MSN Virus again!
Started by
merchantz
, Dec 11 2006 02:43 PM
#16
Posted 14 December 2006 - 05:27 PM
#17
Posted 15 December 2006 - 04:23 AM
Right.....
I followed yr instructions as much as possible.
I was able to remove all the trojans manually except 'C:\WINDOWS\hide_evr2.sys' which was not there.
I then rebooted but the same blue screen came up! So i rebooted in safe mode and ran a hijack this scan. I need now to get it from my computer onto another computer to post up here! Is it safe to transfer on a USB stick or portable HD? Or is it possible to connect to the interent in safe mode? Or increase the resolution of the screen which defaults to a small setting?
I have a friend who works for a university computer service so im going to get them to have a free look at it...Will let you know the outcome.
Maybe i should just re-install windows? It probably needs it anyway....and i could save all essential documents in dafe mode...would that guarantee getting all the viruses?
Thanks for all the advice.
I followed yr instructions as much as possible.
I was able to remove all the trojans manually except 'C:\WINDOWS\hide_evr2.sys' which was not there.
I then rebooted but the same blue screen came up! So i rebooted in safe mode and ran a hijack this scan. I need now to get it from my computer onto another computer to post up here! Is it safe to transfer on a USB stick or portable HD? Or is it possible to connect to the interent in safe mode? Or increase the resolution of the screen which defaults to a small setting?
I have a friend who works for a university computer service so im going to get them to have a free look at it...Will let you know the outcome.
Maybe i should just re-install windows? It probably needs it anyway....and i could save all essential documents in dafe mode...would that guarantee getting all the viruses?
Thanks for all the advice.
#18
Posted 15 December 2006 - 07:10 AM
Hi, merchantz
In Safe Mode, go to Start->right click on My Computer and select Properties. Select the Advaced Tab. Under Startup and Recovery, click on Settings . Remove the check mark from "Automatically Restart" under System Failure. Restart the computer. That should give you time to read the error message durng the Blue Screen. Post the error as it appears on screen.
You may be able to boot in Safe Mode with Networking and reach the internet.
Set Explorer to view Hidden Files and Folders:
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:
C:\WINDOWS
And select the file
hide_evr2.sys
Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.
Set Explorer to Defaults:
Let me know the outcome.
In Safe Mode, go to Start->right click on My Computer and select Properties. Select the Advaced Tab. Under Startup and Recovery, click on Settings . Remove the check mark from "Automatically Restart" under System Failure. Restart the computer. That should give you time to read the error message durng the Blue Screen. Post the error as it appears on screen.
You may be able to boot in Safe Mode with Networking and reach the internet.
I was able to remove all the trojans manually except 'C:\WINDOWS\hide_evr2.sys' which was not there.
Set Explorer to view Hidden Files and Folders:
- Right-click your Start button and go to "Explore".
- Select Tools from the menu
- Select Folder Options
- Select the View tab
- Click on Show all Files and Folders
- Remove the checkmarks from:
- Hide Extension from known files
- Hide protected operating sytem files
- Select Apply to All Folders | Yes | Apply | OK.
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:
C:\WINDOWS
And select the file
hide_evr2.sys
Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.
Set Explorer to Defaults:
- Right-click your Start button and go to "Explore".
- Select Tools from the menu
- Select Folder Options
- Select the View tab
- Click on Restore Defaults
- Select Apply to All Folders | Yes | Apply | OK.
Let me know the outcome.
#19
Posted 15 December 2006 - 07:31 AM
ok mate, will do tonite when i get back home.
Cheers
Cheers
#20
Posted 15 December 2006 - 10:49 AM
it says this again!
'STOP: c000031a {Fatal System Error} THe windows logon process system process terminated unexpectedly with a status of 0x00000142 (0x00000000 0x 000000000). THe system has been shut down
I did the thing with hijack this but the file is not there to delete! i searched my whole system and couldnt find it!
'STOP: c000031a {Fatal System Error} THe windows logon process system process terminated unexpectedly with a status of 0x00000142 (0x00000000 0x 000000000). THe system has been shut down
I did the thing with hijack this but the file is not there to delete! i searched my whole system and couldnt find it!
Edited by merchantz, 15 December 2006 - 11:03 AM.
#21
Posted 15 December 2006 - 11:10 AM
Hi, merchantz
Download the enclosed file: [attachment=12189:attachment]
and extract its contents to the desktop. Once extracted double click on the file and post the contents of the log it produces.
Download the enclosed file: [attachment=12189:attachment]
and extract its contents to the desktop. Once extracted double click on the file and post the contents of the log it produces.
#22
Posted 15 December 2006 - 11:15 AM
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ OLLILAPTOP
DefaultUserName REG_SZ Oliver Standing
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x1
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ Oliver Standing
AltDefaultDomainName REG_SZ OLLILAPTOP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME> REG_SZ Microsoft Disk Quota
NoMachinePolicy REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
RequiresSuccessfulRegistry REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x0
DllName REG_EXPAND_SZ dskquota.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
<NO NAME> REG_SZ Internet Explorer Zonemapping
DllName REG_EXPAND_SZ iedkcs32.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicyForZoneMap
NoGPOListChanges REG_DWORD 0x1
RequiresSucessfulRegistry REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessSecurityPolicyGPO
GenerateGroupPolicy REG_SZ SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel REG_DWORD 0x1
ProcessGroupPolicyEx REG_SZ SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel REG_DWORD 0x1
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ Security
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x1
MaxNoGPOListChangesInterval REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
DllName REG_EXPAND_SZ iedkcs32.dll
<NO NAME> REG_SZ Internet Explorer Branding
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x1
NoMachinePolicy REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessEFSRecoveryGPO
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ EFS recovery
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
RequiresSuccessfulRegistry REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}
<NO NAME> REG_SZ Microsoft Offline Files
DllName REG_EXPAND_SZ %SystemRoot%\System32\cscui.dll
EnableAsynchronousProcessing REG_DWORD 0x0
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x0
NoMachinePolicy REG_DWORD 0x0
NoSlowLink REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
RequiresSuccessfulRegistry REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME> REG_SZ Software Installation
DllName REG_EXPAND_SZ appmgmts.dll
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyObjectsEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
NoBackgroundPolicy REG_DWORD 0x0
RequiresSucessfulRegistry REG_DWORD 0x0
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
EventSources REG_MULTI_SZ (Application Management,Application)\0(MsiInstaller,Application)\0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName REG_SZ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon REG_SZ SABWINLOLogon
Logoff REG_SZ SABWINLOLogoff
Startup REG_SZ SABWINLOStartup
Shutdown REG_SZ SABWINLOShutdown
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxsrvc.dll
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Unlock REG_SZ WinlogonUnlockEvent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x0
Dllname REG_SZ C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
Logon REG_SZ IntelUserLogon
Logoff REG_SZ IntelUserLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VESWinlogon
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x0
Startup REG_SZ EventStartup
DllName REG_EXPAND_SZ VESWinlogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
Logon REG_SZ WLEventLogon
Logoff REG_SZ WLEventLogoff
Startup REG_SZ WLEventStartup
Shutdown REG_SZ WLEventShutdown
StartScreenSaver REG_SZ WLEventStartScreenSaver
StopScreenSaver REG_SZ WLEventStopScreenSaver
Lock REG_SZ WLEventLock
Unlock REG_SZ WLEventUnlock
StartShell REG_SZ WLEventStartShell
PostShell REG_SZ WLEventPostShell
Disconnect REG_SZ WLEventDisconnect
Reconnect REG_SZ WLEventReconnect
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x0
SafeMode REG_DWORD 0x1
MaxWait REG_DWORD 0xffffffff
DllName REG_EXPAND_SZ WgaLogon.dll
Event REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
Data REG_BINARY 01000000D08C9DDF0115D1118C7A00C04FC297EB010000005F04023829F27542BB7A277863D6AE9104000000040000005300000003660000A800000010000000F29D6B8153C45944E2F6859B1228686A0000000004800000A000000010000000FA3B3956F054A18F683DA5E5FC997A2D080600000B6A20EE85E95F3AB1AD7633CD1F04A021077D9D89D0152CDDE1BD7AFCDFC7B0EC6E6C27859515E77EAB39637C27F12A2CBF2D1D197F088216B3443BD0B83ED9523844FA8077B1E66182AA4372C6E1502DC8B00E4669EAA0A019037302F36873339EF8BEC19820C3F802348FF3981513F6185B08828EAD4726CD21442A5328F15F9B6DE1DFED0710E26673982C224BA871E1B9D554D564795704878F4EE54EEDE951185EB7ACA85C9474ABA7A6C4FF8B9F00EE2B79EEE098DF4204D38029486B063C8B0915383E5CF8DD06F8799FD44A32A7EF15C27B921C4E3002CC52452A9C4FEA9DC7611C8B4A6FF5094CC3381BC3347BD8B108603F55C4F118E7176012FF0B2383B59E513EFABB1729956749CD302783F5686B9451C803219CBF99369204A8900C0C8780D2566D75D5FAF7EE0508DABF48F5736B960B1E3E30AE4804DDCEDF3B796AD60811A2D3EC53ACA5486B753A34E74A4FCCD96A45D2DCE1C503A73237A973D1729255502B3D765D9626C1C53561042EDC88544BDA16BE8E27C63F94F6EB10475683D8357FA017CA3B21BAE949D7E6FB94408DCBB76BCD1B583522434E4F85836518E54BAF1E945EFD8E9C9EC7E8FACFD3DF9639E347E2E491C74AAE132710FC83D4AD2920577F12DE2E14EE748E07D4E135776531AC5AC17571C6E7BE47048EEAFF224D3BD8F1A89F54B93F139C4D3FB3688C2A6A10B7180C7B53F40E3049FCCE208BCAFCD827164631E32E9E23F6ABDA325C2F7317A7BFB8A8BABAA27DA68262C2B3279ADBE9EDFAA52399015A54B8D5002C31A3060E20BFFE27873E74A5708D648CA1CA75289D8E1A2905C07929E14B3DF751A1B539C76C3ED7AB8C81C1F2C1F5A2E7550C37FAFBEA842B947634BBDC661EFD86D4C199A19467EA77B2338D5DCAB05DAF6DCCA327A77C4EE8691266DC7C0EA33AEACA0C4F5E2E132C00E13DA9E553FFB9F3BE1612513EBC172EDBA73687AF87EFD42864C1E08257462252643E646A3D6D9A815825F27D2FF94D20D1428DEBC63E6E425AC55F4A09A736043AEDB9DB6E244E18B7C1FAFF9E91D7F720123EBB6D032B9F05FC7977FDAF860904955B21D3A9CD9259A5FAE94F96E9A6DB7DAF2C26079FEA3BEB5D69EFFBCE2B0536203DFA7DB60E761FAB65A26E400E7EEE6E31FDEB4BFAA7582FF787880C218C04D94718C88A01E40DFF24AF195111C477D7F44CCA0E39E5D86FEF30A11E1570529F0982B81C5884A2BCD6C0D6B06E0931F6BAC34E04C876B135E5A127C409D81BD38B7145D7217CE326E683ADF5DF20A3CDC18289DE1D25031E60C6927FB73AC4FAC58BB81C16F61C5D8E4DC79B3F1D1FB232FBCC62285AE6D41ADD3C4759E9FF7BF960C28DFD1C61AE9365671295E7563DDC256BB6B6821DDE34E43B0088A4CC8A66FD6DD25147A1C93C51EEE309BD45DF6F62E94EE4F301C7215ADB5C5668D597C2DB73673ADA0E7B1E662E95ED81B89EFDDE04B2ACE07802747BCAB232C51A8B7BC697F23DC607DAB6D528CFAB47D5A7861EF677E6C87378009FB67D26DFC4BEF18D2BDE59952EFA48ACA9D4EC9F2905668002267E37AFBC6A1FEC9F63BA559D5721FF98BD71D57F2AA0C30831EF43FF37617A897572FA0F0057C266219EE655E0FE54279EE4FA80595841110DBAA0C77F4813668489ECDFEDC1E2048AA9E4D5AE21ACA5B2A9CAD3D3477C4A44B95E68BC61CE03AFB1E861337F629FD8AC988DDDDD36B70FB08FA93ECA2D1BEAF4F874B94B27C50D8F63D664AB879034A280E96C24212CE99EAB24A01E5A94860EA7D79D3B167DD0929B8AF8D89A4BD7F35DA2E85841F5B7CD476A2DC3255450C05585AA1387CE1A45BD472EF45F45B0C658A531AC18A76499B747368061B4B5A8022F2D36DDAACCBA9DC8B771D4D5D142B34D273BF0BD32DC47D58C39013D532EFB69B9A298CF66BD8DE3B8108115B39DB29009B70B6D605FD28B9CF703A77586D9D2EA51C80562C63CA29DD1D0A262D6AD2E1E66EA2257C2529F0E9FD9634B4534088316309FA35A79E6B02069175717247EEA74B0472B26AB659082F48DBB322E96513CAB7DDCF25359E9D0681B4D83269E4B6557D46098FC2E2BE420730997EF92F61CBC50DC45DAB22509E6BE2764857AFA3796406299C076742E4CF460EEF6E3F6BBF7563D0AC94F765CF824560A6B66BAED1400000007910839C61C883456D6EAFED06359EC05E6525A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HelpAssistant REG_DWORD 0x0
TsInternetUser REG_DWORD 0x0
SQLAgentCmdExec REG_DWORD 0x0
NetShowServices REG_DWORD 0x0
IWAM_ REG_DWORD 0x10000
IUSR_ REG_DWORD 0x10000
VUSR_ REG_DWORD 0x10000
ASPNET REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ OLLILAPTOP
DefaultUserName REG_SZ Oliver Standing
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x1
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ Oliver Standing
AltDefaultDomainName REG_SZ OLLILAPTOP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME> REG_SZ Microsoft Disk Quota
NoMachinePolicy REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
RequiresSuccessfulRegistry REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x0
DllName REG_EXPAND_SZ dskquota.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
<NO NAME> REG_SZ Internet Explorer Zonemapping
DllName REG_EXPAND_SZ iedkcs32.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicyForZoneMap
NoGPOListChanges REG_DWORD 0x1
RequiresSucessfulRegistry REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessSecurityPolicyGPO
GenerateGroupPolicy REG_SZ SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel REG_DWORD 0x1
ProcessGroupPolicyEx REG_SZ SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel REG_DWORD 0x1
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ Security
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x1
MaxNoGPOListChangesInterval REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
DllName REG_EXPAND_SZ iedkcs32.dll
<NO NAME> REG_SZ Internet Explorer Branding
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x1
NoMachinePolicy REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessEFSRecoveryGPO
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ EFS recovery
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
RequiresSuccessfulRegistry REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}
<NO NAME> REG_SZ Microsoft Offline Files
DllName REG_EXPAND_SZ %SystemRoot%\System32\cscui.dll
EnableAsynchronousProcessing REG_DWORD 0x0
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x0
NoMachinePolicy REG_DWORD 0x0
NoSlowLink REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
RequiresSuccessfulRegistry REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME> REG_SZ Software Installation
DllName REG_EXPAND_SZ appmgmts.dll
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyObjectsEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
NoBackgroundPolicy REG_DWORD 0x0
RequiresSucessfulRegistry REG_DWORD 0x0
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
EventSources REG_MULTI_SZ (Application Management,Application)\0(MsiInstaller,Application)\0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName REG_SZ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon REG_SZ SABWINLOLogon
Logoff REG_SZ SABWINLOLogoff
Startup REG_SZ SABWINLOStartup
Shutdown REG_SZ SABWINLOShutdown
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxsrvc.dll
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Unlock REG_SZ WinlogonUnlockEvent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x0
Dllname REG_SZ C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
Logon REG_SZ IntelUserLogon
Logoff REG_SZ IntelUserLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VESWinlogon
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x0
Startup REG_SZ EventStartup
DllName REG_EXPAND_SZ VESWinlogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
Logon REG_SZ WLEventLogon
Logoff REG_SZ WLEventLogoff
Startup REG_SZ WLEventStartup
Shutdown REG_SZ WLEventShutdown
StartScreenSaver REG_SZ WLEventStartScreenSaver
StopScreenSaver REG_SZ WLEventStopScreenSaver
Lock REG_SZ WLEventLock
Unlock REG_SZ WLEventUnlock
StartShell REG_SZ WLEventStartShell
PostShell REG_SZ WLEventPostShell
Disconnect REG_SZ WLEventDisconnect
Reconnect REG_SZ WLEventReconnect
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x0
SafeMode REG_DWORD 0x1
MaxWait REG_DWORD 0xffffffff
DllName REG_EXPAND_SZ WgaLogon.dll
Event REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
Data REG_BINARY 01000000D08C9DDF0115D1118C7A00C04FC297EB010000005F04023829F27542BB7A277863D6AE9104000000040000005300000003660000A800000010000000F29D6B8153C45944E2F6859B1228686A0000000004800000A000000010000000FA3B3956F054A18F683DA5E5FC997A2D080600000B6A20EE85E95F3AB1AD7633CD1F04A021077D9D89D0152CDDE1BD7AFCDFC7B0EC6E6C27859515E77EAB39637C27F12A2CBF2D1D197F088216B3443BD0B83ED9523844FA8077B1E66182AA4372C6E1502DC8B00E4669EAA0A019037302F36873339EF8BEC19820C3F802348FF3981513F6185B08828EAD4726CD21442A5328F15F9B6DE1DFED0710E26673982C224BA871E1B9D554D564795704878F4EE54EEDE951185EB7ACA85C9474ABA7A6C4FF8B9F00EE2B79EEE098DF4204D38029486B063C8B0915383E5CF8DD06F8799FD44A32A7EF15C27B921C4E3002CC52452A9C4FEA9DC7611C8B4A6FF5094CC3381BC3347BD8B108603F55C4F118E7176012FF0B2383B59E513EFABB1729956749CD302783F5686B9451C803219CBF99369204A8900C0C8780D2566D75D5FAF7EE0508DABF48F5736B960B1E3E30AE4804DDCEDF3B796AD60811A2D3EC53ACA5486B753A34E74A4FCCD96A45D2DCE1C503A73237A973D1729255502B3D765D9626C1C53561042EDC88544BDA16BE8E27C63F94F6EB10475683D8357FA017CA3B21BAE949D7E6FB94408DCBB76BCD1B583522434E4F85836518E54BAF1E945EFD8E9C9EC7E8FACFD3DF9639E347E2E491C74AAE132710FC83D4AD2920577F12DE2E14EE748E07D4E135776531AC5AC17571C6E7BE47048EEAFF224D3BD8F1A89F54B93F139C4D3FB3688C2A6A10B7180C7B53F40E3049FCCE208BCAFCD827164631E32E9E23F6ABDA325C2F7317A7BFB8A8BABAA27DA68262C2B3279ADBE9EDFAA52399015A54B8D5002C31A3060E20BFFE27873E74A5708D648CA1CA75289D8E1A2905C07929E14B3DF751A1B539C76C3ED7AB8C81C1F2C1F5A2E7550C37FAFBEA842B947634BBDC661EFD86D4C199A19467EA77B2338D5DCAB05DAF6DCCA327A77C4EE8691266DC7C0EA33AEACA0C4F5E2E132C00E13DA9E553FFB9F3BE1612513EBC172EDBA73687AF87EFD42864C1E08257462252643E646A3D6D9A815825F27D2FF94D20D1428DEBC63E6E425AC55F4A09A736043AEDB9DB6E244E18B7C1FAFF9E91D7F720123EBB6D032B9F05FC7977FDAF860904955B21D3A9CD9259A5FAE94F96E9A6DB7DAF2C26079FEA3BEB5D69EFFBCE2B0536203DFA7DB60E761FAB65A26E400E7EEE6E31FDEB4BFAA7582FF787880C218C04D94718C88A01E40DFF24AF195111C477D7F44CCA0E39E5D86FEF30A11E1570529F0982B81C5884A2BCD6C0D6B06E0931F6BAC34E04C876B135E5A127C409D81BD38B7145D7217CE326E683ADF5DF20A3CDC18289DE1D25031E60C6927FB73AC4FAC58BB81C16F61C5D8E4DC79B3F1D1FB232FBCC62285AE6D41ADD3C4759E9FF7BF960C28DFD1C61AE9365671295E7563DDC256BB6B6821DDE34E43B0088A4CC8A66FD6DD25147A1C93C51EEE309BD45DF6F62E94EE4F301C7215ADB5C5668D597C2DB73673ADA0E7B1E662E95ED81B89EFDDE04B2ACE07802747BCAB232C51A8B7BC697F23DC607DAB6D528CFAB47D5A7861EF677E6C87378009FB67D26DFC4BEF18D2BDE59952EFA48ACA9D4EC9F2905668002267E37AFBC6A1FEC9F63BA559D5721FF98BD71D57F2AA0C30831EF43FF37617A897572FA0F0057C266219EE655E0FE54279EE4FA80595841110DBAA0C77F4813668489ECDFEDC1E2048AA9E4D5AE21ACA5B2A9CAD3D3477C4A44B95E68BC61CE03AFB1E861337F629FD8AC988DDDDD36B70FB08FA93ECA2D1BEAF4F874B94B27C50D8F63D664AB879034A280E96C24212CE99EAB24A01E5A94860EA7D79D3B167DD0929B8AF8D89A4BD7F35DA2E85841F5B7CD476A2DC3255450C05585AA1387CE1A45BD472EF45F45B0C658A531AC18A76499B747368061B4B5A8022F2D36DDAACCBA9DC8B771D4D5D142B34D273BF0BD32DC47D58C39013D532EFB69B9A298CF66BD8DE3B8108115B39DB29009B70B6D605FD28B9CF703A77586D9D2EA51C80562C63CA29DD1D0A262D6AD2E1E66EA2257C2529F0E9FD9634B4534088316309FA35A79E6B02069175717247EEA74B0472B26AB659082F48DBB322E96513CAB7DDCF25359E9D0681B4D83269E4B6557D46098FC2E2BE420730997EF92F61CBC50DC45DAB22509E6BE2764857AFA3796406299C076742E4CF460EEF6E3F6BBF7563D0AC94F765CF824560A6B66BAED1400000007910839C61C883456D6EAFED06359EC05E6525A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HelpAssistant REG_DWORD 0x0
TsInternetUser REG_DWORD 0x0
SQLAgentCmdExec REG_DWORD 0x0
NetShowServices REG_DWORD 0x0
IWAM_ REG_DWORD 0x10000
IUSR_ REG_DWORD 0x10000
VUSR_ REG_DWORD 0x10000
ASPNET REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials
#23
Posted 15 December 2006 - 11:33 AM
Hi, merchantz
Nothing wrong there.
Run Combofix and post the log along a Hijackthis log (even if it is in Safe Mode)
Nothing wrong there.
Run Combofix and post the log along a Hijackthis log (even if it is in Safe Mode)
#24
Posted 15 December 2006 - 03:08 PM
my computer now will not start at all. i am very worried for it. i am going to drop it off with some people tomorow.
thanks for all the help.
thanks for all the help.
#25
Posted 15 December 2006 - 05:15 PM
Hi, merchantz
I hate to lose one but, I understand.
Keep me posted on the issue.
I hate to lose one but, I understand.
Keep me posted on the issue.
#26
Posted 18 December 2006 - 02:46 AM
I discovered why the computer was not turning on....
...I had accidently unplugged it! Schoolboy error.
My friend is looking at it but i'll let you know how it turns out.
Cheers
...I had accidently unplugged it! Schoolboy error.
My friend is looking at it but i'll let you know how it turns out.
Cheers
#27
Posted 20 December 2006 - 12:26 PM
Right, back again in Safe mode!!
Logfile of HijackThis v1.99.1
Scan saved at 18:24:33, on 20/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vcl.vaio.sony...eu/PforVAIO.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com/en/
O3 - Toolbar: DiskView - {6A882320-BDD0-4ff4-BE3A-D8BAF82668E9} - C:\Program Files\Vyooh\DiskView\VizBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
Combofix
Logfile of HijackThis v1.99.1
Scan saved at 18:24:33, on 20/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vcl.vaio.sony...eu/PforVAIO.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com/en/
O3 - Toolbar: DiskView - {6A882320-BDD0-4ff4-BE3A-D8BAF82668E9} - C:\Program Files\Vyooh\DiskView\VizBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
Combofix
#28
Posted 20 December 2006 - 12:40 PM
Hi, merchantz
Run Combofix and post the report.
Run Combofix and post the report.
#29
Posted 20 December 2006 - 01:03 PM
Unfortunately Combifix crashes my computer every time i use it! I'm lost!
#30
Posted 20 December 2006 - 04:28 PM
Hi, merchantz
Create a Startup List
file and extract its contents to the desktop. Once extracted, doubleclick on it and post the log it produces.
Create a Startup List
- Open HiJackThis
- Click on the "Config..." button on the bottom right
- Click on the tab "Misc Tools"
- Check off the 2 boxes next to the Box that says "Generate StartupList log"
- Click on the button "Generate StartupList log"
- Copy and past the StartupList from the notepad into your next post
file and extract its contents to the desktop. Once extracted, doubleclick on it and post the log it produces.
Edited by JSntgRvr, 20 December 2006 - 04:29 PM.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users