SurfSideKick 3 removal help

[Bob_66]

Hi,

I've found SurfSideKick 3 our Sony Vaio PCG-K215M laptop, which won't let me delete it.

It was first discovered using Ad-Aware SE Personal, which flagged up a new criticial object before the laptop automatically rebooted - this happens each time we try to run Ad-Aware.

I also have a program called Add-Remove Pro, which lists the SurfSideKick 3 program, and when I click to uninstall it I'm prompted with a dialog box which asks me to enter a code to say it's a "user initiated" decision to remove it.
I didn't quite trust the message, so I'm here hoping someone could help me remove it, or perhaps advise me as to whether it's safe to try and uninstall it by entering the prompted code.

I have run a number of scans (a free online one at Trend Micro, which, when I tried to clean the SSK3 program, caused an error in mozilla and kicked me out).

I should also mention that my brother looked at previous posts and d/l some of the suggested s/ware, namely ewido anti-spyware, and also tried to follow a guide for removing SSK3, but this did not work.
So, there are likely some changes already made through hijackthis which, as an analyst, you may not have expected to see - I hope this hasn't made matters worse for ourseleves.

I'd greatly appreciate any help in removing this program (it is not causing any undue problems - we only get the pop-ups if we use IE, which we don't usually), but as it's a program that's not supposed to be present, I'd very much like to remove it.

Thanks in advance, and apologies if our meddling before posting has made your lives harder!

Here's my latest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:58:25, on 16/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: repairs302972988.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[sUBs]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before begining. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


Do this first ...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Save that log on Desktop. We shall need to run Combofix again later & I dont it to be overwritten

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Do not proceed with the rest of the fix if you fail to run combofix


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download Dr.Web CureIt & save it on desktop. We shall be using it later

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button

1. Locate the service - mcafeeWALLP
2. Double-click on it to open the Properties dialog.
   - Change the Startup type to Disabled & then click on the Apply button
   - Stop the service by using the Stop button.
3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
4. In the popup box that appears, copy/paste mcafeeWALLP
5. Click on the OK button & answer No if prompted to reboot

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

• Tick - 'Show hidden files and folder'
• Untick - 'Hide file extensions for known types'
• Untick - 'Hide protected operating system files'
• Click Yes to confirm & then click OK

Locate and delete the following files/folders:

• C:\windows\banmanpro.exe
  C:\WINDOWS\mcafeeWALLX.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Delete Cookies

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found:
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

** The scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


Run Combofix again & post the 2nd combofix log

In your next post, please include fresh logs from:

• HiJackThis log
• ComboFix (2 logs)
• Dr.Web
• Online Scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[Bob_66]

Hi,

Thanks for the reply.

There were several things that I was unable to do from your request list:

1) O23 - Service: mcafeeWALLP - Unknown owner - C:\WINDOWS\mcafeeWALLX.exe (file missing)

This was not listed in the Hijackthis window, so could not be checked for fixing

2) C:\windows\banmanpro.exe
C:\WINDOWS\mcafeeWALLX.exe

Neither file could be found (hopefully because they'd been successfully deleted?)

3) Panda ActiveScan would not get beyond the d/l of the ActiveX screen (I have already used this service - does this prevent a user from running an additional scan free of charge?)

Sorry if this doesn't help matters, but here are the logs I did manage to generate:

Hijackthis Post Clean:

Logfile of HijackThis v1.99.1
Scan saved at 20:32:00, on 16/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ComboFix Pre Clean

Start Time= 16/07/2006 18:19:07.09
Running from: C:\Documents and Settings\Noel\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs302972988.dll
C:\Documents and Settings\Noel\Application Data\Sskknwrd.dll
C:\Documents and Settings\Noel\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



18:21:47.25
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload.dat
C:\WINDOWS\drsmartloadb1.dat
C:\WINDOWS\teller2.chk


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-16 18:17 <DIR> C:\Program Files\mozilla firefox
2006-07-16 15:08 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-16 14:39 <DIR> C:\Program Files\google
2006-07-16 12:47 <DIR> C:\Program Files\cleanup!
2006-07-16 11:43 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-16 11:42 <DIR> C:\Program Files\xoftspy
2006-07-16 11:42 <DIR> C:\Program Files\common files
2006-07-16 11:31 <DIR> C:\Program Files\ipod
2006-07-16 11:31 <DIR> C:\Program Files\installshield installation information
2006-07-16 11:25 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-16 11:23 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-16 11:23 4,992 C:\WINDOWS\system32\drivers\avgtdi.sys
2006-07-16 11:23 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-16 11:23 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-16 11:23 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-16 11:23 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-16 11:23 <DIR> C:\Program Files\grisoft
2006-07-16 11:23 <DIR> C:\Documents and Settings\Noel\Application Data\microsoft
2006-07-16 11:23 <DIR> C:\Documents and Settings\Noel\Application Data\avg7
2006-07-16 11:22 <DIR> C:\Program Files\add remove pro
2006-07-15 17:33 <DIR> C:\Program Files\linksys
2006-07-15 17:33 <DIR> C:\Program Files\funk software
2006-07-15 17:33 <DIR> C:\Program Files\Common Files\funk software
2006-07-10 22:11 <DIR> C:\Program Files\msn messenger
2006-07-10 22:11 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-10 21:48 <DIR> C:\Documents and Settings\Noel\Application Data\macromedia
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-02 18:29 <DIR> C:\Documents and Settings\Noel\Application Data\mozilla
2006-06-02 18:28 <DIR> C:\Documents and Settings\Noel\Application Data\talkback
2006-05-13 17:42 <DIR> C:\Documents and Settings\Noel\Application Data\apple computer
2006-05-13 17:35 <DIR> C:\Program Files\divx
2006-05-13 17:11 <DIR> C:\Program Files\crystal player
2006-05-13 17:06 <DIR> C:\Program Files\sony
2006-05-13 16:50 <DIR> C:\Documents and Settings\Noel\Application Data\lavasoft
2006-05-13 16:49 <DIR> C:\Program Files\lavasoft
2006-04-19 21:09 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-04-19 21:09 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-04-19 21:09 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-04-19 21:09 619,156 C:\WINDOWS\system32\divx.dll
2006-04-18 23:31 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-04-18 23:31 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-04-18 23:30 90,112 C:\WINDOWS\system32\dpl100.dll
2006-04-18 23:30 593,920 C:\WINDOWS\system32\dpugui11.dll
2006-04-18 23:30 57,344 C:\WINDOWS\system32\dpv11.dll
2006-04-18 23:30 536,576 C:\WINDOWS\system32\divxsm.exe
2006-04-18 23:30 53,248 C:\WINDOWS\system32\dpugui10.dll
2006-04-18 23:30 344,064 C:\WINDOWS\system32\dpus11.dll
2006-04-18 23:30 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-04-18 23:30 294,912 C:\WINDOWS\system32\dpu11.dll
2006-04-18 23:30 294,912 C:\WINDOWS\system32\dpu10.dll
2006-04-18 23:30 200,704 C:\WINDOWS\system32\dtu100.dll
2006-01-08 16:06 <DIR> C:\Program Files\yazzle sudoku
2006-01-08 16:05 <DIR> C:\Program Files\sami
2006-01-08 16:05 <DIR> C:\Program Files\Common Files\vcclient
2006-01-08 16:05 <DIR> C:\Program Files\Common Files\ozow
2006-01-08 15:15 <DIR> C:\Program Files\microsoft visual studio
2006-01-08 15:15 <DIR> C:\Program Files\Common Files\designer
2006-01-08 15:14 <DIR> C:\Program Files\Common Files\system
2006-01-08 15:13 <DIR> C:\Program Files\microsoft office
2006-01-08 15:13 <DIR> C:\Program Files\microsoft frontpage
2006-01-08 15:13 <DIR> C:\Documents and Settings\Noel\Application Data\microsoft web folders
2006-01-08 14:54 <DIR> C:\Program Files\zone labs
2006-01-08 14:43 <DIR> C:\Program Files\spywareblaster
2006-01-08 14:36 <DIR> C:\Program Files\microsoft works
2006-01-08 14:33 <DIR> C:\Program Files\boots f2cd
2006-01-07 15:07 <DIR> C:\Program Files\quicktime
2006-01-07 15:06 <DIR> C:\Program Files\itunes
2005-10-26 18:30 <DIR> C:\Documents and Settings\Noel\Application Data\intervideo
2005-10-24 20:08 <DIR> C:\Program Files\dvd shrink
2005-10-24 20:08 <DIR> C:\Program Files\dvd decrypter
2005-10-19 22:21 <DIR> C:\Documents and Settings\Noel\Application Data\ahead
2005-10-19 22:06 <DIR> C:\Program Files\windows media player
2005-10-19 22:04 <DIR> C:\Program Files\ahead
2005-10-19 22:03 <DIR> C:\Program Files\Common Files\ahead
2005-10-19 19:24 <DIR> C:\Documents and Settings\Noel\Application Data\cyberlink
2005-10-19 19:19 <DIR> C:\Program Files\adobe
2005-10-19 19:19 <DIR> C:\Documents and Settings\Noel\Application Data\intertrust
2005-08-20 17:26 <DIR> C:\Program Files\canon
2005-07-22 20:48 <DIR> C:\Documents and Settings\Noel\Application Data\drag'n drop cd+dvd
2005-07-22 20:13 <DIR> C:\Program Files\Common Files\sony shared
2005-07-22 20:02 <DIR> C:\Program Files\moodlogic
2005-07-22 19:56 <DIR> C:\Program Files\Common Files\adobe
2005-07-22 19:49 <DIR> C:\Program Files\Common Files\installshield
2005-07-22 19:43 <DIR> C:\Program Files\intervideo
2004-05-17 19:36 <DIR> C:\Program Files\outlook express
2004-05-17 19:36 <DIR> C:\Program Files\internet explorer
2004-05-17 19:30 <DIR> C:\Program Files\netmeeting
2004-04-15 02:22 <DIR> C:\Documents and Settings\Noel\Application Data\sony corporation
2004-04-13 13:51 <DIR> C:\Documents and Settings\Noel\Application Data\adobe
2004-04-13 13:43 <DIR> C:\Documents and Settings\Noel\Application Data\symantec
2004-04-13 13:42 <DIR> C:\Documents and Settings\Noel\Application Data\sun
2004-04-13 13:41 <DIR> C:\Program Files\java
2004-04-13 13:41 <DIR> C:\Program Files\Common Files\java
2004-04-13 09:15 <DIR> C:\Program Files\lanexpress
2004-04-13 09:09 <DIR> C:\Program Files\ati technologies
2004-04-12 17:42 <DIR> C:\Program Files\conexant
2004-04-12 17:42 <DIR> C:\Program Files\apoint
2004-04-12 17:39 <DIR> C:\Program Files\Common Files\speechengines
2004-04-12 17:39 <DIR> C:\Program Files\Common Files\odbc
2004-04-12 17:21 <DIR> C:\Program Files\uninstall information
2004-04-12 16:57 <DIR> C:\Program Files\movie maker
2004-04-12 16:50 <DIR> C:\Program Files\xerox
2004-04-12 16:50 <DIR> C:\Documents and Settings\Noel\Application Data\identities
2004-04-12 16:48 <DIR> C:\Program Files\online services
2004-04-12 16:47 <DIR> C:\Program Files\complus applications
2004-04-12 16:47 <DIR> C:\Program Files\Common Files\services
2004-04-12 16:47 <DIR> C:\Program Files\Common Files\mssoap
2004-04-12 16:46 <DIR> C:\Program Files\windowsupdate
2004-04-12 16:46 <DIR> C:\Program Files\msn
2004-04-12 16:45 <DIR> C:\Program Files\windows nt
2004-04-12 16:45 <DIR> C:\Program Files\msn gaming zone
2004-04-12 16:45 <DIR> C:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-16 14:42 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-16 14:42 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-16 13:44 468,766,720 C:\hiberfil.sys
2006-07-16 11:23 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-16 11:23 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-15 17:33 94,208 C:\WINDOWS\system32\W32N50CT.dll
2006-07-15 17:33 17,142 C:\WINDOWS\system32\CBTNDIS5.sys
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"VAIO Update 2"="\"C:\\Program Files\\sony\\vaio update 2\\VAIOUpdt.exe\" /Stationary"
"SonyPowerCfg"="C:\\Program Files\\sony\\vaio power management\\SPMgr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJava5.0"="C:\\WINDOWS\\TEMP\\IXP000.TMP\\JAVASUN.EXE"
"banmanpro"="C:\\windows\\banmanpro.exe"
"drsmartloadb"="c:\\\\drsmartloadb.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="\\"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ozow"="C:\\PROGRA~1\\COMMON~1\\ozow\\ozowm.exe"
"Iinl"="\"C:\\Program Files\\sami\\emia.exe\" -vt yazr"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ozow"="C:\\PROGRA~1\\COMMON~1\\ozow\\ozowm.exe"
"Iinl"="\"C:\\Program Files\\sami\\emia.exe\" -vt yazr"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: 16/07/2006 18:22:03.78
ComboFix ver 06.07.16.2 - This logfile is located at C:\ComboFix.txt

ComboFix.txt


ComboFix Post Clean

Start Time= 16/07/2006 20:30:01.87
Running from: C:\Documents and Settings\Noel\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-16 20:22 <DIR> C:\Program Files\mozilla firefox
2006-07-16 15:08 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-16 14:39 <DIR> C:\Program Files\google
2006-07-16 12:47 <DIR> C:\Program Files\cleanup!
2006-07-16 11:43 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-16 11:42 <DIR> C:\Program Files\xoftspy
2006-07-16 11:42 <DIR> C:\Program Files\common files
2006-07-16 11:31 <DIR> C:\Program Files\ipod
2006-07-16 11:31 <DIR> C:\Program Files\installshield installation information
2006-07-16 11:25 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-16 11:23 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-16 11:23 4,992 C:\WINDOWS\system32\drivers\avgtdi.sys
2006-07-16 11:23 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-16 11:23 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-16 11:23 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-16 11:23 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-16 11:23 <DIR> C:\Program Files\grisoft
2006-07-16 11:23 <DIR> C:\Documents and Settings\Noel\Application Data\microsoft
2006-07-16 11:23 <DIR> C:\Documents and Settings\Noel\Application Data\avg7
2006-07-16 11:22 <DIR> C:\Program Files\add remove pro
2006-07-15 17:33 <DIR> C:\Program Files\linksys
2006-07-15 17:33 <DIR> C:\Program Files\funk software
2006-07-15 17:33 <DIR> C:\Program Files\Common Files\funk software
2006-07-10 22:11 <DIR> C:\Program Files\msn messenger
2006-07-10 22:11 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-10 21:48 <DIR> C:\Documents and Settings\Noel\Application Data\macromedia
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-02 18:29 <DIR> C:\Documents and Settings\Noel\Application Data\mozilla
2006-06-02 18:28 <DIR> C:\Documents and Settings\Noel\Application Data\talkback
2006-05-13 17:42 <DIR> C:\Documents and Settings\Noel\Application Data\apple computer
2006-05-13 17:35 <DIR> C:\Program Files\divx
2006-05-13 17:11 <DIR> C:\Program Files\crystal player
2006-05-13 17:06 <DIR> C:\Program Files\sony
2006-05-13 16:50 <DIR> C:\Documents and Settings\Noel\Application Data\lavasoft
2006-05-13 16:49 <DIR> C:\Program Files\lavasoft
2006-04-19 21:09 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-04-19 21:09 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-04-19 21:09 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-04-19 21:09 619,156 C:\WINDOWS\system32\divx.dll
2006-04-18 23:31 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-04-18 23:31 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-04-18 23:30 90,112 C:\WINDOWS\system32\dpl100.dll
2006-04-18 23:30 593,920 C:\WINDOWS\system32\dpugui11.dll
2006-04-18 23:30 57,344 C:\WINDOWS\system32\dpv11.dll
2006-04-18 23:30 536,576 C:\WINDOWS\system32\divxsm.exe
2006-04-18 23:30 53,248 C:\WINDOWS\system32\dpugui10.dll
2006-04-18 23:30 344,064 C:\WINDOWS\system32\dpus11.dll
2006-04-18 23:30 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-04-18 23:30 294,912 C:\WINDOWS\system32\dpu11.dll
2006-04-18 23:30 294,912 C:\WINDOWS\system32\dpu10.dll
2006-04-18 23:30 200,704 C:\WINDOWS\system32\dtu100.dll
2006-01-08 16:06 <DIR> C:\Program Files\yazzle sudoku
2006-01-08 16:05 <DIR> C:\Program Files\sami
2006-01-08 16:05 <DIR> C:\Program Files\Common Files\vcclient
2006-01-08 16:05 <DIR> C:\Program Files\Common Files\ozow
2006-01-08 15:15 <DIR> C:\Program Files\microsoft visual studio
2006-01-08 15:15 <DIR> C:\Program Files\Common Files\designer
2006-01-08 15:14 <DIR> C:\Program Files\Common Files\system
2006-01-08 15:13 <DIR> C:\Program Files\microsoft office
2006-01-08 15:13 <DIR> C:\Program Files\microsoft frontpage
2006-01-08 15:13 <DIR> C:\Documents and Settings\Noel\Application Data\microsoft web folders
2006-01-08 14:54 <DIR> C:\Program Files\zone labs
2006-01-08 14:43 <DIR> C:\Program Files\spywareblaster
2006-01-08 14:36 <DIR> C:\Program Files\microsoft works
2006-01-08 14:33 <DIR> C:\Program Files\boots f2cd
2006-01-07 15:07 <DIR> C:\Program Files\quicktime
2006-01-07 15:06 <DIR> C:\Program Files\itunes
2005-10-26 18:30 <DIR> C:\Documents and Settings\Noel\Application Data\intervideo
2005-10-24 20:08 <DIR> C:\Program Files\dvd shrink
2005-10-24 20:08 <DIR> C:\Program Files\dvd decrypter
2005-10-19 22:21 <DIR> C:\Documents and Settings\Noel\Application Data\ahead
2005-10-19 22:06 <DIR> C:\Program Files\windows media player
2005-10-19 22:04 <DIR> C:\Program Files\ahead
2005-10-19 22:03 <DIR> C:\Program Files\Common Files\ahead
2005-10-19 19:24 <DIR> C:\Documents and Settings\Noel\Application Data\cyberlink
2005-10-19 19:19 <DIR> C:\Program Files\adobe
2005-10-19 19:19 <DIR> C:\Documents and Settings\Noel\Application Data\intertrust
2005-08-20 17:26 <DIR> C:\Program Files\canon
2005-07-22 20:48 <DIR> C:\Documents and Settings\Noel\Application Data\drag'n drop cd+dvd
2005-07-22 20:13 <DIR> C:\Program Files\Common Files\sony shared
2005-07-22 20:02 <DIR> C:\Program Files\moodlogic
2005-07-22 19:56 <DIR> C:\Program Files\Common Files\adobe
2005-07-22 19:49 <DIR> C:\Program Files\Common Files\installshield
2005-07-22 19:43 <DIR> C:\Program Files\intervideo
2004-05-17 19:36 <DIR> C:\Program Files\outlook express
2004-05-17 19:36 <DIR> C:\Program Files\internet explorer
2004-05-17 19:30 <DIR> C:\Program Files\netmeeting
2004-04-15 02:22 <DIR> C:\Documents and Settings\Noel\Application Data\sony corporation
2004-04-13 13:51 <DIR> C:\Documents and Settings\Noel\Application Data\adobe
2004-04-13 13:43 <DIR> C:\Documents and Settings\Noel\Application Data\symantec
2004-04-13 13:42 <DIR> C:\Documents and Settings\Noel\Application Data\sun
2004-04-13 13:41 <DIR> C:\Program Files\java
2004-04-13 13:41 <DIR> C:\Program Files\Common Files\java
2004-04-13 09:15 <DIR> C:\Program Files\lanexpress
2004-04-13 09:09 <DIR> C:\Program Files\ati technologies
2004-04-12 17:42 <DIR> C:\Program Files\conexant
2004-04-12 17:42 <DIR> C:\Program Files\apoint
2004-04-12 17:39 <DIR> C:\Program Files\Common Files\speechengines
2004-04-12 17:39 <DIR> C:\Program Files\Common Files\odbc
2004-04-12 17:21 <DIR> C:\Program Files\uninstall information
2004-04-12 16:57 <DIR> C:\Program Files\movie maker
2004-04-12 16:50 <DIR> C:\Program Files\xerox
2004-04-12 16:50 <DIR> C:\Documents and Settings\Noel\Application Data\identities
2004-04-12 16:48 <DIR> C:\Program Files\online services
2004-04-12 16:47 <DIR> C:\Program Files\complus applications
2004-04-12 16:47 <DIR> C:\Program Files\Common Files\services
2004-04-12 16:47 <DIR> C:\Program Files\Common Files\mssoap
2004-04-12 16:46 <DIR> C:\Program Files\windowsupdate
2004-04-12 16:46 <DIR> C:\Program Files\msn
2004-04-12 16:45 <DIR> C:\Program Files\windows nt
2004-04-12 16:45 <DIR> C:\Program Files\msn gaming zone
2004-04-12 16:45 <DIR> C:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-16 20:10 468,766,720 C:\hiberfil.sys
2006-07-16 14:42 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-16 14:42 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-16 11:23 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-16 11:23 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-15 17:33 94,208 C:\WINDOWS\system32\W32N50CT.dll
2006-07-15 17:33 17,142 C:\WINDOWS\system32\CBTNDIS5.sys
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"VAIO Update 2"="\"C:\\Program Files\\sony\\vaio update 2\\VAIOUpdt.exe\" /Stationary"
"SonyPowerCfg"="C:\\Program Files\\sony\\vaio power management\\SPMgr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"drsmartloadb"="c:\\\\drsmartloadb.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="\\"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ozow"="C:\\PROGRA~1\\COMMON~1\\ozow\\ozowm.exe"
"Iinl"="\"C:\\Program Files\\sami\\emia.exe\" -vt yazr"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ozow"="C:\\PROGRA~1\\COMMON~1\\ozow\\ozowm.exe"
"Iinl"="\"C:\\Program Files\\sami\\emia.exe\" -vt yazr"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: 16/07/2006 20:30:15.51
ComboFix ver 06.07.16.2 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt

Dr. Web

UPnPFramework.exe;C:\Program Files\Common Files\Sony Shared\vaio media platform;Probably BACKDOOR.Trojan;Incurable.Moved.;
UPnPFramework.exe;C:\Program Files\Common Files\Sony Shared\vaio media platform;Probably BACKDOOR.Trojan;;
A0009382.exe;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Win32.HLLW.MyBot;Deleted.;
A0009383.exe;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Trojan.Click.686;Deleted.;
A0009384.exe;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Trojan.Popuper;Deleted.;
A0009448.dll;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Adware.Dh;Incurable.Moved.;
A0009481.exe;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Trojan.StartPage.1106;Deleted.;
A0009507.dll;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Adware.TargetServer;Incurable.Moved.;
A0009508.exe;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Trojan.DownLoader.6172;Incurable.Moved.;
A0009530.dll;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Adware.Surfside;Incurable.Moved.;
A0009532.exe;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Adware.Surfside;Incurable.Moved.;
A0009533.dll;C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45;Adware.Surfside;Incurable.Moved.;

I hope this helps.

Thanks,
Noel

[sUBs]

Good work. Your pop ups should have stopped.

Please read the rest of this post completely before begining the fix.


Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Please download the file attached - regdel.zip
Double-click the file within & allow it to merge with the Registry.
This will remove some malware entries from the Registry


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

• Tick - 'Show hidden files and folder'
• Untick - 'Hide file extensions for known types'
• Untick - 'Hide protected operating system files'
• Click Yes to confirm & then click OK

Locate and delete the following files/folders: (make sure you get ALL of them)

• C:\Program Files\yazzle sudoku
  C:\Program Files\sami
  C:\Program Files\Common Files\vcclient
  C:\Program Files\Common Files\ozow

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Delete Cookies

4. Click OK
5. Press the CleanUp! button to start the program.


* * * **


Since Panda was unavailable just now, let go with another scanner

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:

1. HiJackThis
2. Combofix
3. Online scan

Please provide details of any problems you encountered whilst performing the above steps

[Bob_66]

Hi,

Thanks again for the continuing help.

I did not encounter any problems for the above steps.

Here is the Kaspersky Online scan report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 16, 2006 10:45:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/07/2006
Kaspersky Anti-Virus database records: 207770
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 42869
Number of viruses found: 7
Number of infected objects: 14 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:59:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Noel\Application Data\Mozilla\Firefox\Profiles\default.xyv\history.dat Object is locked skipped
C:\Documents and Settings\Noel\Application Data\Mozilla\Firefox\Profiles\default.xyv\parent.lock Object is locked skipped
C:\Documents and Settings\Noel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Noel\DoctorWeb\Quarantine\A0009448.dll Object is locked skipped
C:\Documents and Settings\Noel\DoctorWeb\Quarantine\A0009530.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\Documents and Settings\Noel\DoctorWeb\Quarantine\A0009532.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\Documents and Settings\Noel\DoctorWeb\Quarantine\A0009533.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\Documents and Settings\Noel\DoctorWeb\Quarantine\A0009534.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\Documents and Settings\Noel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.xyv\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.xyv\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.xyv\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.xyv\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Noel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Noel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Noel\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45\A0009449.exe/226a.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45\A0009449.exe/IEXPLO~1.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45\A0009449.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45\A0009492.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45\A0009492.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{27BF8BC1-B4A6-4A3C-A23D-E9533E23D685}\RP45\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itircl.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\DHU.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\DHU.exe NSIS: infected - 1 skipped
C:\WINDOWS\Internet Logs\EDWARDS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\DH9013.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\system32\DH9013.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT02cc1.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

Here is the latest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:48:57, on 16/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

And finally, the latest ComboFix log:

Start Time= 16/07/2006 22:49:52.02
Running from: C:\Documents and Settings\Noel\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-16 21:35 <DIR> C:\Program Files\mozilla firefox
2006-07-16 21:29 <DIR> C:\Program Files\common files
2006-07-16 21:25 <DIR> C:\Program Files\spywareblaster
2006-07-16 20:36 <DIR> C:\Documents and Settings\Noel\Application Data\microsoft
2006-07-16 15:08 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-16 14:39 <DIR> C:\Program Files\google
2006-07-16 12:47 <DIR> C:\Program Files\cleanup!
2006-07-16 11:43 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-16 11:42 <DIR> C:\Program Files\xoftspy
2006-07-16 11:31 <DIR> C:\Program Files\ipod
2006-07-16 11:31 <DIR> C:\Program Files\installshield installation information
2006-07-16 11:25 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-16 11:23 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-16 11:23 4,992 C:\WINDOWS\system32\drivers\avgtdi.sys
2006-07-16 11:23 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-16 11:23 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-16 11:23 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-16 11:23 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-16 11:23 <DIR> C:\Program Files\grisoft
2006-07-16 11:23 <DIR> C:\Documents and Settings\Noel\Application Data\avg7
2006-07-16 11:22 <DIR> C:\Program Files\add remove pro
2006-07-15 17:33 <DIR> C:\Program Files\linksys
2006-07-15 17:33 <DIR> C:\Program Files\funk software
2006-07-15 17:33 <DIR> C:\Program Files\Common Files\funk software
2006-07-10 22:11 <DIR> C:\Program Files\msn messenger
2006-07-10 22:11 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-10 21:48 <DIR> C:\Documents and Settings\Noel\Application Data\macromedia
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-02 18:29 <DIR> C:\Documents and Settings\Noel\Application Data\mozilla
2006-06-02 18:28 <DIR> C:\Documents and Settings\Noel\Application Data\talkback
2006-05-13 17:42 <DIR> C:\Documents and Settings\Noel\Application Data\apple computer
2006-05-13 17:35 <DIR> C:\Program Files\divx
2006-05-13 17:11 <DIR> C:\Program Files\crystal player
2006-05-13 17:06 <DIR> C:\Program Files\sony
2006-05-13 16:50 <DIR> C:\Documents and Settings\Noel\Application Data\lavasoft
2006-05-13 16:49 <DIR> C:\Program Files\lavasoft
2006-04-19 21:09 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-04-19 21:09 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-04-19 21:09 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-04-19 21:09 619,156 C:\WINDOWS\system32\divx.dll
2006-04-18 23:31 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-04-18 23:31 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-04-18 23:30 90,112 C:\WINDOWS\system32\dpl100.dll
2006-04-18 23:30 593,920 C:\WINDOWS\system32\dpugui11.dll
2006-04-18 23:30 57,344 C:\WINDOWS\system32\dpv11.dll
2006-04-18 23:30 536,576 C:\WINDOWS\system32\divxsm.exe
2006-04-18 23:30 53,248 C:\WINDOWS\system32\dpugui10.dll
2006-04-18 23:30 344,064 C:\WINDOWS\system32\dpus11.dll
2006-04-18 23:30 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-04-18 23:30 294,912 C:\WINDOWS\system32\dpu11.dll
2006-04-18 23:30 294,912 C:\WINDOWS\system32\dpu10.dll
2006-04-18 23:30 200,704 C:\WINDOWS\system32\dtu100.dll
2006-01-08 15:15 <DIR> C:\Program Files\microsoft visual studio
2006-01-08 15:15 <DIR> C:\Program Files\Common Files\designer
2006-01-08 15:14 <DIR> C:\Program Files\Common Files\system
2006-01-08 15:13 <DIR> C:\Program Files\microsoft office
2006-01-08 15:13 <DIR> C:\Program Files\microsoft frontpage
2006-01-08 15:13 <DIR> C:\Documents and Settings\Noel\Application Data\microsoft web folders
2006-01-08 14:54 <DIR> C:\Program Files\zone labs
2006-01-08 14:36 <DIR> C:\Program Files\microsoft works
2006-01-08 14:33 <DIR> C:\Program Files\boots f2cd
2006-01-07 15:07 <DIR> C:\Program Files\quicktime
2006-01-07 15:06 <DIR> C:\Program Files\itunes
2005-10-26 18:30 <DIR> C:\Documents and Settings\Noel\Application Data\intervideo
2005-10-24 20:08 <DIR> C:\Program Files\dvd shrink
2005-10-24 20:08 <DIR> C:\Program Files\dvd decrypter
2005-10-19 22:21 <DIR> C:\Documents and Settings\Noel\Application Data\ahead
2005-10-19 22:06 <DIR> C:\Program Files\windows media player
2005-10-19 22:04 <DIR> C:\Program Files\ahead
2005-10-19 22:03 <DIR> C:\Program Files\Common Files\ahead
2005-10-19 19:24 <DIR> C:\Documents and Settings\Noel\Application Data\cyberlink
2005-10-19 19:19 <DIR> C:\Program Files\adobe
2005-10-19 19:19 <DIR> C:\Documents and Settings\Noel\Application Data\intertrust
2005-08-20 17:26 <DIR> C:\Program Files\canon
2005-07-22 20:48 <DIR> C:\Documents and Settings\Noel\Application Data\drag'n drop cd+dvd
2005-07-22 20:13 <DIR> C:\Program Files\Common Files\sony shared
2005-07-22 20:02 <DIR> C:\Program Files\moodlogic
2005-07-22 19:56 <DIR> C:\Program Files\Common Files\adobe
2005-07-22 19:49 <DIR> C:\Program Files\Common Files\installshield
2005-07-22 19:43 <DIR> C:\Program Files\intervideo
2004-05-17 19:36 <DIR> C:\Program Files\outlook express
2004-05-17 19:36 <DIR> C:\Program Files\internet explorer
2004-05-17 19:30 <DIR> C:\Program Files\netmeeting
2004-04-15 02:22 <DIR> C:\Documents and Settings\Noel\Application Data\sony corporation
2004-04-13 13:51 <DIR> C:\Documents and Settings\Noel\Application Data\adobe
2004-04-13 13:43 <DIR> C:\Documents and Settings\Noel\Application Data\symantec
2004-04-13 13:42 <DIR> C:\Documents and Settings\Noel\Application Data\sun
2004-04-13 13:41 <DIR> C:\Program Files\java
2004-04-13 13:41 <DIR> C:\Program Files\Common Files\java
2004-04-13 09:15 <DIR> C:\Program Files\lanexpress
2004-04-13 09:09 <DIR> C:\Program Files\ati technologies
2004-04-12 17:42 <DIR> C:\Program Files\conexant
2004-04-12 17:42 <DIR> C:\Program Files\apoint
2004-04-12 17:39 <DIR> C:\Program Files\Common Files\speechengines
2004-04-12 17:39 <DIR> C:\Program Files\Common Files\odbc
2004-04-12 17:21 <DIR> C:\Program Files\uninstall information
2004-04-12 16:57 <DIR> C:\Program Files\movie maker
2004-04-12 16:50 <DIR> C:\Program Files\xerox
2004-04-12 16:50 <DIR> C:\Documents and Settings\Noel\Application Data\identities
2004-04-12 16:48 <DIR> C:\Program Files\online services
2004-04-12 16:47 <DIR> C:\Program Files\complus applications
2004-04-12 16:47 <DIR> C:\Program Files\Common Files\services
2004-04-12 16:47 <DIR> C:\Program Files\Common Files\mssoap
2004-04-12 16:46 <DIR> C:\Program Files\windowsupdate
2004-04-12 16:46 <DIR> C:\Program Files\msn
2004-04-12 16:45 <DIR> C:\Program Files\windows nt
2004-04-12 16:45 <DIR> C:\Program Files\msn gaming zone
2004-04-12 16:45 <DIR> C:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-16 21:27 21,312 C:\WINDOWS\choice.exe
2006-07-16 20:10 468,766,720 C:\hiberfil.sys
2006-07-16 14:42 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-16 14:42 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-16 11:23 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-16 11:23 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-15 17:33 94,208 C:\WINDOWS\system32\W32N50CT.dll
2006-07-15 17:33 17,142 C:\WINDOWS\system32\CBTNDIS5.sys
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"VAIO Update 2"="\"C:\\Program Files\\sony\\vaio update 2\\VAIOUpdt.exe\" /Stationary"
"SonyPowerCfg"="C:\\Program Files\\sony\\vaio power management\\SPMgr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="\\"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: 16/07/2006 22:50:08.21
ComboFix ver 06.07.16.2 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Thanks again,
Noel

[sUBs]

Please do this while I review your log.

I require you to update your copy of Sun's java. Older versions of Java have been identified as entry points for malware.

Updating Java and Clearing Cache

1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
2. It will say "Java Plug-in" under the icon.
3. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
4. Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
5. If you are unable to update you can manually update by going here:
   
   http://www.java.com/en/download/manual.jsp
   
   
6. After the reboot, go back into the Control Panel and double-click the Java Icon.
7. Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
8. Under Temporary Internet Files, click the Delete Files button.
9. There are three options in the window to clear the cache - Leave ALL 3 Checked
   • Downloaded Applets
     Downloaded Applications
     Other Files
10. Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
11. Click OK to leave the Java Control Panel.

[sUBs]

There's a program on your machine which I don't quite approve of - C:\Program Files\xoftspy.
Please take a look at this webpage. For that, I will categorise it as rogueware. By rogueware, it means that this product is of unknown, questionable, or dubious value as anti-spyware protection. Please consider removing it.


While you're at it, delete these files/folders

C:\Documents and Settings\Noel\DoctorWeb\
C:\WINDOWS\DHU.exe
C:\WINDOWS\system32\DH9013.exe
C:\WINDOWS\system32\i


When that's done, your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[Bob_66]

Hi,

THANK YOU SO MUCH FOR YOUR TIME AND EFFORT!

You guys are amazing!!

Noel