Might be infected with Virus/Spyware ? [RESOLVED]
Chrissy G
post Jan 22 2008, 04:51 AM
Post #1
Member
Posts: 44
OS: XP

Hi everyone. I'm writing on behalf of my friend who is having trouble with her PC at the moment. She thinks she has a virus but is not sure. Basically, her PC is unstable and IE crashes without warning when online. This makes it difficult for her to post here, and updating her virus definitions has also proved difficult.

Initially, she has sent me a log from Deckard's System Scanner and would appreciate someone having a quick look at it.

Please note that personally identifiable info has been removed from the log with ??? signs:



Deckard's System Scanner v20071014.68
Run by ??? on 2008-01-21 18:47:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-21 18:47:40
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\sony\vaio media music server\SSSvr.exe
C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Apoint\apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ico.exe
C:\Program Files\sony\HotKey Utility\hkserv.exe
C:\Program Files\Common Files\Symantec Shared\ccapp.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\dragdrop.exe
C:\Program Files\sony\HotKey Utility\HKWnd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\powerpanel\Program\PcfMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Apoint\apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ico.exe
C:\Program Files\sony\HotKey Utility\hkserv.exe
C:\Program Files\Common Files\Symantec Shared\ccapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\dragdrop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\sony\HotKey Utility\HKWnd.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\powerpanel\Program\PcfMgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\powerpanel\Program\PcfMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O15 - Trusted Zone: *.sony-europe.com (HKCU)
O15 - Trusted Zone: *.sonystyle-europe.com (HKCU)
O15 - Trusted Zone: *.vaio-link.com (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} () - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/b...bcontrol028.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{79D868E4-CBBD-43CE-83BC-24E446EF879E}: NameServer = 85.255.115.67,85.255.112.122
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{8EB2FCE1-C483-4A7B-AFE8-496EB77EDBC8}: NameServer = 85.255.115.67,85.255.112.122
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9251C282-3313-4ABB-9312-2AF09B83C1CE}: NameServer = 85.255.115.67,85.255.112.122
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.122
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.122
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.122
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe


--
End of file - 13448 bytes

-- Files created between 2007-12-21 and 2008-01-21 -----------------------------

2008-01-21 18:36:59 686630 --a------ C:\dss.exe
2008-01-21 18:36:33 0 d-------- C:\Documents and Settings\???\Application Data\Drag'n Drop CD+DVD
2008-01-21 18:34:59 0 dr-h----- C:\Documents and Settings\???\Recent
2008-01-21 18:34:45 0 d-------- C:\Documents and Settings\???\Application Data\Sony Corporation
2008-01-21 18:34:45 0 d-------- C:\Documents and Settings\???\Application Data\Real
2008-01-21 18:34:45 0 d---s---- C:\Documents and Settings\???\Application Data\Microsoft
2008-01-21 18:34:45 0 d-------- C:\Documents and Settings\???\Application Data\Identities
2008-01-21 18:34:45 0 d-------- C:\Documents and Settings\???\Application Data\Adobe
2008-01-21 18:34:44 0 d-------- C:\Documents and Settings\???\WINDOWS
2008-01-21 18:34:44 0 d--h----- C:\Documents and Settings\???\Templates
2008-01-21 18:34:44 0 dr------- C:\Documents and Settings\???\Start Menu
2008-01-21 18:34:44 0 dr-h----- C:\Documents and Settings\???\SendTo
2008-01-21 18:34:44 0 d--h----- C:\Documents and Settings\???\PrintHood
2008-01-21 18:34:44 1048576 --ah----- C:\Documents and Settings\???\NTUSER.DAT
2008-01-21 18:34:44 0 d--h----- C:\Documents and Settings\???\NetHood
2008-01-21 18:34:44 0 dr------- C:\Documents and Settings\???\My Documents
2008-01-21 18:34:44 0 d--h----- C:\Documents and Settings\???\Local Settings
2008-01-21 18:34:44 0 dr------- C:\Documents and Settings\???\Favorites
2008-01-21 18:34:44 0 d-------- C:\Documents and Settings\???\Desktop
2008-01-21 18:34:44 0 d---s---- C:\Documents and Settings\???\Cookies
2008-01-21 18:34:44 0 dr-h----- C:\Documents and Settings\???\Application Data
2008-01-21 18:34:44 0 d-------- C:\Documents and Settings\???\Application Data\Symantec
2008-01-21 18:34:44 0 d-------- C:\Documents and Settings\???\Application Data\Sun
2008-01-20 20:05:07 83456 --a------ C:\WINDOWS\System32\mscore25.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-16 20:11:55 16384 --a------ C:\WINDOWS\System32\suspend.exe
2008-01-16 20:11:52 80 --a------ C:\WINDOWS\System32\suspend.bin
2008-01-16 20:11:49 16384 --a------ C:\WINDOWS\System32\nod32se.exe
2008-01-13 17:10:47 16384 --a------ C:\WINDOWS\System32\users32.dat
2008-01-06 18:12:00 0 d-------- C:\Program Files\Google
2008-01-02 13:04:59 71825 --a------ C:\1.exe



EXTRA.txt log:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 509.48 MiB / 227.44 MiB
Pagefile Memory (total/avail): 1244.66 MiB / 980.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 27.95 GiB total, 19.07 GiB free.
D: is Fixed (NTFS) - 27.95 GiB total, 27.93 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 27.95 GiB - C:
\PARTITION1 - Installable File System - 27.95 GiB - D:

\\.\PHYSICALDRIVE1 - Sony MSC-U04 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\???\Application Data
CLASSPATH=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AYSEL
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\???
LOGONSERVER=\\AYSEL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NAYIMK~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\NAYIMK~1\LOCALS~1\Temp
USERDOMAIN=AYSEL
USERNAME=???
USERPROFILE=C:\Documents and Settings\???
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

???1 (admin)
???2 (admin)
???3 (new local, admin)
???4 (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type13949 / Error
Event Submitted/Written: 01/21/2008 06:38:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application UPnPFramework.exe, version 3.0.2.21110, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Event Record #/Type13948 / Error
Event Submitted/Written: 01/21/2008 06:38:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application UPnPFramework.exe, version 3.0.2.21110, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Event Record #/Type13947 / Error
Event Submitted/Written: 01/21/2008 06:37:41 PM
Event ID/Source: 100 / UPnPFramework
Event Description:
Error in UPnPFramework [ID=PhotoServer, Cause=Unable to start framework]

Event Record #/Type13946 / Error
Event Submitted/Written: 01/21/2008 06:37:41 PM
Event ID/Source: 100 / UPnPFramework
Event Description:
Error in UPnPFramework [ID=MusicServer, Cause=Unable to start framework]

Event Record #/Type13945 / Warning
Event Submitted/Written: 01/21/2008 06:36:32 PM
Event ID/Source: 4354 / EventSystem
Event Description:
The COM+ Event System failed to fire the ConnectionMadeNoQOCInfo method on subscription {74A66F7D-60D8-4377-A2D6-FF28394ADB86}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80010105.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27746 / Error
Event Submitted/Written: 01/21/2008 06:39:16 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The VAIO Media Photo Server service has reported an invalid current state 272.

Event Record #/Type27745 / Error
Event Submitted/Written: 01/21/2008 06:38:28 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The VAIO Media Music Server (UPnP) service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type27744 / Error
Event Submitted/Written: 01/21/2008 06:38:27 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The VAIO Media Photo Server (UPnP) service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type27717 / Error
Event Submitted/Written: 01/21/2008 06:30:43 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type27687 / Error
Event Submitted/Written: 01/20/2008 08:01:40 PM / 01/20/2008 08:01:41 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000044' while processing the file 'spybotsd_includes.exe' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.



-- End of Deckard's System Scanner: finished at 2008-01-21 18:39:41 ------------

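For readers triaging a log like the one above, here is an added example (not part of the thread, and not code from Deckard's System Scanner, HijackThis or FixWareout): a small Python script that parses HijackThis-style O17 and O4 lines, lists resolver addresses that are neither private nor on an allow list, and names Run entries whose command carries no directory. The sample lines are constructed in that format (the O17 addresses are the ones quoted in the log); the allow-list parameter is an assumption, since the thread never states which resolvers the ISP issues.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the "HijackThis Clone" format DSS emits. The O17 lines
# reuse the resolver addresses quoted in the log above; the rest is illustrative.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{79D868E4-CBBD-43CE-83BC-24E446EF879E}: NameServer = 85.255.115.67,85.255.112.122
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.122
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")


def parse_nameservers(value: str) -> List[str]:
    """Split an O17 value; HijackThis prints both comma- and space-separated lists."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def unexpected_nameservers(log_text: str, allowed: List[str]) -> Dict[str, List[str]]:
    """Map each O17 registry key to the resolver addresses that are neither private
    (a home router on an RFC 1918 range) nor inside an operator-supplied allowed
    network. Hard-coded public resolvers the owner never set are the DNS-hijack
    symptom this thread is dealing with, so they are what a reviewer wants listed."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        flagged = []
        for addr in parse_nameservers(m.group("value")):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                flagged.append(addr)  # not an IP literal at all: worth a look
                continue
            if ip.is_private or any(ip in net for net in allowed_nets):
                continue
            flagged.append(addr)
        if flagged:
            findings[m.group("key")] = flagged
    return findings


def bare_run_entries(log_text: str) -> List[str]:
    """Return the names of O4 Run entries whose command gives no directory, so
    the executable is found by PATH search rather than an explicit location.
    That is a verification prompt, not a verdict: ICO.EXE is a mouse utility
    in the thread's log, but the log alone cannot confirm where it resolves."""
    names = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        command = m.group("command").strip()
        if command.startswith('"'):            # quoted path, possibly with spaces
            exe = command[1:].split('"', 1)[0]
        else:
            exe = command.split(maxsplit=1)[0] if command else ""
        if exe and "\\" not in exe and "/" not in exe:
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    # Assumed allow list: an ISP's resolver range would go here. None is known
    # for the machine in the thread, so only private addresses pass by default.
    for key, addrs in unexpected_nameservers(SAMPLE_LOG, []).items():
        print(f"check resolvers {', '.join(addrs)} set under {key}")
    for name in bare_run_entries(SAMPLE_LOG):
        print(f"verify Run entry [{name}]: command has no full path")
```

Run against the sample, the script reports the two O17 keys carrying the 85.255.x.x pair and leaves the 192.168.1.1 entry alone; passing a resolver range in `allowed` is how you tell it which public addresses the ISP legitimately hands out. The O4 check only says "look here", which matches how the helpers in this thread work: the log points at what to verify, and the cleanup tools do the rest.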
JSntgRvr
post Jan 28 2008, 02:12 PM
Post #2
Global Moderator
Posts: 6,771
From: Puerto Rico
OS: Windows XP, VISTA Home Premium

Hi, Chrissy G

Welcome.

Please print these instructions for reference, as you will have to restart your computer during the fix.

Please download FixWareout from Here or Here.

  1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  2. The fix will begin; follow the prompts.
  3. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
  4. Once the desktop loads a text file will open (report.txt).
    Please post C:\fixwareout\report.txt, along with a new HijackThis log, in this topic.

Let me know if the Internet Connection is established.
Chrissy G
post Jan 28 2008, 03:39 PM
Post #3
Member
Posts: 44
OS: XP

OK, will do; your help is appreciated.

Please bear in mind that I'm helping my friend here as it is her machine that is affected. Consequently, I'll download the file and we'll run it during the day when we are both at work as she can't access the internet yet. Might take a while to get back to you each time with a response as I'm the "one in the middle" !

Thank you - CG

Chrissy G
post Jan 29 2008, 01:08 PM
Post #4
Member
Posts: 44
OS: XP

I now have the laptop at my house as it was a bit difficult doing everything from work during the day.

Downloaded FixWareOut as suggested to Desktop.

However, when we ran it we got the error message "Not Admin. You need Administrative privleges to run this tool".

I've checked the user account of the user we are logged in with and it is classed as a Computer Administrator account (in fact all the accounts are the same). Please advise: shall we run it in the Administrator account in Safe Mode?

Also, we have uninstalled Norton Antivirus because it was extremely out of date with old virus definitions (like 2003....). So that was pretty redundant really and not doing much. I'm thinking of installing AVG Free version just for now in order to do a quick scan?

Despite not being able to run FixWareOut I think we've got the internet connection running now. I've gone into the TCP/IP Properties for the connection and removed the IP and DNS server addresses that were in there. They've been changed to "Obtain an IP address automatically" and "Obtain DNS server address automatically" respectively. It now seems to work and it has stayed intact after rebooting.

Another thing, my friend says things look like they are slowly disappearing. She should know as it's her laptop. Almost as if programs or files are being deleted each time we log on. I know Norton has gone now but she says there were "other things" previously. I know that's not very helpful but can these viruses/trojans go on a "deleting spree"?
JSntgRvr
post Jan 29 2008, 03:15 PM
Post #5
Global Moderator
Posts: 6,771
From: Puerto Rico
OS: Windows XP, VISTA Home Premium

Attempt to create another user profile with administrative rights in Safe Mode. Run Fixwareout, whether on this new account or as the Administrator.

Let's check if all services are running:

Download the enclosed folder (attachment: Test.zip).

Save and extract its contents to the desktop. It is a batch file. Once extracted, double click on the Test.bat file and post the report it will produce.
Chrissy G
post Jan 29 2008, 04:35 PM
Post #6
Member
Posts: 44
OS: XP

Ran FixWareOut in Administrator account in Safe Mode. Was not possible elsewhere even after creating another account with Administrative rights.

Also ran test.bat from the desktop; however, the result was a completely empty log - nothing whatsoever in it.


FixWareOut log:

Username "Administrator" - 29/01/2008 22:05:09 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdrxe.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.67 85.255.112.122" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{79D868E4-CBBD-43CE-83BC-24E446EF879E}
"nameserver"="85.255.115.67,85.255.112.122" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9251C282-3313-4ABB-9312-2AF09B83C1CE}
"DhcpNameServer"="85.255.115.67,85.255.112.122" <Value cleared.

JSntgRvr
post Jan 29 2008, 05:35 PM
Post #7
Global Moderator
Posts: 6,771
From: Puerto Rico
OS: Windows XP, VISTA Home Premium

Hi, Chrissy G.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


This post has been edited by JSntgRvr: Jan 29 2008, 05:37 PM
Chrissy G
post Jan 30 2008, 07:41 AM
Post #8
Member
Posts: 44
OS: XP

Hi

Unfortunately I could not get ComboFix to run. Always got the same message:

"Windows cannot find kmd.exe".

Tried files from each location and both were the same. Everything was disabled as requested and no browsers were running. Also tried installing it in Safe Mode with the Administrator account but that did not work either.

I checked your procedure and am sure that everything was done as requested.

JSntgRvr
post Jan 30 2008, 07:55 AM
Post #9
Global Moderator
Posts: 6,771
From: Puerto Rico
OS: Windows XP, VISTA Home Premium

Hi, Chrissy G

There is a bug affecting Combofix, although some real protection security may affect its working. It is always suggested that all real protection security is disabled prior to running Combofix. But first, let's download the latest version of Combofix.

Please remove the version of Combofix present in your computer, then follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
Chrissy G
post Jan 30 2008, 11:59 AM
Post #10
Member
Posts: 44
OS: XP

Downloaded again and renamed file but still got same error message. It creates a folder full of files in the root of C:\ but goes no further than the error message.

I should point out that although the internet connection is working, Internet Explorer is erratic and unstable. It's not possible to download on this machine straight to the Desktop because IE crashes; put in a URL like GeeksToGo.com and something else comes up.

We've been downloading any files on to another machine and transferring them via a memory stick as this is the only method we have currently.
JSntgRvr
post Jan 30 2008, 02:21 PM
Post #11
Global Moderator
Posts: 6,771
From: Puerto Rico
OS: Windows XP, VISTA Home Premium


Hi, Chrissy G

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  1. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    1. In the Processes group click Non Microsoft
    2. In the Win32 Services group click Non Microsoft
    3. In the Driver Services group click Non Microsoft
    4. In the Registry group click Non Microsoft
    5. In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
    6. In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is UNCHECKED.
    7. In the File String Search group select Non Microsoft.
    8. In the Additional Scans section, please press Select All and uncheck Non-Microsoft only.
  2. Now click the Run Scan button on the toolbar.
  3. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  4. When the scan is complete Notepad will open with the report file loaded in it.
  5. Save that Notepad file.
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
Chrissy G
post Jan 31 2008, 05:17 AM
Post #12
Member
Posts: 44
OS: XP

Report attached as requested.

Many thanks
Attached File(s)
Attached File  WinPFind3.Txt ( 196.84K ) Number of downloads: 13
JSntgRvr
post Jan 31 2008, 11:55 AM
Post #13
Global Moderator
Posts: 6,771
From: Puerto Rico
OS: Windows XP, VISTA Home Premium

Hi, Chrissy G

That log is clear. How is the computer doing? Can you run the Test.bat file? Allow it to run for a while. It should produce a log.
Chrissy G
post Jan 31 2008, 12:30 PM
Post #14
Member
Posts: 44
OS: XP

Hi JSntgRvr

As before, test.bat still produces a blank log.

It's not running very well. Internet Explorer is very erratic. For example, if I click on a link in Google it goes to a completely different random website, a different one each time. It's also not possible to enter a URL directly into the URL address field; it just won't work, nothing happens.

Other programs seem to randomly seize up as well with no warning.

We asked a "techy" at work today and he said it looked very much like a "rootkit" issue. However, as it is a personal laptop and not a work one he could not look at it for us.
Chrissy G
post Jan 31 2008, 12:42 PM
Post #15
Member
Posts: 44
OS: XP

Sorry, also forgot to mention that my friend says she deleted a file called 1.exe which was in the root of C:\. This was before we came on here. Also, there is a file called nod32se.exe in the WinPFind3U log. We understand this is an antivirus program, but she says she has never had this installed on her laptop.
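As an added example (not part of this thread, and not WinPFind3U's or ComboFix's own code), the Python script below reproduces in plain code two of the checks the helper asked for above: the "Files Modified Within 30 days" window from the WinPFind3U settings in post #11, and a flag for any executable sitting directly in the scan root, which is where the 1.exe mentioned in post #15 was found. The directory layout it scans, the extension list and the fixed clock value are constructed for this example; nothing here is taken from the friend's real disk.

```python
"""Added example, not from the thread and not WinPFind3U's or ComboFix's code.

File-age triage walk: flag files modified within the last N days, plus any
executable sitting directly in the scan root. The sample tree, the extension
list and the fixed clock are constructed for this example.
"""
import os
import tempfile
import time
from dataclasses import dataclass

SECONDS_PER_DAY = 86400.0
# Assumption for this example: extensions worth flagging (not WinPFind3U's own list).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif"}
FIXED_NOW = 1_000_000_000  # fixed "current time" so the sample run is reproducible


@dataclass(frozen=True)
class Finding:
    path: str
    age_days: float
    reasons: tuple


def triage(root, modified_days=30, now=None, stat=os.stat):
    """Walk `root` and return Findings sorted newest-first.

    Only st_mtime is used: on POSIX st_ctime is inode-change time, not
    creation time, so a cross-platform "created within" window is unreliable.
    A kernel-mode rootkit can hide files from a user-mode walk like this one,
    so an unexpectedly clean result is not proof of a clean disk.
    """
    now = time.time() if now is None else now
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = stat(path)
            except OSError:
                continue  # locked or vanished file: skip it rather than abort the scan
            age = (now - st.st_mtime) / SECONDS_PER_DAY
            reasons = []
            if age <= modified_days:
                reasons.append("modified-%dd" % modified_days)
            if dirpath == root and os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                reasons.append("executable-in-root")
            if reasons:
                findings.append(Finding(path, round(age, 2), tuple(reasons)))
    findings.sort(key=lambda f: f.age_days)
    return findings


def build_sample_tree(base, now):
    """Constructed sample layout for the demo (not the thread's real disk)."""
    def touch(rel, days_old):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
        stamp = now - days_old * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))  # back-date atime and mtime

    touch("1.exe", 200)                                # old, but an exe in the root
    touch("notes.txt", 5)                              # recent, harmless
    touch("WINDOWS/system32/drivers/oldone.sys", 100)  # outside the window, not in root
    touch("WINDOWS/system32/nod32se.exe", 2)           # recent exe deep in system32


def demo(now=FIXED_NOW):
    """Run the triage over the constructed tree; return (relpath, age_days, reasons)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, now)
        return [
            (os.path.relpath(f.path, base).replace(os.sep, "/"), f.age_days, f.reasons)
            for f in triage(base, modified_days=30, now=now)
        ]


if __name__ == "__main__":
    for rel, age, reasons in demo():
        print("%-40s %7.2f days  %s" % (rel, age, ",".join(reasons)))
```

On the constructed tree this reports nod32se.exe and notes.txt under the 30-day window and 1.exe as an executable in the root, while the 100-day-old driver is not listed. The caveat in the docstring matters for this thread: if the "techy" is right about a rootkit, a walk run from inside the infected Windows session can be lied to about which files exist, which is one reason helpers ask for logs from several tools and, when those come back blank, for the disk to be examined from a clean boot or another machine.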
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising