Help: C:\Windows\Avguard.exe

[Alvine]

About a week ago my machine was infected with something that I believe is some form of a virus/trojan.

I noticed that Avguard.exe was newly found in my Task Manager's process list. Upon further investigation I found it installed in the Windows directory of my boot drive. Fyi, I have not installed AntiVir's software on my machine.

It seems to be similar to the issue recently resolved here:
http://www.techsupportforum.com/secu...ml#post1790101

It does not respond to the netsky worm removal instructions (circa 2004).

I can terminate the process and delete the offending file, but it has some form of redundancy that allows it to reinstall & restart itself.

Further, I recently discovered that my World of Warcraft account was hijacked, and I presume that event was related to this apparent virus/trojan.

I have since installed Avast! anti-virus software, and run its' system scans, but it has failed to remove the infection - it quarantines the file, but the file simply reinstalls itself post-quarantine.

The scan from VirusTotal can be found here:
http://www.virustotal.com/analisis/c...e3cc7fbf20af9a

Any help in resolving this problem would be greatly appreciated.

Thanks.


Here's my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:48 PM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\avguard.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\mpcodecplg.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195349159937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195346341453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Procedure Call (HPM) (RPCH) - Unknown owner - C:\Program Files\NetMeeting\nmwb.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 10445 bytes

[Alvine]

I apologize for the bump, but I forgot to include the DDS log and necessary attachments.

Here's the DDS log:

DDS (Version 1.0) - NTFSx86
Run by Admin at 19:49:46.32 on Mon 11/17/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.907 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
"C:\WINDOWS\system32\svchost.exe" 40706
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\avguard.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - c:\windows\mpcodecplg.dll
TB: {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [sHotKey] "c:\program files\sony\shotkey\sHotKey.exe"
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\CalibAdobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

============= SERVICES / DRIVERS ===============

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys
R2 CSIScanner;CSIScanner;"c:\program files\prevxcsi\prevxcsi.exe" /service
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe
R2 wowsystemcode;Remote TCP/IP;c:\windows\system32\svchost.exe -k netsvcs
S2 RPCH;Remote Procedure Call (HPM);c:\program files\netmeeting\nmwb.exe
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\netmeeting\Winlog.exe
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM

=============== Created Last 30 ================

2008-11-17 19:41 250 a------- c:\windows\gmer.ini
2008-11-17 17:41 <DIR> --d----- c:\program files\Trend Micro
2008-11-16 23:09 100,864 a------- c:\windows\avguard.exe
2008-11-16 22:20 26,680 a------- c:\windows\system32\drivers\pxark.sys
2008-11-16 22:20 <DIR> --d----- c:\program files\PrevxCSI
2008-11-16 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-11-16 18:24 1,060,864 a------- c:\windows\system32\MFC71.dll
2008-11-16 18:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-11-16 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-16 16:14 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-16 15:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-12 20:19 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 20:19 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-10 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-06 22:58 34 a------- c:\windows\1.ini
2008-11-06 22:50 237,568 a------- c:\windows\system32\wowformf344_716.dll
2008-11-06 22:50 20 a------- c:\windows\syscheck
2008-10-23 20:15 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll

==================== Find3M ====================

2008-11-16 23:08 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 18:35 <DIR> --d----- c:\program files\Sony
2008-10-15 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2008-10-05 22:51 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-05 22:33 <DIR> --d----- c:\docume~1\admin\applic~1\Sony Corporation
2008-10-05 22:29 <DIR> --d----- c:\docume~1\admin\applic~1\Drag'n Drop CD+DVD
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 19:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 11:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-26 01:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-04 23:51 <DIR> --d----- c:\docume~1\admin\applic~1\SoundSpectrum
2008-02-18 16:51 <DIR> --d----- c:\docume~1\admin\applic~1\Move Networks
2007-12-17 19:32 <DIR> --d----- c:\docume~1\admin\applic~1\SystemRequirementsLab
2007-12-10 01:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{E0FD8DB4-0B1B-427B-B11A-E920A60A344E}
2007-12-10 01:11 <DIR> --d----- c:\docume~1\admin\applic~1\Seven Zip
2007-11-22 00:54 <DIR> --d----- c:\docume~1\admin\applic~1\Intuit
2007-11-22 00:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2007-11-18 02:32 <DIR> --d----- c:\docume~1\admin\applic~1\Netscape
2007-11-17 19:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Corporation
2007-11-17 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VAIO Media Platform
2004-04-01 16:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2004-04-01 15:58 <DIR> --d----- c:\docume~1\admin\applic~1\Symantec
2008-06-30 18:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008063020080701\index.dat

============= FINISH: 19:50:09.37 ===============

[tetonbob]

Hello -

As you already noted, the infection steals information, particularly for online game accounts. If you've not already changed passwords from a different computer, please do so.

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

As stated in our pre-posting sticky topic...

http://www.techsupportforum.com/secu...oval-help.html

Quote:

If you have more than one antivirus software installed, leave only ONE and uninstall the others

While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.


I see you have more than one Anti-Virus program installed, Avast and Norton. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

-----------------------------------------------------------------------

If you choose to uninstall Norton

Please use the instructions on this page to completely uninstall your Norton Products.

-----------------------------------------------------------------------

Once you've done that, please run DDS once again, and also run the secondary scan. Post DDS.txt and attach Attach.txt

We'll work on the malware removal after that.

[Alvine]

Thanks for the assistance.

Removed Norton's using the executable from the link you supplied.

[Fyi: Avast! was active during this process and constantly (every 5-30 seconds) prompted me to quarantine the avguard.exe
trojan upon each time it restarted. If you need a scan with the avast! protections disabled, please so advise.]

Here's a fresh DDS scan:

DDS (Version 1.0) - NTFSx86
Run by Admin at 18:53:55.32 on Wed 11/19/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1079 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
"C:\WINDOWS\system32\svchost.exe" 40706
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - c:\windows\mpcodecplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [sHotKey] "c:\program files\sony\shotkey\sHotKey.exe"
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\CalibAdobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe
R2 wowsystemcode;Remote TCP/IP;c:\windows\system32\svchost.exe -k netsvcs
S2 RPCH;Remote Procedure Call (HPM);c:\program files\netmeeting\nmwb.exe
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\netmeeting\Winlog.exe
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM

=============== Created Last 30 ================

2008-11-17 19:41 250 a------- c:\windows\gmer.ini
2008-11-17 17:41 <DIR> --d----- c:\program files\Trend Micro
2008-11-16 23:09 100,864 a------- c:\windows\avguard.exe
2008-11-16 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-11-16 18:24 1,060,864 a------- c:\windows\system32\MFC71.dll
2008-11-16 18:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-11-16 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-16 16:14 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-16 15:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-12 20:19 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 20:19 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-10 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-06 22:58 34 a------- c:\windows\1.ini
2008-11-06 22:50 237,568 a------- c:\windows\system32\wowformf344_716.dll
2008-11-06 22:50 20 a------- c:\windows\syscheck
2008-10-23 20:15 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll

==================== Find3M ====================

2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 18:35 <DIR> --d----- c:\program files\Sony
2008-10-05 22:51 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-05 22:33 <DIR> --d----- c:\docume~1\admin\applic~1\Sony Corporation
2008-10-05 22:29 <DIR> --d----- c:\docume~1\admin\applic~1\Drag'n Drop CD+DVD
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 19:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 11:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-26 01:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-04 23:51 <DIR> --d----- c:\docume~1\admin\applic~1\SoundSpectrum
2008-02-18 16:51 <DIR> --d----- c:\docume~1\admin\applic~1\Move Networks
2007-12-17 19:32 <DIR> --d----- c:\docume~1\admin\applic~1\SystemRequirementsLab
2007-12-10 01:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{E0FD8DB4-0B1B-427B-B11A-E920A60A344E}
2007-12-10 01:11 <DIR> --d----- c:\docume~1\admin\applic~1\Seven Zip
2007-11-22 00:54 <DIR> --d----- c:\docume~1\admin\applic~1\Intuit
2007-11-22 00:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2007-11-18 02:32 <DIR> --d----- c:\docume~1\admin\applic~1\Netscape
2007-11-17 19:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Corporation
2007-11-17 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VAIO Media Platform
2008-06-30 18:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008063020080701\index.dat

============= FINISH: 18:54:22.81 ===============

[tetonbob]

Thanks for the info, these logs will suffice. This may take more than one round to properly eradicate.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   
   ---------------------------------------------------------------------------------------------

[Alvine]

ComboFix Log:

ComboFix 08-11-18.A2 - Admin 2008-11-19 19:36:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1056 [GMT -6:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-17 19:41 . 2008-11-19 18:55 250 --a------ c:\windows\gmer.ini
2008-11-17 17:41 . 2008-11-17 17:41 <DIR> d-------- c:\program files\Trend Micro
2008-11-16 23:09 . 2008-11-19 19:33 100,864 --a------ c:\windows\avguard.exe
2008-11-16 22:20 . 2008-11-19 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-16 18:24 . 2008-11-16 18:24 <DIR> d-------- c:\program files\Alwil Software
2008-11-16 18:24 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-16 18:09 . 2008-11-16 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:59 . 2008-11-16 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 16:14 . 2008-11-16 16:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-16 15:55 . 2008-11-16 15:55 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-12 20:19 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:19 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 20:13 . 2008-11-10 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-06 22:58 . 2008-11-16 15:25 34 --a------ c:\windows\1.ini
2008-11-06 22:50 . 2008-11-06 22:50 237,568 --a------ c:\windows\system32\wowformf344_716.dll
2008-11-06 22:50 . 2008-11-06 22:50 20 --a------ c:\windows\syscheck
2008-10-23 20:15 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 23:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 22:42 --------- d-----w c:\program files\Java
2008-11-07 04:52 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 00:37 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 00:35 --------- d-----w c:\program files\Sony
2008-10-06 04:51 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-06 04:33 --------- d-----w c:\documents and settings\Admin\Application Data\Sony Corporation
2008-10-06 04:29 --------- d-----w c:\documents and settings\Admin\Application Data\Drag'n Drop CD+DVD
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-07-01 00:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008063020080701\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-16 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-16 20560]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2007-11-17 86098]
R2 wowsystemcode;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [2004-03-31 14336]
S2 RPCH;Remote Procedure Call (HPM);c:\program files\NetMeeting\nmwb.exe []
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\NetMeeting\Winlog.exe [2008-11-06 456192]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\2w3so2pw.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 19:37:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-19 19:38:09
ComboFix-quarantined-files.txt 2008-11-20 01:37:54

Pre-Run: 128,479,105,024 bytes free
Post-Run: 128,884,514,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

144 --- E O F --- 2008-11-13 09:02:06

[tetonbob]

Next.....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   http://www.techsupportforum.com/security-center/hijackthis-log-help/314074-help-c-windows-avguard-exe.html#post1812860
   
   Driver::
   wowsystemcode
   
   NetSvc::
   wowsystemcode
   
   Collect::
   c:\windows\avguard.exe
   c:\windows\1.ini
   c:\windows\system32\wowformf344_716.dll
   c:\windows\syscheck
   
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------

[Alvine]

Looks clean. No avast! warnings. No trace of avguard.exe among my process tree....



ComboFix 08-11-18.A2 - Admin 2008-11-19 20:53:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1030 [GMT -6:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\1.ini
c:\windows\avguard.exe
c:\windows\syscheck
c:\windows\system32\wowformf344_716.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WOWSYSTEMCODE
-------\Service_wowsystemcode


((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-17 19:41 . 2008-11-19 18:55 250 --a------ c:\windows\gmer.ini
2008-11-17 17:41 . 2008-11-17 17:41 <DIR> d-------- c:\program files\Trend Micro
2008-11-16 22:20 . 2008-11-19 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-16 18:24 . 2008-11-16 18:24 <DIR> d-------- c:\program files\Alwil Software
2008-11-16 18:24 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-16 18:09 . 2008-11-16 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:59 . 2008-11-16 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 16:14 . 2008-11-16 16:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-16 15:55 . 2008-11-16 15:55 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-12 20:19 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:19 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 20:13 . 2008-11-10 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-23 20:15 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 23:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 22:42 --------- d-----w c:\program files\Java
2008-11-07 04:52 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 00:37 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 00:35 --------- d-----w c:\program files\Sony
2008-10-06 04:33 --------- d-----w c:\documents and settings\Admin\Application Data\Sony Corporation
2008-10-06 04:29 --------- d-----w c:\documents and settings\Admin\Application Data\Drag'n Drop CD+DVD
2008-07-01 00:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008063020080701\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-19_19.37.34.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-11-20 02:56:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_54c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-16 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-16 20560]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2007-11-17 86098]
S2 RPCH;Remote Procedure Call (HPM);c:\program files\NetMeeting\nmwb.exe []
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\NetMeeting\Winlog.exe [2008-11-06 456192]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 20:56:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\eHome\ehsched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\eHome\ehrec.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\windows\system32\rundll32.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-19 20:59:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 02:59:10

Pre-Run: 128,867,176,448 bytes free
Post-Run: 128,790,269,952 bytes free

132 --- E O F --- 2008-11-13 09:02:06

[tetonbob]

Hi -

I don't see that a file was uploaded to our analysis site via ComboFix as expected.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.

[Alvine]

2004-04-01 14:31:07 A------- 111,552 C:\Qoobox\Quarantine\C\WINDOWS\setup.exe.vir
2008-11-06 22:50:13 A------- 20 C:\Qoobox\Quarantine\C\WINDOWS\syscheck.vir
2008-11-06 22:50:13 A------- 237,568 C:\Qoobox\Quarantine\C\WINDOWS\system32\wowformf344_716.dll.vir
2008-11-06 22:58:39 A------- 34 C:\Qoobox\Quarantine\C\WINDOWS\1.ini.vir
2008-11-16 23:09:23 A------- 100,864 C:\Qoobox\Quarantine\C\WINDOWS\avguard.exe.vir
2008-11-19 19:34:36 A------- 714 C:\Qoobox\Quarantine\catchme.log
2008-11-19 19:36:51 A------- 6,947 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-19 19:37:35 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-19 19:37:35 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-19 19:37:35 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-19 20:53:50 A------- 230,316 C:\Qoobox\Quarantine\[4]-Submit_2008-11-19@20.53.zip
2008-11-19 20:54:35 A------- 1,098 C:\Qoobox\Quarantine\Registry_backups\Legacy_WOWSYSTEMCODE.reg.dat
2008-11-19 20:54:35 A------- 3,490 C:\Qoobox\Quarantine\Registry_backups\Service_wowsystemcode.reg.dat
2008-11-19 20:54:44 A------- 287,051 C:\Qoobox\Quarantine\C\WINDOWS\_avguard_.exe.zip

[tetonbob]

Thanks.

• Please visit this site:
  
  
  http://www.bleepingcomputer.com/subm....php?channel=4
  
  
• In the Link to topic where this file was requested: area, copy and paste this
  
  
  http://www.techsupportforum.com/security-center/hijackthis-log-help/314074-help-c-windows-avguard-exe.html#post1812958
  
  
• In the Browse to the file you want to submit: area, copy and paste this
  
  
  C:\Qoobox\Quarantine\[4]-Submit_2008-11-19@20.53.zip
  
  
• Then click Send File.
  
• Once it shows:
  

  Quote:

  Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

• Close the site and let me know.

[Alvine]

File uploaded.

[tetonbob]

Thanks. One of the files doesn't seem to be in that package.

If you would, please perform the same steps for these files:

C:\Qoobox\Quarantine\C\WINDOWS\_avguard_.exe.zip

C:\Qoobox\Quarantine\C\WINDOWS\avguard.exe.vir

[Alvine]

Uploaded both additional files.

[tetonbob]

Thanks again.

Please run this online scan to help look for remnants. One vendor's definitions may find what another's does not.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[Alvine]

This appears clean too - at least of the avguard.exe issue.

Not sure what to make of the Spybot file indicated on the Eset scan log.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3626 (20081119)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=9654f0c29ebabb49a63909c5dc1465d0
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-20 04:39:17
# local_time=2008-11-19 10:39:17 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=306804
# found=1
# scan_time=3039
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb3.zip Win32/Bagle.gen.zip worm 76A9EE02C6D50629609BE99BCDDA43F4

[tetonbob]

Items in Spybot quarantine can be manually removed.


When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files.

1. Open Spybot.
If you have a shortcut on your desktop, double click it.
or
Click Start, then All Programs, then Spybot - Search & Destroy and then Spybot - Search & Destroy.
2. On the left side, click "Recovery".
3. Select (place a check) beside ALL the backup files that contain quarantined items.
4. Click on the Purge Selected Items button.
5. A dialog will appear, stating that the backup will be removed. Click Yes.
6. When the Recovery window is empty, Exit Spybot.

Note:

If you no longer have Spybot S&D installed, which appears it may be the case, simply delete this folder:


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

Other than that, your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Alvine]

Thanks again for all of your assistance.

My problem appears to be fully resolved.

[tetonbob]

You're welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.