Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Aurora Pop-Ups

Started by evanfry , May 09 2005 04:41 AM

Please log in to reply

#1
evanfry

Posted 09 May 2005 - 04:41 AM

Member

Member
10 posts

Hello,

I recently started getting these pop ups from this "aurora" thing. I have ad-aware and spy doctor already and I tried using these programs to get rid of the problem, which didn't work. I have rebooted my system since then. I read some of the other posts dealing with aurora and they all instruct one to download HijackThis, which I did. The log is pasted below:

Logfile of HijackThis v1.99.1
Scan saved at 3:13:14 AM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\rwhmjc.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\EVANFR~1\LOCALS~1\Temp\Rar$EX04.466\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program

Files\CONFLICT.2\lexbar.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec

Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet

Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec

Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet

Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program

Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nnqjaa] c:\windows\system32\rwhmjc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mpa: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

http://a1540.g.akama...meInstaller.exe
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -

http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton

Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton

AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common

Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony

Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common

Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony

Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation -

C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner -

C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe"

/Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0"

/RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation -

C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program

Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway

/RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway"

/DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program

Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer

/DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program

Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP

/RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program

Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

I would really appreciate your help. Thanks for your time.

Evan

Edited by evanfry, 09 May 2005 - 06:46 PM.

#2
rstones12

Posted 10 May 2005 - 07:31 PM

Malware Expert

Retired Staff
3,731 posts

evanfry,

First a couple of things:
You are currently running HijackThis from a temporary folder. Please create a permanent folder on your C:\ drive and rename it something you will remember, such as C:\HJT. Move hijackthis.exe to that folder and run it from that location from now on.

Also, open notepad and uncheck wordwrap from the Format Menu.

Next

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

Scan with HJT and place a checkmark next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except HJT then click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Thanks,
rstones12

#3
evanfry

Posted 13 May 2005 - 04:50 PM

Member

Topic Starter
Member
10 posts

I followed your instructions exactly as you said. I put HJT in its own folder on the C drive. I copied the text and put it into a file named remove. I downloaded ewido as well. I restarted the computer and put it into safe mode and then opened the file named remove and then ran ewido. It ran until it was 85% done and then I got an error message sayin that the program needed to close. I ran it again and the same thing happened. After that I just gave up on it so I was wondering if you could help me with this problem?

Thanks,

Evan

#4
rstones12

Posted 13 May 2005 - 11:48 PM

Malware Expert

Retired Staff
3,731 posts

evanfry,

Please post back a new HJT log by using Add Reply

Thanks,
rstones12

#5
evanfry

Posted 14 May 2005 - 09:01 PM

Member

Topic Starter
Member
10 posts

rstones12,

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:56:42 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\phrikh.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iwmxtd] c:\windows\system32\phrikh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mpa: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

thanks,

Evan

#6
rstones12

Posted 17 May 2005 - 02:53 PM

Malware Expert

Retired Staff
3,731 posts

evanfry,
There has been an update to the fix, please follow these instructions.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#7
evanfry

Posted 21 May 2005 - 02:41 AM

Member

Topic Starter
Member
10 posts

Rstones12,

It took me a while to find the Nail program because the link wasn't working, but I found it on the site and downloaded it. Anyways I did as you instructed and here are the logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:24:13 AM, 5/21/2005
+ Report-Checksum: DB9051B4

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 68074
+ Speed: 48.19 Files/Second
+ Infected files: 273
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@atdmt[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@dcsi5li0l4twkfngxulmkxj49_6k2e[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@fastclick[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@hitbox[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@overture[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\[bleep] Screensaver.scr -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\Serials.txt.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\WinAmp 6 New!.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\SolidWorks Shared\XXX hardcore images.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\Sony Shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\Sony Shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Sony Shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\Symantec Shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\Symantec Shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Common Files\xing shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Common Files\xing shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\bbfe\instantshare\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Hewlett-Packard\Digital Imaging\hp psc 1200 series\Tour\img_shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\MBKWBar\IEToolBar.dll -> Spyware.MBKWBar.a -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\WKSHARED\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Microsoft Works\Works Source\COMMON\MSSHARED\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Movie Maker\Shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Movie Maker\Shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\DVgate Plus\SonyDVSharedLibrary\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\Program Files\Sony\PictureGear Studio\SharedData\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\enhtb.exe -> Trojan.Imiserv.c -> Ignored
C:\WINDOWS\ime\shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\WINDOWS\ime\shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\ime\shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\pgsfjdqjae.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\remtm3.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\ACDSee 9.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Adobe Photoshop 9 fuââ.exe -> Worm.Bagle.au -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Ahead Nero 7.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\KAV 5.0 -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Opera 8 New!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\[bleep] Screensaver.scr -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Serials.txt.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\WinAmp 6 New!.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Shared\XXX hardcore images.exe -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\ewerfw.exe -> Trojan.Glieder -> Ignored
C:\WINDOWS\system32\iiqnerz.exe -> Trojan.Agent.cp -> Ignored
C:\WINDOWS\system32\windll.exeopen -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\windll.exeopenopen -> Worm.Bagle.an -> Ignored
C:\WINDOWS\system32\wingo.exe -> Worm.Bagle.au -> Ignored
C:\WINDOWS\system32\wwnrot.exe -> Trojan.Glieder -> Ignored
C:\WINDOWS\system32\_dll.exe -> Trojan.Glieder -> Ignored
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Ignored
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Ignored

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 1:27:03 AM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [grluarm] c:\windows\system32\iiqnerz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mpa: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

#8
rstones12

Posted 21 May 2005 - 08:34 PM

Malware Expert

Retired Staff
3,731 posts

evanfry,

Please download Stinger
Remove anything it finds.

Please run at least one of these online scans, allow it to delete anything it finds:
You may have to select the auto-fix option prior to scanning, it should be a selection box on the screen. If you are a dial-up user just do one, this can take some time.
If you are a broadband user, I would suggest at least 2 of the 3. One extra scan is most often times enough.TrendMicro HouseCall
BitDefender On-Line Virus Scan
Panda ActiveScan
Please make a note of anything that wasn't or couldn't be fixed.
Reboot your machine when finished.

Post back a new HJT log by using Add Reply

Thanks,
rstones12

#9
evanfry

Posted 22 May 2005 - 03:30 AM

Member

Topic Starter
Member
10 posts

Hey rstones12,

I ran the S-T-I-N-G-E-R program and it couldn't remove one of the infections. I also ran the housecall program and the Panda ActiveScan. I have included the log of the activescan below the HJT log. I was wondering why the new HJT log still has the "F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe" line? I clicked "fix checked" last time. Also, Aurora is still popping up.

Logfile of HijackThis v1.99.1
Scan saved at 2:20:34 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mpa: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

and here is the Panda ActiveScan log:

Incident Status Location

Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/Transponder No disinfected c:\windows\system32\jxobcsg.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\DOCUME~1\EVANFR~1\LOCALS~1\Temp\THI*.tmp
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\nail.exe
Adware:Adware/MBKWBar No disinfected C:\Program Files\MBKWBar\IEToolBar.dll
Adware:Adware/AdSquash No disinfected C:\Documents and Settings\Evan Freiburg\Local Settings\Temp\offerp01.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Evan Freiburg\Local Settings\Temp\satmat.ini
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Evan Freiburg\Local Settings\Temp\THI3732.tmp\adremtm3.cab[remtm3.exe]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Evan Freiburg\Local Settings\Temp\THI51ED.tmp\adremtm3.cab[remtm3.exe]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Evan Freiburg\Local Settings\Temp\THI52A.tmp\adremtm3.cab[remtm3.exe]
Adware:Adware/MBKWBar No disinfected C:\Program Files\MBKWBar\IEToolBar.dll
Adware:Adware/MBKWBar No disinfected C:\Program Files\MBKWBar\MBKWBar.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Bolger.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\jdkcwr.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\remtm3.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\jxobcsg.exe
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\wupdt.exe

thanks,

Evan

#10
rstones12

Posted 23 May 2005 - 09:38 AM

Malware Expert

Retired Staff
3,731 posts

evanfry,
OK, we need to do this again. Please follow the intructions below.
Since you have downloaded Ewido, make sure to update it first then proceed with the rest of the intructions.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
Nailfix.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
SafeMode Help

Once in SafeMode, please double-click on Nailfix.cmd.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Now scan with HijackThis and place a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)

O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

Close all open windows except for HijackThis and click Fix Checked

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan by using Add Reply

Thanks,
rstones12

#11
evanfry

Posted 27 May 2005 - 01:15 AM

Member

Topic Starter
Member
10 posts

So I did as you said and I haven't got an Aurora Pop-up yet so (knock on wood) I think this attempt worked. Here is the ewido scan log and the HJT log:

EWIDO:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:46:45 PM, 5/26/2005
+ Report-Checksum: 178E4DE0

+ Date of database: 5/27/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 47375
+ Speed: 33.81 Files/Second
+ Infected files: 26
+ Removed files: 26
+ Files put in quarantine: 26
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@dcsi5li0l4twkfngxulmkxj49_6k2e[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan freiburg@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Evan Freiburg\Cookies\evan [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\MBKWBar\IEToolBar.dll -> Spyware.MBKWBar.a -> Cleaned with backup
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\enhtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\pgsfjdqjae.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\remtm3.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\ewerfw.exe -> Trojan.Glieder -> Cleaned with backup
C:\WINDOWS\system32\iqlufjq.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\wwnrot.exe -> Trojan.Glieder -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup

::Report End

HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:35 PM, on 5/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

thanks,

Evan

P.S. I'll let you know if there are any more auroras

#12
rstones12

Posted 27 May 2005 - 01:26 AM

Malware Expert

Retired Staff
3,731 posts

evanfry,
Thanks for the log, it looks like the last HJT log was done in SafeMode.
Can you post a new HJT log in normal mode.

Thanks,
rstones12

#13
evanfry

Posted 27 May 2005 - 10:39 AM

Member

Topic Starter
Member
10 posts

rstones12,

Here is the new HJT log in regular mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:45 AM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\j2re1.4.2_01\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

Thanks,

Evan

#14
rstones12

Posted 27 May 2005 - 07:50 PM

Malware Expert

Retired Staff
3,731 posts

evanfry,

OK things are looking better, we still need to do a few things yet.
Please read through these instructions before proceeding.

Download CleanUp
Install the program, dont run it yet, we will later.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

Unzip/extract the files inside to a folder on your desktop.
Dont run it yet.

Scan with HJT and place a checkmark next to the following items:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close all browsers and open windows except HJT and the click the Fix Checked button.

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot your system.

Open the folder and run FindIt's.bat and wait for notepad to open a text file. It may take awhile so please be patient ...
Then post the results here along with a new HJT log by using Add Reply

Thanks,
rstones12

#15
evanfry

Posted 28 May 2005 - 05:12 AM

Member

Topic Starter
Member
10 posts

rstones12,

Here is the textfile from findits:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 05/28/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 4025-28E8

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 4025-28E8

Directory of C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»».

I also have a new HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 4:10:45 AM, on 5/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

Thanks,

Evan

P.S. I especially liked the sound effects from the clean up program.