Sgooter's Infected PC [RESOLVED]


  • This topic is locked This topic is locked

#16 Sgooter (Topic Starter)
Matt,
This fresh post is coming from my wife's infected PC.
We really needed to access the internet with my wife's PC, so I did a system restore back to 22 Nov (at a point before we ran the scan on this PC using l2mifix).
Next, I applied your instructions at Post #13 regarding removal of Surfsidekick, which worked fine, and somehow our internet access has been restored. Why the internet access is now working is a mystery to me, but it's likely to be very obvious to your sharp eyes!

At any rate, here's a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:58 AM, on 11/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dqcprop.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
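The entries that matter in the log above are the ones later posts turn out to be chasing: two O20 Winlogon Notify packages with random-looking names (awtqp, and a package named RunOnce loading dqcprop.dll), a BHO with "(no name)" that points at the same awtqp.dll, an orphaned R3 URLSearchHook, and an HKCU Run entry whose target HijackThis prints as j?vaw.exe. The following is an added example written by the editor, not part of the post and not a HijackThis feature; it triages lines of this shape and prints what a helper would want to look at first. All sample lines are copied verbatim from the log in this post; the allow-list of Winlogon Notify packages, the list of imitated system binaries and the severity labels are the editor's assumptions, so anything flagged is "review this", not a verdict.

```python
"""Triage of HijackThis 1.99.1 log lines for the hook types abused by the
adware in this thread. Added example; not part of the post or of HijackThis."""
import re

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'[^\\"]+\.exe', re.IGNORECASE)

# Assumption: partial list of Winlogon Notify packages from Windows XP and
# common vendor drivers. Anything not listed gets reviewed, not condemned.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
# Assumption: system binaries whose names adware of this era liked to imitate.
MIMICKED = {"javaw.exe", "java.exe", "svchost.exe", "rundll32.exe",
            "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SEVERITY = {"high": 0, "medium": 1, "low": 2}

# Sample: lines copied from the HJT log posted above, including benign ones.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dqcprop.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def lookalike(exe):
    """Return the imitated system binary that differs from exe in exactly one character, else None."""
    for good in MIMICKED:
        if exe != good and len(exe) == len(good) and sum(a != b for a, b in zip(exe, good)) == 1:
            return good
    return None


def triage_line(line):
    """Findings for one HJT line as (severity, kind, reason) tuples."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    out = []
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
        if name.strip().lower() not in KNOWN_NOTIFY:
            out.append(("high", kind, f"unknown Winlogon Notify package {name.strip()!r} loads {path.strip()} into winlogon.exe"))
    elif kind == "O2" and "(no name)" in body:
        out.append(("medium", kind, "BHO registered without a name: " + body.rsplit(" - ", 1)[-1]))
    elif kind == "R3" and body.endswith("(no file)"):
        out.append(("low", kind, "URLSearchHook CLSID whose DLL is gone; registry residue to clean"))
    elif kind == "O4":
        target = body.partition("] ")[2]
        hit = EXE_RE.search(target)
        if hit:
            exe = hit.group(0).lower()
            # HijackThis renders characters outside the ANSI code page as '?',
            # and '?' is illegal in a Windows file name, so one in an autorun
            # target means the real name was made unreadable on purpose.
            if "?" in exe:
                out.append(("high", kind, f"unprintable character in autorun target {exe!r}"))
            good = lookalike(exe)
            if good:
                out.append(("high", kind, f"autorun target {exe!r} imitates {good}"))
    return out


def triage_log(text):
    """Triage every line, then cross-reference DLLs registered under more than one hook type."""
    findings = []
    dll_hooks = {}  # dll basename -> set of entry kinds that load it
    for line in text.splitlines():
        findings.extend(triage_line(line))
        m = HJT_LINE.match(line.strip())
        if m and m.group("kind") in ("O2", "O20") and m.group("body").lower().endswith(".dll"):
            dll = basename(m.group("body").rsplit(" - ", 1)[-1])
            dll_hooks.setdefault(dll, set()).add(m.group("kind"))
    for dll, kinds in dll_hooks.items():
        if len(kinds) > 1:
            findings.append(("high", "+".join(sorted(kinds)), f"{dll} is loaded both as a BHO and as a Winlogon Notify package"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


if __name__ == "__main__":
    for sev, kind, reason in triage_log(SAMPLE_LOG):
        print(f"{sev:6} {kind:8} {reason}")
```

The cross-reference is the useful part: a DLL that is both a BHO (runs inside Internet Explorer) and a Winlogon Notify package (loaded by winlogon.exe before any user shell, which is why it survives normal cleaning and why a System Restore snapshot brings it straight back) is almost never legitimate, and it tells the helper which file has to be removed from both hooks in the same pass.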
#17 Matt
Sgooter, by doing system restore, you put an infection back on that we had removed. But don't worry, we can get it off. You also have many more infections that we will deal with after this one is gone.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply, along with a new HJT log.

#18 Sgooter (Topic Starter)
Hi Matt,
Here's the SpySweeper Log:

********
8:57 AM: | Start of Session, Wednesday, November 23, 2005 |
8:57 AM: Spy Sweeper started
8:57 AM: Sweep initiated using definitions version 574
8:57 AM: Starting Memory Sweep
8:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 AM: Found Adware: icannnews
8:58 AM: Detected running threat: C:\WINDOWS\system32\mols31.dll (ID = 125214)
8:58 AM: Detected running threat: C:\WINDOWS\system32\dqcprop.dll (ID = 125214)
8:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 AM: Memory Sweep Complete, Elapsed Time: 00:01:38
8:59 AM: Starting Registry Sweep
8:59 AM: Found Adware: surfsidekick
8:59 AM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
8:59 AM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
8:59 AM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
8:59 AM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
8:59 AM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
8:59 AM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
8:59 AM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
8:59 AM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
8:59 AM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
8:59 AM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
8:59 AM: Found Trojan Horse: trojan-downloader-conhook
8:59 AM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
8:59 AM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
8:59 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
8:59 AM: Found Adware: drsnsrch.com hijack
8:59 AM: HKU\S-1-5-21-2455820761-3905421916-3500560185-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
8:59 AM: HKU\S-1-5-21-2455820761-3905421916-3500560185-1005\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
8:59 AM: HKU\S-1-5-21-2455820761-3905421916-3500560185-1005\software\surfsidekick3\ (3 subtraces) (ID = 143412)
8:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:59 AM: Registry Sweep Complete, Elapsed Time:00:00:16
8:59 AM: Starting Cookie Sweep
8:59 AM: Found Spy Cookie: 2o7.net cookie
8:59 AM: pskapoor@2o7[2].txt (ID = 1957)
8:59 AM: Found Spy Cookie: websponsors cookie
8:59 AM: [email protected][2].txt (ID = 3665)
8:59 AM: Found Spy Cookie: abcsearch cookie
8:59 AM: pskapoor@abcsearch[1].txt (ID = 2033)
8:59 AM: Found Spy Cookie: yieldmanager cookie
8:59 AM: [email protected][2].txt (ID = 3751)
8:59 AM: Found Spy Cookie: adecn cookie
8:59 AM: pskapoor@adecn[2].txt (ID = 2063)
8:59 AM: Found Spy Cookie: adknowledge cookie
8:59 AM: pskapoor@adknowledge[1].txt (ID = 2072)
8:59 AM: Found Spy Cookie: hbmediapro cookie
8:59 AM: [email protected][2].txt (ID = 2768)
8:59 AM: Found Spy Cookie: specificclick.com cookie
8:59 AM: [email protected][2].txt (ID = 3400)
8:59 AM: Found Spy Cookie: adrevolver cookie
8:59 AM: pskapoor@adrevolver[2].txt (ID = 2088)
8:59 AM: pskapoor@adrevolver[3].txt (ID = 2088)
8:59 AM: Found Spy Cookie: falkag cookie
8:59 AM: [email protected][1].txt (ID = 2650)
8:59 AM: [email protected][1].txt (ID = 2650)
8:59 AM: Found Spy Cookie: ask cookie
8:59 AM: pskapoor@ask[1].txt (ID = 2245)
8:59 AM: Found Spy Cookie: azjmp cookie
8:59 AM: pskapoor@azjmp[1].txt (ID = 2270)
8:59 AM: Found Spy Cookie: bluestreak cookie
8:59 AM: pskapoor@bluestreak[2].txt (ID = 2314)
8:59 AM: Found Spy Cookie: centrport net cookie
8:59 AM: pskapoor@centrport[1].txt (ID = 2374)
8:59 AM: Found Spy Cookie: ru4 cookie
8:59 AM: [email protected][2].txt (ID = 3269)
8:59 AM: Found Spy Cookie: exitexchange cookie
8:59 AM: pskapoor@exitexchange[2].txt (ID = 2633)
8:59 AM: Found Spy Cookie: starware.com cookie
8:59 AM: [email protected][2].txt (ID = 3442)
8:59 AM: Found Spy Cookie: clickandtrack cookie
8:59 AM: [email protected][2].txt (ID = 2397)
8:59 AM: Found Spy Cookie: kmpads cookie
8:59 AM: pskapoor@kmpads[1].txt (ID = 2909)
8:59 AM: Found Spy Cookie: maxserving cookie
8:59 AM: pskapoor@maxserving[1].txt (ID = 2966)
8:59 AM: [email protected][1].txt (ID = 1958)
8:59 AM: Found Spy Cookie: mygeek cookie
8:59 AM: pskapoor@mygeek[1].txt (ID = 3041)
8:59 AM: Found Spy Cookie: overture cookie
8:59 AM: [email protected][1].txt (ID = 3106)
8:59 AM: Found Spy Cookie: questionmarket cookie
8:59 AM: pskapoor@questionmarket[1].txt (ID = 3217)
8:59 AM: Found Spy Cookie: realmedia cookie
8:59 AM: pskapoor@realmedia[1].txt (ID = 3235)
8:59 AM: Found Spy Cookie: statcounter cookie
8:59 AM: pskapoor@statcounter[1].txt (ID = 3447)
8:59 AM: Found Spy Cookie: trafficmp cookie
8:59 AM: pskapoor@trafficmp[2].txt (ID = 3581)
8:59 AM: Found Spy Cookie: tribalfusion cookie
8:59 AM: pskapoor@tribalfusion[1].txt (ID = 3589)
8:59 AM: Found Spy Cookie: valuead cookie
8:59 AM: pskapoor@valuead[1].txt (ID = 3626)
8:59 AM: Found Spy Cookie: redzip cookie
8:59 AM: [email protected][2].txt (ID = 3250)
8:59 AM: [email protected][1].txt (ID = 3442)
8:59 AM: Found Spy Cookie: adserver cookie
8:59 AM: [email protected][1].txt (ID = 2142)
8:59 AM: Found Spy Cookie: zedo cookie
8:59 AM: pskapoor@zedo[2].txt (ID = 3762)
8:59 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:59 AM: Starting File Sweep
9:00 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:00 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:00 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:00 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:00 AM: Found Adware: directrevenue-abetterinternet
9:00 AM: a0039829.exe (ID = 134935)
9:00 AM: a0039853.dll (ID = 140769)
9:00 AM: a0041068.dll (ID = 125214)
9:00 AM: a0039859.exe (ID = 134935)
9:00 AM: a0030235.exe (ID = 115260)
9:00 AM: a0030255.exe (ID = 135267)
9:00 AM: a0030258.exe (ID = 143034)
9:01 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:01 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:01 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:01 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:01 AM: a0039854.dll (ID = 140770)
9:01 AM: a0039852.exe (ID = 140768)
9:01 AM: a0039616.exe (ID = 134935)
9:01 AM: mols31.dll (ID = 125214)
9:01 AM: Found Adware: purityscan
9:01 AM: a0030236.exe (ID = 134977)
9:01 AM: a0039821.exe (ID = 134935)
9:01 AM: a0030256.dll (ID = 143036)
9:01 AM: a0030194.exe (ID = 134935)
9:01 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:01 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:01 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:01 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:01 AM: a0039887.exe (ID = 134935)
9:01 AM: a0036776.exe (ID = 143038)
9:01 AM: a0039904.exe (ID = 134935)
9:01 AM: a0030231.exe (ID = 134953)
9:01 AM: a0039973.dll (ID = 125214)
9:01 AM: a0039922.exe (ID = 134935)
9:02 AM: a0036688.exe (ID = 143038)
9:02 AM: a0034616.exe (ID = 134935)
9:02 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:02 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:02 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:02 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:02 AM: a0030257.exe (ID = 143038)
9:02 AM: a0034556.exe (ID = 134935)
9:02 AM: a0029114.exe (ID = 134935)
9:02 AM: a0029113.exe (ID = 134935)
9:02 AM: a0029175.exe (ID = 134935)
9:02 AM: a0038170.exe (ID = 143038)
9:02 AM: a0038248.exe (ID = 143038)
9:03 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 AM: Found Adware: look2me
9:03 AM: a0041157.dll (ID = 163672)
9:03 AM: a0036960.exe (ID = 134935)
9:03 AM: Found Adware: drsnsrch hijacker
9:03 AM: a0030259.exe (ID = 121121)
9:03 AM: a0039298.exe (ID = 134935)
9:03 AM: a0030368.exe (ID = 134935)
9:03 AM: a0030244.exe (ID = 134935)
9:03 AM: a0032394.exe (ID = 134935)
9:03 AM: a0030268.exe (ID = 134935)
9:03 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:03 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:03 AM: a0030267.exe (ID = 134935)
9:03 AM: a0030289.exe (ID = 134935)
9:03 AM: a0039892.dll (ID = 125214)
9:03 AM: a0032426.exe (ID = 134935)
9:03 AM: a0041087.dll (ID = 125214)
9:03 AM: a0034595.exe (ID = 134935)
9:03 AM: a0038231.exe (ID = 134935)
9:03 AM: a0032441.exe (ID = 134935)
9:03 AM: a0030209.exe (ID = 134935)
9:03 AM: a0041354.dll (ID = 125214)
9:03 AM: a0041124.dll (ID = 125214)
9:03 AM: a0031367.exe (ID = 134935)
9:03 AM: a0043971.dll (ID = 125214)
9:03 AM: a0032460.exe (ID = 134935)
9:03 AM: a0032480.exe (ID = 134935)
9:03 AM: a0035643.exe (ID = 134935)
9:03 AM: a0033532.exe (ID = 134935)
9:04 AM: a0033514.exe (ID = 134935)
9:04 AM: a0034580.exe (ID = 134935)
9:04 AM: a0034531.exe (ID = 134935)
9:04 AM: a0030260.dll (ID = 115632)
9:04 AM: a0036695.exe (ID = 134935)
9:04 AM: a0036759.exe (ID = 134935)
9:04 AM: a0038265.exe (ID = 134935)
9:04 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:04 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:04 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:04 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:04 AM: a0037002.exe (ID = 134935)
9:04 AM: a0036643.exe (ID = 134935)
9:04 AM: a0031383.exe (ID = 134935)
9:04 AM: a0032497.exe (ID = 134935)
9:04 AM: a0036710.exe (ID = 134935)
9:04 AM: a0036741.exe (ID = 134935)
9:04 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:04 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:04 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:04 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 AM: dqcprop.dll (ID = 125214)
9:05 AM: a0041496.dll (ID = 125214)
9:05 AM: a0041156.dll (ID = 125214)
9:05 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 AM: a0039633.exe (ID = 134935)
9:05 AM: sskknwrd.dll (ID = 77733)
9:05 AM: nztman.dll (ID = 163672)
9:05 AM: a0039596.exe (ID = 134935)
9:05 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:05 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:05 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:06 AM: a0041356.dll (ID = 125214)
9:06 AM: a0036809.exe (ID = 134935)
9:06 AM: a0038002.exe (ID = 134935)
9:06 AM: a0038019.exe (ID = 134935)
9:06 AM: a0038037.exe (ID = 134935)
9:06 AM: a0036835.exe (ID = 134935)
9:06 AM: a0036863.exe (ID = 134935)
9:06 AM: a0036887.exe (ID = 134935)
9:06 AM: a0040049.dll (ID = 125214)
9:06 AM: a0041355.dll (ID = 125214)
9:06 AM: a0039792.exe (ID = 134935)
9:06 AM: a0039784.exe (ID = 134935)
9:06 AM: a0043979.dll (ID = 125214)
9:06 AM: a0030243.exe (ID = 134935)
9:06 AM: a0039279.exe (ID = 134935)
9:06 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:06 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:06 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:06 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:06 AM: a0039348.exe (ID = 134935)
9:06 AM: a0040032.dll (ID = 125214)
9:06 AM: a0039332.exe (ID = 134935)
9:06 AM: a0036791.exe (ID = 134935)
9:06 AM: a0029094.exe (ID = 134935)
9:06 AM: a0039297.exe (ID = 134935)
9:06 AM: a0039368.exe (ID = 134935)
9:06 AM: a0038263.exe (ID = 134935)
9:06 AM: a0032514.exe (ID = 134935)
9:06 AM: a0036728.exe (ID = 134935)
9:06 AM: a0039426.exe (ID = 134935)
9:06 AM: a0034579.exe (ID = 134935)
9:06 AM: a0035616.exe (ID = 134935)
9:06 AM: a0036670.exe (ID = 134935)
9:07 AM: a0038176.exe (ID = 134935)
9:07 AM: a0036930.exe (ID = 134935)
9:07 AM: a0039388.exe (ID = 134935)
9:07 AM: a0039262.exe (ID = 134935)
9:07 AM: a0038212.exe (ID = 134935)
9:07 AM: a0039485.exe (ID = 134935)
9:07 AM: a0036910.exe (ID = 134935)
9:07 AM: a0039842.exe (ID = 134935)
9:07 AM: a0041102.dll (ID = 125214)
9:07 AM: a0038105.exe (ID = 134935)
9:07 AM: a0039404.exe (ID = 134935)
9:07 AM: a0039907.dll (ID = 125214)
9:07 AM: a0038055.exe (ID = 134935)
9:07 AM: upd210[1].exe (ID = 163220)
9:07 AM: a0038078.exe (ID = 134935)
9:07 AM: a0036876.exe (ID = 134935)
9:07 AM: a0039369.exe (ID = 134935)
9:07 AM: a0039925.dll (ID = 125214)
9:07 AM: a0038088.exe (ID = 134935)
9:07 AM: a0038130.exe (ID = 134935)
9:07 AM: a0039389.exe (ID = 134935)
9:07 AM: a0030178.exe (ID = 134935)
9:07 AM: a0038118.exe (ID = 134935)
9:07 AM: a0038150.exe (ID = 134935)
9:07 AM: a0039615.exe (ID = 134935)
9:07 AM: a0039951.dll (ID = 125214)
9:07 AM: a0039876.dll (ID = 140771)
9:07 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:07 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:07 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:07 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:07 AM: a0032383.exe (ID = 134935)
9:07 AM: a0039993.dll (ID = 125214)
9:07 AM: a0030252.exe (ID = 141106)
9:07 AM: a0040015.dll (ID = 125214)
9:07 AM: a0039647.exe (ID = 134935)
9:07 AM: a0041049.dll (ID = 125214)
9:07 AM: a0032410.exe (ID = 134935)
9:08 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:08 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:08 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:08 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 AM: backup.zip (ID = 125214)
9:09 AM: File Sweep Complete, Elapsed Time: 00:09:25
9:09 AM: Full Sweep has completed. Elapsed time 00:11:22
9:09 AM: Traces Found: 259
9:09 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:09 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:10 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:10 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:11 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:11 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:11 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:11 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:12 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:12 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:13 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:13 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:13 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:13 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:14 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:14 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:14 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:14 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:14 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:15 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:15 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:15 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:15 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:15 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:15 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:15 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:15 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:16 AM: Removal process initiated
9:16 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:16 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:16 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:16 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:17 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:17 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:17 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:17 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:17 AM: Quarantining All Traces: directrevenue-abetterinternet
9:17 AM: Quarantining All Traces: icannnews
9:17 AM: icannnews is in use. It will be removed on reboot.
9:17 AM: mols31.dll is in use. It will be removed on reboot.
9:17 AM: dqcprop.dll is in use. It will be removed on reboot.
9:17 AM: C:\WINDOWS\system32\mols31.dll is in use. It will be removed on reboot.
9:17 AM: C:\WINDOWS\system32\dqcprop.dll is in use. It will be removed on reboot.
9:17 AM: Quarantining All Traces: look2me
9:17 AM: Quarantining All Traces: purityscan
9:17 AM: Quarantining All Traces: surfsidekick
9:17 AM: Quarantining All Traces: trojan-downloader-conhook
9:17 AM: Quarantining All Traces: drsnsrch hijacker
9:17 AM: Quarantining All Traces: drsnsrch.com hijack
9:17 AM: Quarantining All Traces: 2o7.net cookie
9:17 AM: Quarantining All Traces: abcsearch cookie
9:17 AM: Quarantining All Traces: adecn cookie
9:17 AM: Quarantining All Traces: adknowledge cookie
9:17 AM: Quarantining All Traces: adrevolver cookie
9:17 AM: Quarantining All Traces: adserver cookie
9:17 AM: Quarantining All Traces: ask cookie
9:17 AM: Quarantining All Traces: azjmp cookie
9:17 AM: Quarantining All Traces: bluestreak cookie
9:17 AM: Quarantining All Traces: centrport net cookie
9:17 AM: Quarantining All Traces: clickandtrack cookie
9:17 AM: Quarantining All Traces: exitexchange cookie
9:17 AM: Quarantining All Traces: falkag cookie
9:17 AM: Quarantining All Traces: hbmediapro cookie
9:17 AM: Quarantining All Traces: kmpads cookie
9:17 AM: Quarantining All Traces: maxserving cookie
9:17 AM: Quarantining All Traces: mygeek cookie
9:17 AM: Quarantining All Traces: overture cookie
9:17 AM: Quarantining All Traces: questionmarket cookie
9:17 AM: Quarantining All Traces: realmedia cookie
9:17 AM: Quarantining All Traces: redzip cookie
9:17 AM: Quarantining All Traces: ru4 cookie
9:17 AM: Quarantining All Traces: specificclick.com cookie
9:17 AM: Quarantining All Traces: starware.com cookie
9:17 AM: Quarantining All Traces: statcounter cookie
9:17 AM: Quarantining All Traces: trafficmp cookie
9:17 AM: Quarantining All Traces: tribalfusion cookie
9:17 AM: Quarantining All Traces: valuead cookie
9:17 AM: Quarantining All Traces: websponsors cookie
9:17 AM: Quarantining All Traces: yieldmanager cookie
9:17 AM: Quarantining All Traces: zedo cookie
9:18 AM: Warning: Launched explorer.exe
9:18 AM: Warning: Quarantine process could not restart Explorer.
9:20 AM: Preparing to restart your computer. Please wait...
9:20 AM: Removal process completed. Elapsed time 00:03:52
********
8:55 AM: | Start of Session, Wednesday, November 23, 2005 |
8:55 AM: Spy Sweeper started
8:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:55 AM: Your spyware definitions have been updated.
8:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:55 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:55 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:56 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:56 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:56 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:56 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:57 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
8:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
8:57 AM: | End of Session, Wednesday, November 23, 2005 |


Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:51 AM, on 11/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
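The Spy Sweeper session above logs the Spy Communication shield blocking www.icannnews.com and www.licenseverify.com every minute or so, and three items it could not remove because they were still in use. Those are the two signals a helper reads out of such a log: repeated outbound blocks mean a component is still running and trying to reach its servers after the sweep, and files marked "in use" are only gone after a clean reboot. The following script, added here as an example and not code from this thread or from Webroot, summarises a log in that format; the sample lines are a constructed subset in the same layout as the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the Spy Sweeper session-log format quoted in the thread:
# a handful of representative lines, not the full log.
SAMPLE_LOG = r"""
9:08 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 AM: The Spy Communication shield has blocked access to: www.icannnews.com
9:08 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
9:09 AM: backup.zip (ID = 125214)
9:09 AM: Traces Found: 259
9:16 AM: Removal process initiated
9:17 AM: Quarantining All Traces: directrevenue-abetterinternet
9:17 AM: Quarantining All Traces: icannnews
9:17 AM: icannnews is in use. It will be removed on reboot.
9:17 AM: C:\WINDOWS\system32\mols31.dll is in use. It will be removed on reboot.
9:17 AM: C:\WINDOWS\system32\dqcprop.dll is in use. It will be removed on reboot.
9:17 AM: Quarantining All Traces: look2me
9:17 AM: Quarantining All Traces: 2o7.net cookie
9:18 AM: Warning: Quarantine process could not restart Explorer.
"""

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
BLOCKED_RE = re.compile(r"blocked access to: (?P<host>\S+)$")
QUARANTINE_RE = re.compile(r"^Quarantining All Traces: (?P<family>.+)$")
IN_USE_RE = re.compile(r"^(?P<item>.+?) is in use\. It will be removed on reboot\.$")
TRACE_RE = re.compile(r"^(?P<file>\S+) \(ID = (?P<id>\d+)\)$")
WARNING_RE = re.compile(r"^Warning: (?P<text>.+)$")


def summarize(log_text):
    """Aggregate one Spy Sweeper session into the facts a helper acts on."""
    summary = {
        "blocked_hosts": Counter(),   # host -> number of blocked connection attempts
        "families": [],               # non-cookie trace families quarantined
        "cookies": [],                # tracking-cookie families quarantined
        "pending_reboot": [],         # items Spy Sweeper could not remove while in use
        "traces": [],                 # (file, definition id) pairs listed by the sweep
        "warnings": [],
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (b := BLOCKED_RE.search(msg)):
            summary["blocked_hosts"][b.group("host")] += 1
        elif (q := QUARANTINE_RE.match(msg)):
            family = q.group("family")
            if family.endswith(" cookie"):
                summary["cookies"].append(family[: -len(" cookie")])
            else:
                summary["families"].append(family)
        elif (u := IN_USE_RE.match(msg)):
            summary["pending_reboot"].append(u.group("item"))
        elif (t := TRACE_RE.match(msg)):
            summary["traces"].append((t.group("file"), t.group("id")))
        elif (w := WARNING_RE.match(msg)):
            summary["warnings"].append(w.group("text"))
    return summary


def still_active(summary):
    """True when the log shows components the sweep did not neutralise:
    repeated outbound blocks mean something is still running and beaconing,
    and files marked 'in use' are only gone after a clean reboot."""
    return bool(summary["blocked_hosts"]) or bool(summary["pending_reboot"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host, n in s["blocked_hosts"].most_common():
        print(f"{n:4d} blocked attempts to {host}")
    print("quarantined families:", s["families"])
    print("pending reboot:", s["pending_reboot"])
    print("still active:", still_active(s))
```

Run against the full session quoted above, the blocked-host counter shows the same two hosts being contacted right through the removal phase, which is why the helper's next step is to identify the process behind those attempts in the HijackThis log rather than to rerun the sweep.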

#19
Matt

    Infected with AwesomeWare

  • Member
  • 606 posts
Alright! Let's continue!

Please print out these directions for use if/when you cannot access this page.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode.
  • Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\SYSTEM32\awtqp.dll

  • Press Enter to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\SYSTEM32\pqtwa.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
    O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll

  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them into this topic, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder.

If all goes well, we will have finished removing the most serious threats from your computer. Then, we can continue to remove the remainder of malware from your computer.

Matt
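Matt's fix targets two HijackThis entries that share one DLL: the O2 browser helper object registered with no name and the O20 Winlogon Notify handler, both pointing at awtqp.dll. The same log carries a second pattern worth knowing: the run entry C:\WINDOWS\System32\j?vaw.exe, where "?" stands in for a character HijackThis could not render (a question mark is not allowed in a Windows file name, so its presence in a logged path is itself a signal). The script below, added here as an example and not code from this thread or from HijackThis, parses entry lines in that format and flags those patterns. The sample lines are a constructed subset in the same layout as the quoted log, and the known-good list of Winlogon Notify handlers is an assumption containing only WRNotifier, the entry that appears alongside the Spy Sweeper service; in practice that list comes from a clean baseline of the same build.

```python
import re

# Constructed subset of HijackThis log lines in the format quoted in the thread
# (the same entry kinds, not the full log).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumed known-good Winlogon Notify handlers. Only the Webroot entry seen in the
# quoted log is listed; a real list is taken from a clean baseline of the same build.
KNOWN_NOTIFY = {"WRNotifier"}

ENTRY_RE = re.compile(r"^(?P<section>[RNOF]\d+) - (?P<rest>.*)$")
# A Windows path up to the first module extension; a closing quote ends it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|ocx|sys|cab)', re.IGNORECASE)
ILLEGAL_IN_NAME = set('?*"<>|:')     # characters Windows does not allow in file names


def extract_path(rest):
    m = PATH_RE.search(rest)
    return m.group(0) if m else None


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def name_is_suspect(name):
    """A reserved or non-ASCII character in a logged file name means the tool
    could not render the real name; look-alike file names rely on that."""
    return any(ch in ILLEGAL_IN_NAME or ord(ch) > 127 for ch in name)


def triage(log_text, known_notify=KNOWN_NOTIFY):
    """Return (section, path, reason) findings for the patterns a helper looks for."""
    findings = []
    bho = {}        # lower-case file name -> path, from O2 lines
    notify = {}     # lower-case file name -> path, from O20 lines
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        path = extract_path(rest)
        if path is None:
            continue
        name = file_name(path)
        if name_is_suspect(name):
            findings.append((section, path, "file name contains a character not allowed in Windows file names"))
        if section == "O2" and rest.startswith("BHO: (no name)"):
            findings.append((section, path, "browser helper object registered with no name"))
            bho[name.lower()] = path
        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            handler = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
            notify[name.lower()] = path
            if handler not in known_notify:
                findings.append((section, path, f"Winlogon Notify handler '{handler}' not in the known-good list"))
    # The pairing Matt's instructions target: one DLL hooked into both the browser and winlogon.
    for shared in sorted(bho.keys() & notify.keys()):
        findings.append(("O2+O20", bho[shared], "same DLL loaded both as a BHO and as a Winlogon Notify handler"))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_HJT):
        print(f"{section:7s} {path}\n        {reason}")
```

The cross-reference at the end is the useful part: a Winlogon Notify DLL is loaded by winlogon.exe before the desktop appears, which is why the thread has it fixed from Safe Mode with a dedicated tool rather than deleted from a running session, and why the O2 and O20 lines are checked together.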

#20
Sgooter

    Member

  • Topic Starter
  • Member
  • 56 posts
Hi Matt,
I should mention to you that for the past 2 weeks or so, each time I start up or restart this PC the following advisory window appears; I click OK, the PC continues its start-up sequence, and all appears normal:

Title Bar of Window: HP AiO Device Object Server
Contents of Window: Register Class Objects failed: hRes=0x80004015
The class is configured to run as a security ID different from the caller
Maximum retry attempts exceeded

I use a Hewlett-Packard G95 All-in-One printer, scanner, copier, fax on the home LAN. I believe the pop-up advisory window is from malware.


Here's the log from the ActiveScan run:


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtqp.dll
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\pskapoor\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF1AE267-0BD1-4208-BBB0-EA528D\5ED8F191-AA2B-432D-9C43-470317
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\pskapoor\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF1AE267-0BD1-4208-BBB0-EA528D\8FCFE8BF-E685-4389-A7E4-28B651
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\pskapoor\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF1AE267-0BD1-4208-BBB0-EA528D\DA6E60C9-7C71-44A7-9FCA-938E6C
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtqp.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\j?vaw.exe
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051127-104805-716.dll
Virus:Trj/Mitglieder.FA Not disinfected Local Folders\Deleted Items[new__price.zip][20_price.exe]
Virus:Trj/Mitglieder.FO Not disinfected Local Folders\Deleted Items[The_new_prices.zip][5.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Mail delivery failed[mail_body.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Paris Hilton & Nicole Richie[downloadm.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Mail delivery failed[mail.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Your Password[reg_pass.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Paris Hilton & Nicole Richie[downloadm.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Mail delivery failed[mail.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\You_visit_illegal_websites[question_list.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Paris Hilton & Nicole Richie[downloadm.zip][File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Local Folders\Deleted Items\Mail_delivery_failed[mail_body.zip][File-packed_dataInfo.exe]


Here's the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:25:22 AM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Here's the log from the Vundofix run:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\SYSTEM32\awtqp.dll

The second filepath entered was C:\WINDOWS\SYSTEM32\pqtwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'


Killing PID 212 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\SYSTEM32\awtqp.dll.
C:\WINDOWS\SYSTEM32\pqtwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Thanks and I hope you had a wonderful Thanksgiving holiday,
Sgooter
  • 0

#21
Matt

    Infected with AwesomeWare

  • Member
  • 606 posts
Ok, this is a little stubborn, let's try again.

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Close Ewido, we will come back to it in a moment.

Open SpySweeper
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into a text file, and save that to the desktop.
You can now close SpySweeper

We need to make all files and folders VISIBLE:
  • Go to start>control panel>folder options>view (tab)
  • Choose "show hidden files and folders."
  • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
  • Close the window with ok.
1. REBOOT into Safe Mode
2. Using Windows Explorer, navigate to the C:\Windows\System32 Folder.
3. Locate, and DELETE All files named pqtwa. They will have various extensions, such as:
  • ini
  • ini1
  • ini2
  • bak1
  • bak2
  • and so on.

Open Ewido and run a scan:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

REBOOT your system normally
Finally, run HijackThis, and place a check next to the following items (if present):
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll


Then, please rescan with HJT, and save a new log.

So, please reply with a new HJT log, the Ewido Report, and the SpySweeper session log.

Matt
  • 0

#22
Sgooter

    Member

  • Topic Starter
  • Member
  • 56 posts
Hi Matt,
When I examined Windows Explorer, I did not find any pqtwa files, but I did find one awtqp.dll file which HJT seems to not be removing during the Scan and Fix Checked steps.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:51 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Here's the Ewido Report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:17:05 PM, 11/28/2005
+ Report-Checksum: B6596379

+ Scan result:

:mozilla.7:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.25:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.32:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.45:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.50:C:\Documents and Settings\pskapoor\Application Data\Mozilla\Firefox\Profiles\tfl3dcq2.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\pskapoor\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup


::Report End

Here's the SpySweeper session log:

5:23 PM: | Start of Session, Monday, November 28, 2005 |
5:23 PM: Spy Sweeper started
5:23 PM: Sweep initiated using definitions version 574
5:23 PM: Starting Memory Sweep
5:24 PM: Memory Sweep Complete, Elapsed Time: 00:01:31
5:24 PM: Starting Registry Sweep
5:24 PM: Found Trojan Horse: trojan-downloader-conhook
5:24 PM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
5:24 PM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
5:24 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
5:24 PM: Registry Sweep Complete, Elapsed Time:00:00:17
5:24 PM: Starting Cookie Sweep
5:24 PM: Found Spy Cookie: 2o7.net cookie
5:24 PM: pskapoor@2o7[1].txt (ID = 1957)
5:24 PM: Found Spy Cookie: adknowledge cookie
5:24 PM: pskapoor@adknowledge[1].txt (ID = 2072)
5:24 PM: Found Spy Cookie: bannerspace cookie
5:24 PM: pskapoor@bannerspace[1].txt (ID = 2284)
5:24 PM: Found Spy Cookie: clickzs cookie
5:24 PM: [email protected][2].txt (ID = 2413)
5:24 PM: Found Spy Cookie: realmedia cookie
5:24 PM: pskapoor@realmedia[1].txt (ID = 3235)
5:24 PM: Found Spy Cookie: adserver cookie
5:24 PM: [email protected][1].txt (ID = 2142)
5:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:24 PM: Starting File Sweep
5:30 PM: Found Adware: look2me
5:30 PM: a0043994.dll (ID = 163672)
5:33 PM: File Sweep Complete, Elapsed Time: 00:08:51
5:33 PM: Full Sweep has completed. Elapsed time 00:10:41
5:33 PM: Traces Found: 16
5:47 PM: Removal process initiated
5:47 PM: Quarantining All Traces: look2me
5:47 PM: Quarantining All Traces: trojan-downloader-conhook
5:47 PM: Quarantining All Traces: 2o7.net cookie
5:47 PM: Quarantining All Traces: adknowledge cookie
5:47 PM: Quarantining All Traces: adserver cookie
5:47 PM: Quarantining All Traces: bannerspace cookie
5:47 PM: Quarantining All Traces: clickzs cookie
5:47 PM: Quarantining All Traces: realmedia cookie
5:48 PM: Removal process completed. Elapsed time 00:00:57
5:49 PM: Your spyware definitions have been updated.
5:50 PM: | End of Session, Monday, November 28, 2005

Thanks a bunch,
Sgooter
  • 0
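The entries Matt keeps asking to have fixed form a pattern a helper can spot mechanically: a nameless O2 BHO and an O20 Winlogon Notify entry pointing at the same DLL (awtqp.dll), the reversed-name companion files VundoFix targeted (pqtwa.*), and a Run entry whose file name contains a character HJT cannot display (j?vaw.exe, since "?" is not legal in a Windows file name). The following Python is an added example, not code from this thread or from HijackThis; it parses a few log lines copied from the posts above (a constructed sample, not a full log) and flags those three patterns.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis logs
# posted in this thread (not a complete log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# O4 lines look like: O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable/DLL in a command line, quoted or not (so paths with spaces survive).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat))"?', re.IGNORECASE)
# '?' is illegal in Windows file names; HJT prints it for characters it cannot render.
ODD_CHAR_RE = re.compile(r"[^\x20-\x7e]|\?")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Return (bhos, notifies, runs): lists of (name, path) per HJT section."""
    bhos, notifies, runs = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O2 - BHO: "):
            parts = line[len("O2 - BHO: "):].rsplit(" - ", 2)  # name, CLSID, path
            if len(parts) == 3:
                bhos.append((parts[0], parts[2]))
        elif line.startswith("O20 - Winlogon Notify: "):
            name, path = line[len("O20 - Winlogon Notify: "):].rsplit(" - ", 1)
            notifies.append((name, path))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            e = EXE_RE.match(m.group("cmd")) if m else None
            if e:
                runs.append((m.group("name"), e.group("path")))
    return bhos, notifies, runs


def triage(text):
    """Flag the patterns discussed in this thread; returns a list of findings."""
    bhos, notifies, runs = parse_log(text)
    nameless_bho = {basename(p) for n, p in bhos if n == "(no name)"}
    findings = []
    for _name, path in notifies:
        dll = basename(path)
        if dll in nameless_bho:
            stem = dll.rsplit(".", 1)[0]
            findings.append({
                "check": "winlogon_notify_bho",
                "path": path,
                # VundoFix in this thread removed pqtwa.*, i.e. the reversed stem
                "companion_glob": stem[::-1] + ".*",
            })
    for _name, path in runs:
        if ODD_CHAR_RE.search(basename(path)):
            findings.append({"check": "odd_char_in_name", "path": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f)
```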

#23
Matt

    Infected with AwesomeWare

  • Member
  • 606 posts
Ok, I think we'll get it this time. By the way, thanks for your patience. I know this has been many steps, but once we get rid of this particular infection, the rest should be much easier.


1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Scan again with HJT, and place a check next to the following items:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll

Make sure all other windows are closed, and click the Fix Checked button. Then, close HJT.

3) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

4) Once in Safe Mode, please run Killbox.

5) Select "Delete on Reboot".

6) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\SYSTEM32\awtqp.dll

7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

8) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot. Once you get back into windows normally, rescan with HJT, and post a new log.

Matt
  • 0

#24
Sgooter

    Member

  • Topic Starter
  • Member
  • 56 posts
Matt,
Steps 6, 7, and 8 of your instructions for running Killbox did not work exactly as written:
- Steps 6 and 7: I wasn't sure what "textbox" you were referring to and how to get to it, but your instructions sounded like it was intended to help me copy the file: C:\WINDOWS\SYSTEM32\awtqp.dll
So, I just typed in the file name in the window of Killbox labeled "Full Path of File to Delete."
Step 8: with Delete on Reboot selected, I clicked on the red-and-white Delete File button, but nothing happened. That is, I did not get any prompts for confirming Delete on Reboot nor for any Pending Operations.

After waiting for about 3 minutes to see if anything was happening with the Killbox, I then exited Killbox, rebooted and ran HJT again, which still shows the presence of the awtqp.dll file, as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:49 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#25
Matt
Well Sgooter, I have to admit, this is puzzling. Let's try this again, and see if we can get Killbox working properly.

This time, I would like you to copy these directions, and paste them into a text file. That way, you will be able to copy and paste from the instructions.

Please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in Safe Mode, please run Killbox again.

Select "Replace on Reboot", and make sure you have selected "Use Dummy".
*Make sure you have these both selected*

Paste the following filepath into the filepath box:
C:\WINDOWS\SYSTEM32\awtqp.dll

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot. Once you get back into windows normally, scan again with HJT, and place a check next to the following items:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll


Make sure all other windows are closed, and click the Fix Checked button.

Then, reboot your computer, rescan with HJT, and post a new log.

Matt

Edited by Matt, 28 November 2005 - 09:59 PM.

#26
Sgooter
Matt,
I still believe that Killbox is not working correctly. This time, after selecting "Replace on Reboot" and "Use Dummy," I clicked the red-and-white Delete File button. At this point I did receive a prompt to reboot, so I selected Yes. After Killbox went into its "Verifying the Registry/Files" process, another advisory window popped up entitled "PendingFileRenameOperations", and the contents of the window were: "PendingFileRenameOperations Registry Data has been Removed by External Processes!"

Here's the latest HJT log, still showing the awtqp.dll infections:

Logfile of HijackThis v1.99.1
Scan saved at 11:20:35 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\imapi.exe
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Is it erroneous or dangerous to just go into Windows Explorer and delete C:\windows\system32\awtqp.dll ?
#27
Matt
Alright, we'll try something else again. Don't worry, we will eventually get this. My superior is currently also looking into this as it shouldn't be this hard to remove.

Please reboot your computer into Safe Mode.

When you are at the logon screen, log into the account called Administrator. There shouldn't be a password for this account unless you set one.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning. It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\SYSTEM32\awtqp.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\SYSTEM32\pqtwa.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
    O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll

Now reboot your computer normally.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
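
The pattern Matt is working from in the posts above is the Vundo/Virtumonde one: the same randomly named DLL appears as a Browser Helper Object (O2, loaded into Internet Explorer and Explorer) and as a Winlogon Notify handler (O20, loaded into winlogon.exe), which is why deleting it from Explorer fails while Windows is running, and VundoFix additionally removes a reversed-name companion (awtqp becomes pqtwa.*). The script below is an added example, not a tool from this thread or from any of the projects named in it; it correlates O2/O20 lines of a HijackThis log to flag such DLLs, emits exactly the lines to "Fix checked", derives the companion glob, and flags O4 autostarts whose image name contains a character HJT could not print (the j?vaw.exe entry). The log lines are constructed from the shape of the logs in this thread.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis logs posted in this thread
# (only the O2 / O4 / O20 lines matter to the checks below; other lines are skipped).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# First path-like token ending in a loadable image, with or without quotes/arguments.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|ocx|cpl))', re.IGNORECASE)


def image_name(command):
    """Lower-cased file name of the image an O2/O4/O20 line loads."""
    m = EXE_RE.match(command.strip())
    target = m.group("exe") if m else command.strip().strip('"')
    return ntpath.basename(target).lower()


def parse_hjt(text):
    """Turn the O2, O4 (Run key) and O20 lines of an HJT log into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entry = {"section": section, "line": line, **m.groupdict()}
                entry["image"] = image_name(entry["path"])
                entries.append(entry)
                break
    return entries


def find_vundo_candidates(entries):
    """A DLL registered both as a BHO (O2) and as a Winlogon Notify handler (O20)
    is the Vundo/Virtumonde layout. For each such DLL return the HJT lines to
    fix, its CLSIDs and the reversed-name companion glob VundoFix is given."""
    by_image = defaultdict(list)
    for e in entries:
        if e["section"] in ("O2", "O20"):
            by_image[e["image"]].append(e)
    found = []
    for image, group in by_image.items():
        if not {"O2", "O20"} <= {e["section"] for e in group}:
            continue
        notify = next(e for e in group if e["section"] == "O20")
        stem, _ext = ntpath.splitext(ntpath.basename(notify["path"]))
        found.append({
            "image": image,
            "clsids": sorted(e["clsid"] for e in group if e["section"] == "O2"),
            "fix_lines": [e["line"] for e in group],
            # awtqp.dll -> pqtwa.* in the same directory as the Notify DLL
            "companion": ntpath.join(ntpath.dirname(notify["path"]), stem[::-1] + ".*"),
        })
    return found


def find_odd_run_images(entries):
    """O4 autostarts whose image name holds a '?' or a non-ASCII character.
    HJT prints '?' for a character it cannot render, so the entry is not the
    plain javaw.exe its name imitates."""
    return [e for e in entries if e["section"] == "O4"
            and any(c == "?" or ord(c) > 127 for c in e["image"])]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for cand in find_vundo_candidates(parsed):
        print("Vundo-style DLL:", cand["image"], "CLSIDs:", cand["clsids"])
        print("  companion to remove:", cand["companion"])
        for fix in cand["fix_lines"]:
            print("  fix checked:", fix)
    for odd in find_odd_run_images(parsed):
        print("Suspicious autostart:", odd["name"], "->", odd["path"])
```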

#28
Sgooter
Matt,
I'm located on the East Coast, so this will be my last reply post for this evening.

Here's the ActiveScan Report:


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtqp.dll
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\awtqp.dll
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\pskapoor\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF1AE267-0BD1-4208-BBB0-EA528D\5ED8F191-AA2B-432D-9C43-470317
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\pskapoor\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF1AE267-0BD1-4208-BBB0-EA528D\8FCFE8BF-E685-4389-A7E4-28B651
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\pskapoor\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF1AE267-0BD1-4208-BBB0-EA528D\DA6E60C9-7C71-44A7-9FCA-938E6C
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtqp.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\j?vaw.exe
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051127-104805-716.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-202524-473.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-202644-495.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-202806-892.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-202830-938.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-214202-953.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-215221-374.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051128-231815-946.dll
Spyware:Spyware/Virtumonde Not disinfected D:\HiJack This\backups\backup-20051129-000758-200.dll

Here's the Vundofix report:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\SYSTEM32\awtqp.dll

The second filepath entered was C:\WINDOWS\SYSTEM32\pqtwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 692 'explorer.exe'
Killing PID 692 'explorer.exe'


Killing PID 212 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\SYSTEM32\awtqp.dll.
C:\WINDOWS\SYSTEM32\pqtwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Here's the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:43:54 AM, on 11/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QuickTime\qttask.exe
D:\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pskapoor\Application Data\Mozilla\Profiles\default\ijku3ppn.slt\prefs.js)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vvx] C:\WINDOWS\System32\j?vaw.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Reminders.lnk = D:\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again, and I will be online again tomorrow evening - East Coast time.
  • 0

#29 Sgooter (Topic Starter, Member, 56 posts)
Matt,
When I ran ActiveScan should I have also taken steps to disinfect/remove the problem files when prompted during the scan, such as for awtqp.*?
Your instructions did not say to disinfect anything so I didn't do it. I only ran the scan function of ActiveScan.
Thanks,
Sgooter
  • 0

#30 Matt, "Infected with AwesomeWare" (Member, 606 posts)
For this to even work, you will need a full-version XP CD in order to do this fix. A recovery CD like you get with many OEM machines (XP already installed) will not work. If you only have the recovery disk, do you know of anyone who has the "real" XP CD who would let you borrow it?

Print these instructions out and make sure everything is entered exactly.

First you need to create a dummy file.
Using Windows Explorer, open the C:\windows\system32 directory. Right click an open space and go to New > Text Document.
When Notepad opens, go up to File > Save As. Click the drop-down box to change the "Save As Type" to "All Files".
Name the text file awtqp.old and save it in the system32 directory.
Close all windows and programs.
Open the cd tray, slip in the XP disk and reboot.
The machine will need to have boot from cd first enabled in the BIOS. Most are already.
Upon boot-up, watch the screen for a 'Press any key to boot from cd' prompt and press any key.
Setup will transfer files and stop at an options screen. Choose R for recovery console.
You will be prompted for the Administrator password. If none was set, press enter.
You will be offered which installation to start, e.g.:
1. C:\Windows
Press 1 and enter.
You will arrive at a C:\Windows prompt.
Type:

cd c:\windows\system32

hit enter.

Now to remove any attributes from and delete the file, then rename the dummy.

Type and hit enter after each line.

attrib -r awtqp.dll
attrib -h awtqp.dll
attrib -s awtqp.dll
del awtqp.dll
rename awtqp.old awtqp.dll
exit


The machine will restart. Either take the cd out right away or do not touch any keys until you get to the Welcome screen so that it skips the boot from cd option.

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll


Close HijackThis.

Reboot and post a new HiJackThis log.

Matt
  • 0
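The reason Matt's fix goes through the Recovery Console rather than HijackThis alone is visible in the log itself: the same DLL is registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), and the Winlogon hook keeps the file loaded from the moment the system starts. The script below is an added example (not Matt's, not a HijackThis feature) that reads HijackThis entry lines, indexes every module path by the sections that reference it, and reports modules loaded through more than one autostart mechanism, plus the exact lines to tick under "Fix checked". The sample input is a constructed selection of lines copied from the log posted above; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a selection of entry lines from the HijackThis
# log posted earlier in this thread (nothing beyond that selection).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: awtqp - C:\WINDOWS\SYSTEM32\awtqp.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A HijackThis entry line starts with its section code (R0..R3, F0..F3,
# N1..N4, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# A drive-letter path ending in a loadable module.  Non-greedy so that a
# quoted path stops at the first extension instead of swallowing switches.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|ocx)', re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, line) for every HijackThis entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), line


def paths_by_section(log_text):
    """Map each module path (normalised to lower case) to the sections that load it."""
    index = defaultdict(set)
    for section, line in parse_entries(log_text):
        for path in PATH_RE.findall(line):
            index[path.lower()].add(section)
    return index


def multi_section_paths(log_text):
    """Modules referenced from more than one autostart mechanism.

    A file hooked as both a BHO (O2) and a Winlogon Notify DLL (O20) is
    the pattern Matt's fix targets: the Winlogon hook keeps the file in
    use, so it has to be removed from outside the running system.
    """
    return {
        path: sorted(sections, key=lambda s: int(s[1:]))
        for path, sections in paths_by_section(log_text).items()
        if len(sections) > 1
    }


def lines_naming(log_text, filename):
    """The exact entry lines naming a file: the items to tick in HijackThis."""
    needle = filename.lower()
    return [line for _, line in parse_entries(log_text) if needle in line.lower()]


if __name__ == "__main__":
    for path, sections in multi_section_paths(SAMPLE_LOG).items():
        print(f"{path} is loaded via {', '.join(sections)}")
        for line in lines_naming(SAMPLE_LOG, path.rsplit("\\", 1)[-1]):
            print("  fix checked:", line)
```

Run against the constructed sample it reports only awtqp.dll, loaded via O2 and O20, and prints the two entry lines Matt lists for "Fix checked"; the benign Norton, ZoneAlarm and TrueVector entries each appear in a single section and are not flagged. The normalisation to lower case matters because the log spells the directory both as system32 and SYSTEM32.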
