - BHO: Bho - {D462B3D7-CDD5-4ab4-9F2C-29E59B447B70} - C:\WINDOWS\system32\hqfkdiqi.dll

Click on FIX CHECKED. Close HJT. Reboot.

======================================================================
 
 
You mentioned you had (past tense) a WinFixer problem, which you further assert has "gone away". It's definitely still appearing in your HJT log.
 
download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

just reboot if your system "jams"

*********************

It's now time to report back to us: VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.

please be sure to let me know what changes (if any) you've noticed, and what problems (if any) you still have.


January 3rd, 2006 21:00

Thank you for your reply! Unfortunately, the Winfixer problem is still there and I'm still getting random popups. Thanks again for your time and help.
 
VBG log:
 
[01/03/2006, 18:36:29] -  Renaming C:\WINDOWS\system32\iifef.dll -> C:\WINDOWS\system32\iifef.dll.vir
[01/03/2006, 18:36:29] -  File successfully renamed!
[01/03/2006, 18:36:29] -   Removing HKLM\...\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 18:36:29] -   Removing HKCR\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 18:36:29] -   Adding Kill Bit for ActiveX for GUID: {827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 18:36:29] -   Deleting ATLEvents/MSEvents Registry entries
[01/03/2006, 18:36:29] -   Removing HKLM\...\Winlogon\Notify\iifef
[01/03/2006, 18:36:29] - Searching for Browser Helper Objects:
[01/03/2006, 18:36:29] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 18:36:29] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 18:36:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:29] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 18:36:29] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 18:36:29] -  BHO 3: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 18:36:29] -  BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 18:36:29] -  BHO 5: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[01/03/2006, 18:36:30] - ALERT: Found MSEvents Object!
[01/03/2006, 18:36:30] - Finished Searching Browser Helper Objects
[01/03/2006, 18:36:30] - *** Detected MSEvents Object
[01/03/2006, 18:36:30] - Trying to remove MSEvents Object...
[01/03/2006, 18:36:31] -    Terminating Process: IEXPLORE.EXE
[01/03/2006, 18:36:31] -    Terminating Process: RUNDLL32.EXE
[01/03/2006, 18:36:31] -    Disabling Automatic Shell Restart
[01/03/2006, 18:36:31] -    Terminating Process: EXPLORER.EXE
[01/03/2006, 18:36:31] -    Suspending the NT Session Manager System Service
[01/03/2006, 18:36:31] -    Terminating Windows NT Logon/Logoff Manager
[01/03/2006, 18:36:31] -    Re-enabling Automatic Shell Restart
[01/03/2006, 18:36:31] -   File to disable: C:\WINDOWS\system32\tuvsp.dll
[01/03/2006, 18:36:31] -  Renaming C:\WINDOWS\system32\tuvsp.dll -> C:\WINDOWS\system32\tuvsp.dll.vir
[01/03/2006, 18:36:31] -  File successfully renamed!
[01/03/2006, 18:36:31] -   Removing HKLM\...\Browser Helper Objects\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/03/2006, 18:36:31] -   Removing HKCR\CLSID\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/03/2006, 18:36:31] -   Adding Kill Bit for ActiveX for GUID: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/03/2006, 18:36:31] -   Deleting ATLEvents/MSEvents Registry entries
[01/03/2006, 18:36:31] -   Removing HKLM\...\Winlogon\Notify\tuvsp
[01/03/2006, 18:36:31] - Searching for Browser Helper Objects:
[01/03/2006, 18:36:31] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 18:36:31] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 18:36:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:32] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 18:36:32] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 18:36:32] -  BHO 3: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 18:36:32] -  BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 18:36:32] - Finished Searching Browser Helper Objects
[01/03/2006, 18:36:32] - Finishing up...
[01/03/2006, 18:36:32] - A restart is needed.
[01/03/2006, 18:36:38] - Attempting to Restart via STOP error (Blue Screen!)
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 6:41:02 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\pgws.exe
C:\windows\adtech2006a.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julian\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132357154214
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A13F4036-187C-4803-A905-4ED38924BFAF}: NameServer = 24.25.5.150
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
 

Message Edited by HeIpMePlease on 01-03-2006 05:47 PM
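As an added example (not from this thread and not part of HijackThis or VirtumundoBeGone), the following Python script parses the O2, O4 and O20 lines of an HJT log and flags the pattern VirtumundoBeGone acted on above, where the same DLL is registered both as a BHO and as a Winlogon Notify handler, together with unnamed BHOs loaded from system32 and Run entries given as bare file names. The sample lines are a subset of the logs posted in this thread; every flag is a prompt to verify the file, not a verdict.

```python
"""Triage helper for HijackThis (HJT) logs.

Parses the O2 (BHO), O4 (Run keys) and O20 (Winlogon Notify) lines and
flags the persistence patterns discussed in this thread. Every flag is a
prompt for a human to verify the file, not a verdict.
"""
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2221e4b6-c2a5-4467-b6cf-ecb644183771} - C:\WINDOWS\system32\agcfrmlm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\iifef.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\tuvsp.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: iifef - C:\WINDOWS\system32\iifef.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tuvsp - C:\WINDOWS\SYSTEM32\tuvsp.dll
"""

# One regex per HJT section we care about; a CLSID is 36 characters including hyphens.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+)\s+- (?P<path>.+)$")


def parse(log_text):
    """Group the recognised HJT lines by section; all other lines are ignored."""
    entries = {"bho": [], "run": [], "notify": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, regex in (("bho", BHO_RE), ("run", RUN_RE), ("notify", NOTIFY_RE)):
            m = regex.match(line)
            if m:
                entries[section].append(m.groupdict())
                break
    return entries


def first_token(cmd):
    """Return the program part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def norm(path):
    """Windows paths are case-insensitive (system32 vs SYSTEM32): compare lower-cased."""
    return path.strip().strip('"').lower()


def bho_notify_pairs(entries):
    """A DLL registered both as a BHO and as a Winlogon Notify handler is loaded
    into every Internet Explorer process and into winlogon; this is the pairing
    VirtumundoBeGone removed (iifef.dll, tuvsp.dll) in the log above."""
    notify_paths = {norm(n["path"]) for n in entries["notify"]}
    return sorted({norm(b["path"]) for b in entries["bho"] if norm(b["path"]) in notify_paths})


def unnamed_system32_bhos(entries):
    """BHOs with no registered name (or the generic 'Bho') living in system32."""
    return sorted(b["clsid"] for b in entries["bho"]
                  if b["name"] in ("(no name)", "Bho") and "\\system32\\" in norm(b["path"]))


def bare_run_entries(entries):
    """Run-key commands given as a bare file name are found through the PATH
    search instead of being pinned to one file. Legitimate entries (the Bluetooth
    agent here) also trigger this, so treat it as a prompt to verify the file."""
    return [(e["key"], e["name"]) for e in entries["run"] if "\\" not in first_token(e["cmd"])]


def triage(log_text):
    """Run every heuristic over a log and return the findings as one report."""
    entries = parse(log_text)
    return {
        "bho_notify_pairs": bho_notify_pairs(entries),
        "unnamed_system32_bhos": unnamed_system32_bhos(entries),
        "bare_run_entries": bare_run_entries(entries),
        # RunServices is a Windows 9x-era key that XP software rarely writes.
        "runservices_entries": [e["name"] for e in entries["run"] if e["key"] == "RunServices"],
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG).items():
        print(f"{finding}:")
        for item in items:
            print(f"  {item}")
```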

January 3rd, 2006 22:00

Logfile of HijackThis v1.99.1
Scan saved at 7:40:46 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\pgws.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\windows\adtech2006a.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julian\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132357154214
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A13F4036-187C-4803-A905-4ED38924BFAF}: NameServer = 24.25.5.150
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
 

January 3rd, 2006 22:00

I don't mind taking many steps, I'm just glad I'm finally getting rid of this problem. Your help has been awesome so far, and I greatly appreciate it. I'm going to have to make 2 posts since putting both logs in 1 post will exceed 20000 characters.

[01/03/2006, 18:36:12] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Julian\Desktop\VirtumundoBeGone.exe" )
[01/03/2006, 18:36:24] - Detected System Information:
[01/03/2006, 18:36:24] -  Windows Version: 5.1.2600, Service Pack 2
[01/03/2006, 18:36:24] -  Current Username: Julian (Admin)
[01/03/2006, 18:36:24] -  Windows is in NORMAL mode.
[01/03/2006, 18:36:24] - Searching for Browser Helper Objects:
[01/03/2006, 18:36:24] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 18:36:24] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 18:36:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:24] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 18:36:24] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 18:36:24] -  BHO 3: {827DC836-DD9F-4A68-A602-5812EB50A834} (MSEvents Object)
[01/03/2006, 18:36:24] - ALERT: Found MSEvents Object!
[01/03/2006, 18:36:24] -  BHO 4: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 18:36:25] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 18:36:25] -  BHO 6: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} ()
[01/03/2006, 18:36:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:25] -  Checking for HKLM\...\Winlogon\Notify\tuvsp
[01/03/2006, 18:36:25] -  Found: HKLM\...\Winlogon\Notify\tuvsp - This is probably Virtumundo.
[01/03/2006, 18:36:25] -  Assigning {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} MSEvents Object
[01/03/2006, 18:36:26] - BHO list has been changed! Starting over...
[01/03/2006, 18:36:26] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 18:36:26] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 18:36:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:26] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 18:36:26] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 18:36:26] -  BHO 3: {827DC836-DD9F-4A68-A602-5812EB50A834} (MSEvents Object)
[01/03/2006, 18:36:26] - ALERT: Found MSEvents Object!
[01/03/2006, 18:36:26] -  BHO 4: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 18:36:26] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 18:36:26] -  BHO 6: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[01/03/2006, 18:36:26] - ALERT: Found MSEvents Object!
[01/03/2006, 18:36:26] - Finished Searching Browser Helper Objects
[01/03/2006, 18:36:26] - *** Detected MSEvents Object
[01/03/2006, 18:36:26] - Trying to remove MSEvents Object...
[01/03/2006, 18:36:27] -    Terminating Process: IEXPLORE.EXE
[01/03/2006, 18:36:28] -    Terminating Process: RUNDLL32.EXE
[01/03/2006, 18:36:28] -    Disabling Automatic Shell Restart
[01/03/2006, 18:36:28] -    Terminating Process: EXPLORER.EXE
[01/03/2006, 18:36:29] -    Suspending the NT Session Manager System Service
[01/03/2006, 18:36:29] -    Terminating Windows NT Logon/Logoff Manager
[01/03/2006, 18:36:29] -    Re-enabling Automatic Shell Restart
[01/03/2006, 18:36:29] -   File to disable: C:\WINDOWS\system32\iifef.dll
[01/03/2006, 18:36:29] -  Renaming C:\WINDOWS\system32\iifef.dll -> C:\WINDOWS\system32\iifef.dll.vir
[01/03/2006, 18:36:29] -  File successfully renamed!
[01/03/2006, 18:36:29] -   Removing HKLM\...\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 18:36:29] -   Removing HKCR\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 18:36:29] -   Adding Kill Bit for ActiveX for GUID: {827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 18:36:29] -   Deleting ATLEvents/MSEvents Registry entries
[01/03/2006, 18:36:29] -   Removing HKLM\...\Winlogon\Notify\iifef
[01/03/2006, 18:36:29] - Searching for Browser Helper Objects:
[01/03/2006, 18:36:29] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 18:36:29] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 18:36:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:29] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 18:36:29] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 18:36:29] -  BHO 3: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 18:36:29] -  BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 18:36:29] -  BHO 5: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[01/03/2006, 18:36:30] - ALERT: Found MSEvents Object!
[01/03/2006, 18:36:30] - Finished Searching Browser Helper Objects
[01/03/2006, 18:36:30] - *** Detected MSEvents Object
[01/03/2006, 18:36:30] - Trying to remove MSEvents Object...
[01/03/2006, 18:36:31] -    Terminating Process: IEXPLORE.EXE
[01/03/2006, 18:36:31] -    Terminating Process: RUNDLL32.EXE
[01/03/2006, 18:36:31] -    Disabling Automatic Shell Restart
[01/03/2006, 18:36:31] -    Terminating Process: EXPLORER.EXE
[01/03/2006, 18:36:31] -    Suspending the NT Session Manager System Service
[01/03/2006, 18:36:31] -    Terminating Windows NT Logon/Logoff Manager
[01/03/2006, 18:36:31] -    Re-enabling Automatic Shell Restart
[01/03/2006, 18:36:31] -   File to disable: C:\WINDOWS\system32\tuvsp.dll
[01/03/2006, 18:36:31] -  Renaming C:\WINDOWS\system32\tuvsp.dll -> C:\WINDOWS\system32\tuvsp.dll.vir
[01/03/2006, 18:36:31] -  File successfully renamed!
[01/03/2006, 18:36:31] -   Removing HKLM\...\Browser Helper Objects\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/03/2006, 18:36:31] -   Removing HKCR\CLSID\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/03/2006, 18:36:31] -   Adding Kill Bit for ActiveX for GUID: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[01/03/2006, 18:36:31] -   Deleting ATLEvents/MSEvents Registry entries
[01/03/2006, 18:36:31] -   Removing HKLM\...\Winlogon\Notify\tuvsp
[01/03/2006, 18:36:31] - Searching for Browser Helper Objects:
[01/03/2006, 18:36:31] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 18:36:31] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 18:36:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 18:36:32] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 18:36:32] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 18:36:32] -  BHO 3: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 18:36:32] -  BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 18:36:32] - Finished Searching Browser Helper Objects
[01/03/2006, 18:36:32] - Finishing up...
[01/03/2006, 18:36:32] - A restart is needed.
[01/03/2006, 18:36:38] - Attempting to Restart via STOP error (Blue Screen!)
[01/03/2006, 19:32:15] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Julian\Desktop\VirtumundoBeGone.exe" )
[01/03/2006, 19:32:16] - Detected System Information:
[01/03/2006, 19:32:16] -  Windows Version: 5.1.2600, Service Pack 2
[01/03/2006, 19:32:16] -  Current Username: Julian (Admin)
[01/03/2006, 19:32:16] -  Windows is in NORMAL mode.
[01/03/2006, 19:32:16] - Searching for Browser Helper Objects:
[01/03/2006, 19:32:16] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 19:32:16] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 19:32:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 19:32:16] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 19:32:16] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 19:32:16] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/03/2006, 19:32:16] -  BHO 4: {827DC836-DD9F-4A68-A602-5812EB50A834} (MSEvents Object)
[01/03/2006, 19:32:16] - ALERT: Found MSEvents Object!
[01/03/2006, 19:32:16] -  BHO 5: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 19:32:16] -  BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 19:32:16] - Finished Searching Browser Helper Objects
[01/03/2006, 19:32:16] - *** Detected MSEvents Object
[01/03/2006, 19:32:16] - Trying to remove MSEvents Object...
[01/03/2006, 19:32:17] -    Terminating Process: IEXPLORE.EXE
[01/03/2006, 19:32:18] -    Terminating Process: RUNDLL32.EXE
[01/03/2006, 19:32:18] -    Disabling Automatic Shell Restart
[01/03/2006, 19:32:18] -    Terminating Process: EXPLORER.EXE
[01/03/2006, 19:32:18] -    Suspending the NT Session Manager System Service
[01/03/2006, 19:32:18] -    Terminating Windows NT Logon/Logoff Manager
[01/03/2006, 19:32:18] -    Re-enabling Automatic Shell Restart
[01/03/2006, 19:32:18] -   File to disable: C:\WINDOWS\system32\vtstt.dll
[01/03/2006, 19:32:18] -  Renaming C:\WINDOWS\system32\vtstt.dll -> C:\WINDOWS\system32\vtstt.dll.vir
[01/03/2006, 19:32:19] -  File successfully renamed!
[01/03/2006, 19:32:19] -   Removing HKLM\...\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 19:32:19] -   Removing HKCR\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 19:32:19] -   Adding Kill Bit for ActiveX for GUID: {827DC836-DD9F-4A68-A602-5812EB50A834}
[01/03/2006, 19:32:19] -   Deleting ATLEvents/MSEvents Registry entries
[01/03/2006, 19:32:19] -   Removing HKLM\...\Winlogon\Notify\vtstt
[01/03/2006, 19:32:19] - Searching for Browser Helper Objects:
[01/03/2006, 19:32:19] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 19:32:19] -  BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/03/2006, 19:32:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 19:32:19] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/03/2006, 19:32:19] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/03/2006, 19:32:19] -  BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/03/2006, 19:32:19] -  BHO 4: {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} (LinkTracker Class)
[01/03/2006, 19:32:19] -  BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 19:32:19] - Finished Searching Browser Helper Objects
[01/03/2006, 19:32:19] - Finishing up...
[01/03/2006, 19:32:19] - A restart is needed.
[01/03/2006, 19:32:22] - Attempting to Restart via STOP error (Blue Screen!)
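The VBG log above walks through one detection rule (an unnamed BHO whose DLL base name also appears as a Winlogon\Notify subkey, or any BHO calling itself "MSEvents Object") and one remediation sequence (rename the DLL, drop the BHO and CLSID registrations, set the ActiveX kill bit, delete the Notify hook). The following is an added example, not VirtumundoBeGone's own code, that re-implements that cross-check over a constructed registry snapshot held in plain Python data; it never touches a real registry. The registry key paths are the standard XP locations; the snapshot contents are modelled on the entries the log lists, and the plan/.reg rendering is this example's own design.

```python
"""Added example, not VirtumundoBeGone's own code: the BHO-to-Winlogon\\Notify
cross-check that the VBG log walks through, run over a constructed registry
snapshot (plain Python data; nothing touches the real registry)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# IE's ActiveX kill bit: "Compatibility Flags" = 0x400 under ActiveX Compatibility\{CLSID}
KILL_BIT = 0x400

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
AXCOMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"


@dataclass(frozen=True)
class Bho:
    clsid: str
    name: str  # default value of HKCR\CLSID\{clsid}; "" when the class is unnamed
    dll: str   # InprocServer32 path


# Constructed snapshot (assumption): the BHOs and Winlogon\Notify subkeys
# VBG reported on its first pass, as the log above lists them.
BHOS = [
    Bho("{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}", "AcroIEHlprObj Class",
        r"C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"),
    Bho("{53707962-6F74-2D53-2644-206D7942484F}", "", r"C:\PROGRA~1\SPYBOT~1\SDHelper.dll"),
    Bho("{827DC836-DD9F-4A68-A602-5812EB50A834}", "MSEvents Object", r"C:\WINDOWS\system32\iifef.dll"),
    Bho("{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}", "", r"C:\WINDOWS\system32\tuvsp.dll"),
]
NOTIFY_SUBKEYS = {"DPWLN", "NavLogon", "iifef", "tuvsp"}


def dll_stem(path: str) -> str:
    """Base name without extension, e.g. ...\\tuvsp.dll -> 'tuvsp'."""
    return PureWindowsPath(path).stem


def looks_like_vundo(bho: Bho, notify_subkeys) -> bool:
    """The two signals VBG acts on: the class is named 'MSEvents Object', or it
    is unnamed and a Winlogon\\Notify subkey carries its DLL's base name
    (Spybot's unnamed SDHelper passes because no such Notify key exists)."""
    if bho.name == "MSEvents Object":
        return True
    lowered = {k.lower() for k in notify_subkeys}
    return bho.name == "" and dll_stem(bho.dll).lower() in lowered


def find_vundo(bhos, notify_subkeys):
    return [b for b in bhos if looks_like_vundo(b, notify_subkeys)]


def remediation_plan(bho: Bho):
    """The steps the log shows for one hit, as data to review before acting."""
    stem = dll_stem(bho.dll)
    return [
        ("rename", bho.dll, bho.dll + ".vir"),           # disable without deleting
        ("delete_key", BHO_KEY + "\\" + bho.clsid),     # stop IE loading it as a BHO
        ("delete_key", CLSID_KEY + "\\" + bho.clsid),   # drop the COM registration
        ("set_value", AXCOMPAT_KEY + "\\" + bho.clsid,  # kill bit, in case it is re-registered
         "Compatibility Flags", KILL_BIT),
        ("delete_key", NOTIFY_KEY + "\\" + stem),        # the winlogon hook that re-installs it
    ]


def to_reg(plans) -> str:
    """Render the registry steps of the plans as a .reg file; '[-key]' deletes a
    key. The file rename has no .reg equivalent and is left to the operator."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for plan in plans:
        for step in plan:
            if step[0] == "delete_key":
                lines += ["[-" + step[1] + "]", ""]
            elif step[0] == "set_value":
                lines += ["[" + step[1] + "]", '"%s"=dword:%08x' % (step[2], step[3]), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_vundo(BHOS, NOTIFY_SUBKEYS)
    for b in hits:
        print(b.clsid, dll_stem(b.dll))
    print(to_reg([remediation_plan(b) for b in hits]))
```

The plan is deliberately data rather than actions: the log shows why that matters, since the tool had to kill Explorer and winlogon's shell-restart logic just to get the DLL renamed, and a second run found a freshly dropped copy (vtstt.dll) re-registered under a new Notify name. Reviewing the plan first, and re-running the check after the reboot, is the practical check against that re-infection loop.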


January 3rd, 2006 22:00

Your original log showed TWO (2) vundo/virtumundo trojans [ iifef.dll & tuvsp.dll ], causing your WinFixer popups... VBG successfully deactivated both.
 
However, your latest log now shows another/different infected file, vtstt.dll.
 
Please run VirtumundoBeGone again, and let's see how things look this time.
 
****************************************
 
It appears you're running Sun Java j2re1.4.2_05. There is much speculation that a "hole" in a closely-related version, j2re1.4.2_03, is being exploited by WinFixer. So we should upgrade to the latest version, 1.5.0_06, from http://www.java.com/en/download/manual.jsp
My personal preference is to download the MANUAL (OFFline) installation version (16 MB). But if you prefer the online installation, that choice is yours.
 
AFTER you successfully install the new java, go to your control panel, ADD/REMOVE programs, and UNinstall all older versions of Java (if any) that still show up there.... especially the 1.4.2_03.
 
When you're done, REPLY here, and post an updated/revised HJT log, as well as another VBG log.
 
 
 
I want to stress again, you still have more problems, but I'm trying to take this one step at a time, if at all possible. Let me know how things seem to you there.
 

January 3rd, 2006 23:00

Ok, here's the latest HJT log. Winfixer and Morwill seem to have gone.
 
Logfile of HijackThis v1.99.1
Scan saved at 8:22:54 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\pgws.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Julian\Desktop\HJT\HijackThis.exe
C:\Documents and Settings\Julian\Desktop\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132357154214
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A13F4036-187C-4803-A905-4ED38924BFAF}: NameServer = 24.25.5.150
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
 

Message Edited by HeIpMePlease on 01-03-2006 07:26 PM


January 3rd, 2006 23:00

As best as I can tell, you should now be clear of both winfixer and morWilSeach... please confirm...
 
Good work also on the java update.
 
Normally at this point, I try to call in someone else for the remainder of the fix... but I'd like to take one more "stab" first, to remove some items that were introduced into your second log, that weren't present in your first.
 
In so doing, I'm assuming that "FindTheWebSiteYouNeed" is something that installed itself on its own... if for some reason you knowingly/intentionally arranged this, then I guess it's okay for you to keep it. But if you have no knowledge of it, then try to remove it:
 
Run HJT. Click on DO A SYSTEM SCAN ONLY.

Place a check-mark in the box in front of each of the lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe

Click on FIX CHECKED. Close HJT. Reboot. And see if adTech2006 comes back or not.

[If AdTech2006 is still there... i.e., if this highlighted O4 line still appears in your log after rebooting... then you should reboot your system into SAFE MODE (by tapping the F8 key during the boot-up process, and selecting SAFE MODE), and try this FIX again while running HJT in SAFE MODE; and then reboot into NORMAL mode.]

When you're done, generate and post your latest HJT log, replying to this thread. At that point, it's time for the next helper.
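KY331's approach above rests on two manual checks: diffing the second HJT log against the first to see what was introduced, and eyeballing O4 autorun lines for the tells that mark a drop (an image with no directory, a RUNDLL32 call loading an unqualified DLL, an executable dropped straight into C:\ or C:\WINDOWS, and a RunServices entry duplicating a Run entry). The following is an added example, not HijackThis' or the helpers' own code, that automates both over sample logs constructed from entries quoted in this thread; the heuristics are this example's own assumptions and yield leads for a human to review, not verdicts.

```python
"""Added example, not HijackThis' own logic: diff two HJT logs to find what was
introduced between them, and triage O4 autorun entries with the rules of thumb
a helper applies by hand. Sample logs are constructed from entries quoted in
this thread; the heuristics are assumptions and give leads, not verdicts."""
import re
from typing import NamedTuple

ENTRY_RE = re.compile(r"^[RFO]\d+ - ")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: a handful of O4 lines from the first log in the thread...
LOG_DAY1 = r"""
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
"""
# ...and the same lines plus entries that only appeared in the second log.
LOG_DAY2 = LOG_DAY1 + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
"""


class Finding(NamedTuple):
    line: str
    reasons: tuple


def entries(log: str):
    """The result lines (R0/R1/O2/O4/...) of a log, whitespace stripped."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def new_entries(old: str, new: str):
    """Entries in the second log that the first did not have."""
    seen = set(entries(old))
    return [e for e in entries(new) if e not in seen]


def image_path(cmd: str) -> str:
    """First token of a Run command line, quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def parent_dir(path: str) -> str:
    """Lower-cased directory part, with doubled backslashes collapsed."""
    norm = re.sub(r"\\+", r"\\", path).lower()
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def triage_o4(line: str):
    """Return a Finding for an O4 line that trips any heuristic, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    key, cmd = m.group(2), m.group("cmd")
    reasons = []
    path = image_path(cmd)
    if path.lower().startswith("rundll32"):
        # rundll32 <dll>,<entry> <args>: flag a DLL given with no directory
        rest = cmd[len(path):].strip()
        dll = rest.split(",", 1)[0].strip().strip('"')
        if dll and "\\" not in dll:
            reasons.append("rundll32 loads a DLL with no directory")
    elif "\\" not in path:
        reasons.append("image has no directory; resolved by PATH search")
    elif parent_dir(path) in ("c:", "c:\\windows"):
        reasons.append("executable dropped directly in the drive or Windows root")
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x key that XP does not process")
    return Finding(line, tuple(reasons)) if reasons else None


def triage(log: str):
    return [f for f in (triage_o4(e) for e in entries(log)) if f is not None]


def run_name(line: str) -> str:
    """The [name] part of an O4 line."""
    return O4_RE.match(line).group("name")


if __name__ == "__main__":
    for e in new_entries(LOG_DAY1, LOG_DAY2):
        print("NEW ", e)
    for f in triage(LOG_DAY2):
        print("LEAD", run_name(f.line), "->", "; ".join(f.reasons))
```

Two limits worth knowing before trusting the output: the legitimate Bluetooth entry trips the same unqualified-DLL rule as 0oqw0ub0.dll, so every lead still needs a human look, and a randomly named executable with a full system32 path (igps.exe, waaqpq.exe) passes all of these rules; catching those takes a different signal, such as the Winlogon\Notify cross-check VBG performs or a file-signature and creation-time check.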


January 4th, 2006 18:00

This is Ron.  Now that KY331 has cleared up your winfixer problem and that homepage hijacker I'll try to finish the cleanup. 
The winsync one is probably qoologic so I think we had better get ewido.
 
Please download ewido security suite:
 
It is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
Don't run it yet.

 
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.
Run HijackThis and just do a Scan only. Check  then Fix Checked the following:
 
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0oqw0ub0.dll] RUNDLL32.EXE 0oqw0ub0.dll,b 30808109
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
 
Close HijackThis.

Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode. Run a new HijackThis log and post it as a reply.

Ron
 
 

January 4th, 2006 23:00

Thanks for the reply. I have a question/problem - when I ran Ewido, I saw that it was identifying all these zip files with porn titles as infected files. These files were in some sort of hidden folder, "complete" (C:\Documents and Settings\Julian\Complete). I left Ewido running, but when I returned over an hour later, Ewido was still running, with over 15,000 infected files, and it was obviously nowhere near done (it was still going through files in that folder, and was on files that began with the letter 'G'). The completion bar was stuck at 39.2% done. Since I had to use the computer, I decided to stop the scan and let it run overnight. I cancelled the scan, but then a separate message popped up asking me to confirm the cleanup for each infected file! There were already over 15,000 infected files! Actually, the message said something about how cleaning the file will stop other files from working, but I still had to click the OK button once for every file.

Gah! What do I do?

And also, with HJT, I was able to find and fix every one of the problems you listed except for O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe. It did not appear in the list when I did a scan only. Is this ok?


January 5th, 2006 01:00

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, then run your ewido scan. There should be an option to set it so you don't have to authorize each removal, but you have to set it before the scan starts.

Ron

January 5th, 2006 21:00

In Ewido, I get this message for every infected file, after I stop the scan:

Warning:
The file "C:\Documents and Settings\Julian\Complete\***.exe" cannot be removed because it is embedded in the archive "C:\Documents and Settings\Julian\***.zip." Do you want to remove the whole archive?

*** is some random porn title. There are over 15,000 (I'm guessing over 40,000 total since I stopped the scan at the letter "G") of these files, all in that same folder. I looked under the settings in Ewido, but there doesn't appear to be any option that lets me not have to click OK each time.

Also, I have noticed that I cannot press ctrl+alt+del to bring up the task manager. Is this an expected effect of my malware?

Log of AproposFix v1
 
************
 
Running from directory: 
C:\Documents and Settings\Julian\Desktop\aproposfix
 
************
 
Registry entries found:
 
 
************
 
No service found!
 
Removing hidden folder:
No folder found!
 
Deleting files:
 
 
Backing up files:
Done!
 
Removing registry entries:
 
REGEDIT4
 
 
Done!
 
Finished!

Message Edited by HeIpMePlease on 01-05-2006 05:32 PM

EDIT: I ran a scan for a few minutes and got 156 infected files, then stopped it, pressed OK 156 times for each file, and saved the log. Ok, I just realized I can't copy/paste and post the log because there are numerous prohibited words, so here is just 1 of the entries.

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:   6:38:06 PM, 1/5/2006
 + Report-Checksum:  A1BAA69A

 + Scan result:


 C:\Documents and Settings\Julian\Complete\04mpgasian.zip/Video.exe -> Dropper.WinAD.h : Cleaned with backup


::Report End



January 5th, 2006 22:00

What it is trying to tell you is that the bad file is hidden inside a compressed file (along with a bunch of other garbage), namely:

C:\Documents and Settings\Julian\Complete\04mpgasian.zip

You should let it delete the whole archive or you can save yourself some trouble and delete it yourself.

Right click on Start and select Explore. Then in the new window find the Views icon (bottom right of the two toolbars at the top; it looks like a little window with a down arrow). Press it and select Details. Then select Tools, Folder Options, check Use Windows Classic Folders, Apply, then View, check Show Hidden Files and Folders, and uncheck the two that start with Hide (ignore the warning), then say Apply. Then press Like Current Folder. OK.

Now locate the Documents and Settings folder (My Computer => Local Disk C: => Documents and Settings). Under it find Julian and under it find Complete and click once on it. In the right pane will be an alphabetical list of folders and files. Click on the word MODIFIED at the top of the column. This sorts them by date modified. Scroll down in the right pane until you find 04mpgasian.zip and note the date and time. Delete it and all files in the folder that have the same date and time +/- 5 minutes.

If you can't find it in Explorer then reboot into Safe Mode (F8) and select Command Prompt from the menu. Log in and when you get to the black screen type:

cd "\Documents and Settings\Julian\Complete"

dir /ogd

(you should see a list of files. Delete the 04mpgasian.zip file with)

del /f 04mpgasian.zip

(If you decide that all files in the folder are bad (have the same date and time +/- 5 minutes) then get rid of them all with)

del /f *.*

Ron
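As an added example (not Ron's code and not part of the thread), the "same date and time +/- 5 minutes" rule from the Explorer steps above as a small Python triage helper: it lists, rather than deletes, the files whose modification time falls within the window around a reference file, so the cluster can be reviewed before anything is removed. The scratch folder, the timestamps and every file name other than 04mpgasian.zip are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path
from typing import List


def files_modified_near(folder: Path, reference: str, window_minutes: int = 5) -> List[str]:
    """Return the names of regular files in `folder` whose modification time
    lies within +/- window_minutes of the reference file's modification time.
    This is the thread's 'same date and time +/- 5 minutes' rule, applied
    programmatically and read-only: nothing is deleted here."""
    ref_mtime = (folder / reference).stat().st_mtime
    window = window_minutes * 60
    hits = []
    for entry in os.scandir(folder):
        if not entry.is_file(follow_symlinks=False):
            continue
        if abs(entry.stat().st_mtime - ref_mtime) <= window:
            hits.append(entry.name)
    return sorted(hits)


def build_sample_folder() -> Path:
    """Constructed sample: a scratch folder whose timestamps imitate the
    situation in the thread (a batch dropped within a few minutes, plus an
    older file that should be left alone). Names other than the archive
    ewido reported are placeholders."""
    folder = Path(tempfile.mkdtemp(prefix="complete_sample_"))
    base = datetime(2006, 1, 5, 18, 0, 0).timestamp()
    stamps = {
        "04mpgasian.zip": base,           # the archive ewido reported
        "batch_item_a.zip": base + 90,    # same drop, 1.5 minutes later
        "batch_item_b.zip": base - 240,   # same drop, 4 minutes earlier
        "old_download.zip": base - 3600,  # an hour earlier: outside the window
    }
    for name, ts in stamps.items():
        path = folder / name
        path.write_bytes(b"placeholder")
        os.utime(path, (ts, ts))
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for name in files_modified_near(sample, "04mpgasian.zip"):
        print(name)
```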


 

 

January 6th, 2006 00:00

Thanks for the tip. There were over 45,000 files in that folder, taking up over 22 gigs. I'm not sure where they came from, but I suspect a p2p file sharing program.
 
I finished running Ewido. What's the next step?
 
Logfile of HijackThis v1.99.1
Scan saved at 9:10:49 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\windows\banmanpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\Documents and Settings\Julian\Desktop\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132357154214
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A13F4036-187C-4803-A905-4ED38924BFAF}: NameServer = 24.25.5.150
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
 


January 6th, 2006 01:00

I was hoping ewido would take care of the qoologic but it didn't.  At least you got 22 gig back from the porn folks.

We have three new entries plus the qoologic entry. See if you can check/Fix Checked them using HijackThis in Safe Mode (unless of course you know what they are and why they are suddenly there).

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run <==Qoologic

I first thought the wmplayer.exe was the real thing, but when I look at my PC I find that the folder should be Windows Media Player and not wmplayer. If in doubt you can look at it with Explorer and right click on it and look at the properties. It should tell you if it is really from Microsoft and it should have a version number. Also there is no reason for it to run at start, so I'm pretty sure we have a ringer here.

The last one is the qoologic entry.  I am assuming that it will not meekly go away when you use hijackthis.

I'm trying to avoid the terribly involved procedure here that was used to get rid of qoologic:

http://help.lockergnome.com/index.php?showtopic=41087

but let's at least verify that we are on the right track:

Download FindQoologic.zip and save it to your Desktop.
http://downloads.subratam.org/Find-Qoologic.zip

Extract (unzip) the files inside into their own folder called FindQoologic (put the folder on your desktop to make life easier.)
Open the FindQoologic folder. Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text file opens. Then post the text as a reply.

Ron
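As an added illustration of the checks Ron applies to the O4 lines above (example code written for this page, not the helpers' or HijackThis's own), here is a small parser that pulls the registry Run entries out of an HJT log and flags the three patterns the thread has been applying by eye: a bare filename with no directory, an executable dropped straight into the Windows directory, and a product executable living under the wrong folder name. The sample log is constructed from lines posted in this thread; EXPECTED_FOLDER and WINROOT_ALLOWED are assumptions seeded from the thread, not a maintained list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: O4 lines copied from the HijackThis logs posted in this
# thread (entries the helper flagged) next to vendor entries from the same log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waaqpq.exe reg_run
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
"""

# Hypothetical map (assumption): the product folder an executable ships in,
# seeded only from Ron's point that wmplayer.exe belongs under
# "Windows Media Player", not a folder called "wmplayer".
EXPECTED_FOLDER: Dict[str, str] = {"wmplayer.exe": "windows media player"}

# The Windows directory itself holds very few executables; explorer.exe is one.
WINROOT_ALLOWED = {"explorer.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    path: str
    args: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Separate the executable from its arguments. HJT prints unquoted paths
    that contain spaces, so split after the first '.exe' rather than on space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if not m:
        return cmd, ""
    return cmd[:m.end()], cmd[m.end():].strip()


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one registry Run/RunServices O4 line; other O4 forms give None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    return RunEntry(m.group("hive"), m.group("key"), m.group("name"), path, args)


def assess(entry: RunEntry) -> RunEntry:
    """Attach the checks the helpers in this thread applied by eye."""
    parts = entry.path.lower().split("\\")
    exe = parts[-1]
    if len(parts) == 1:
        entry.reasons.append("bare filename: located via the search path, not a fixed location")
    elif len(parts) == 3 and parts[1] == "windows" and exe not in WINROOT_ALLOWED:
        entry.reasons.append("executable sits directly in the Windows directory")
    expected = EXPECTED_FOLDER.get(exe)
    if expected and len(parts) >= 2 and parts[-2] != expected:
        entry.reasons.append(f"{exe} normally lives under '{expected}', not '{parts[-2]}'")
    return entry


def review_log(text: str) -> List[RunEntry]:
    """Parse and assess every registry O4 line in an HJT log, in order."""
    return [assess(e) for e in map(parse_o4, text.splitlines()) if e is not None]
```

The winsync entry passes all three checks, since nothing about its path or name is unusual on its face; spotting it still depends on recognising the entry, which is why Ron reaches for FindQoologic rather than relying on the log alone.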

January 6th, 2006 02:00

Find Qoologic last edited 11/28/2005
Running from
C:\Documents and Settings\Julian\Desktop\Find-Qoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
C:\WINDOWS\SYSTEM32\WAAQPQ.EXE
C:\WINDOWS\SYSTEM32\FMMQK.DLL
C:\WINDOWS\SYSTEM32\EPPSISP.DLL
C:\WINDOWS\SYSTEM32\FVVVJVV.EXE
C:\WINDOWS\VCCENE.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\XZZW.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyysmsym]
@="{631879a2-dae0-4553-90e8-11210d6f0aeb}"
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
No Events found!
