All Sorts Of Problems :(

psyk0tic · October 26, 2006

im trying to help my girlfriend fix her laptop right now, it started out, she couldn't log into SSL secured pages/windows/programs. the login boxes would come up as a page cannot be displayed window or window portion. first checked all browser settings, tried a different browser, and nothing. noticed she was slacking on her windows updates, so i ran spybot and adaware then installed windows updates, but the problem still wasnt fixed. booted into safe mode and all works fine. she needs her laptop for school/work, so she currently has it. i'd greatly appreciate any help with this problem, i have visited several support forums already, and i'm either waiting in line, or had some problem with registration, hopefully this one will provide the solution! here is the latest HJT log that I saved from her computer:

Logfile of HijackThis v1.99.1

Scan saved at 9:05:42 PM, on 10/20/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Kati Byers\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aim.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/SRCVOTPD...300956/pop.html

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

O4 - HKLM\..\Run: [TVTunerLib] C:\Program Files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe

O4 - HKLM\..\Run: [iSBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129076522\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfeeVirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.15\PlaxoHelper.exe -a

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk572YYUS

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...876/mcfscan.cab

O20 - AppInit_DLLs:

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfeeVirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfeeVirusScan\VsTskMgr.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe

O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe

O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)

O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)

O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

baker7 · October 26, 2006

noticed she was slacking on her windows updates, so i ran spybot and adaware then installed windows updates, but the problem still wasnt fixed

Just an FYI - and I rarely post in reply to HJT logs. You should always wait until a HJT expert tells you that you are CLEAN before you install any Windows Updates. If you do this on a system that has problems/infections dealing with malware or spyware, you could possibly make finding and fixing the problem harder for the HJT Experts.....

Brian

therock247uk · October 27, 2006

I see you have Norton installed was the SSL problems on the laptop before you installed it?

psyk0tic · October 27, 2006

I see you have Norton installed was the SSL problems on the laptop before you installed it?

i believe so, nothing was added after all of the problems except for HJT, avg, spybot, and ad-aware. she has no idea when or why the problem started, one of the virus scans picks up a win32: agent - BVS trojan, im not sure if that is the source of the problem, but it was found to contaminate some .exe files, and every time i clean/quarantine one, it shows up in another when i scan again... hope it helps a bit.

thanks again.

therock247uk · October 27, 2006

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

psyk0tic · October 27, 2006

is it alright to be going through all of these processes while in safe mode? as of now it seems to be the only way possible to get anything done, as trying to open any files/programs/websites in regular mode takes quite a long time.

psyk0tic · October 27, 2006

here are the results of the panda activescan report:

Incident Status Location

Virus:Trj/Lowzones.SU Disinfected Operating system

thanks again.

therock247uk · October 28, 2006

First download AVG Anti-Spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

[*]Under "Reports"

Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

psyk0tic · October 28, 2006

done, found 96 instances of one virus, and 1 of another, here is the AVG log:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 10:21:53 PM 10/27/2006

+ Scan result:

C:\Program Files\Apoint\Apoint.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0398NAV~.TMP -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\Program Files\Sony\ISB Utility\ISBMgr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\Program Files\SymNetDrv\SNDMon.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\Program Files\verizon\Servicepoint\VerizonServicepoint.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023689.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023690.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023691.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023692.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023693.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023694.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023695.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023696.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023697.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023698.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023699.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023700.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023701.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023702.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023703.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023704.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023705.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023706.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023707.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023708.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023709.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023710.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023711.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP144\A0023712.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP145\A0023723.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026034.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026035.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026036.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026037.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026038.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026039.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026040.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026041.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026042.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026043.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026044.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026045.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026046.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026047.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026048.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026049.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026050.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026051.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026052.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026053.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026054.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026055.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP166\A0026056.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026401.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026402.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026403.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026404.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026405.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026406.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026407.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026408.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026409.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026410.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026411.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026412.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026413.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026414.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026415.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026416.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026417.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026418.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026419.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026420.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026421.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026422.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026423.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0026424.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033068.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033069.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033070.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033071.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033083.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033084.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033085.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033086.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033087.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0036105.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0036107.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0036108.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0036109.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0036110.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0036115.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP168\A0037318.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP168\A0037319.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP167\A0033072.ocx -> Downloader.IstBar : Cleaned with backup (quarantined).

::Report end

thank you again.

edit: in addition, upon restarting her computer and booting into normal mode, her wallpaper loads up, but no desktop icons appear, and nothing seems to work.

Edited October 28, 2006 by psyk0tic

therock247uk · October 28, 2006

Does safemode work?

psyk0tic · October 28, 2006

yes, safemode is still working, i ran AVG again after restarting again in safemode, and another 6 instances of the trojan came up in the restore files...restarted again, scanned again, and it came up clean, booted into normal mode again, and the desktop came up, but the original problem is still there, and it runs extremely slow...

therock247uk · October 28, 2006

Download http://noahdfear.geekstogo.com/FindAWF.exe Save to desktop and run and post me the log it makes.

psyk0tic · October 28, 2006

Here is the log as per requested:

21504 byte files found

~~~~~~~~~~~~~

21504 byte files sorted with strings

~~~~~~~~~~~~~~~~~~~~~

25600 byte files found

~~~~~~~~~~~~~

25600 C:\DOCUME~1\KATIBY~1\DESKTOP\EDUCAT~1\SOCIAL~1\AFRICA~1.WPS

25600 byte files sorted with strings

~~~~~~~~~~~~~~~~~~~~~

26450 byte files found

~~~~~~~~~~~~~

26450 byte files sorted with strings

~~~~~~~~~~~~~~~~~~~~~

bak folders found

~~~~~~~~~~~

Directory of C:\PROGRA~1\APOINT\BAK

11/07/2003 08:21 PM 114,688 Apoint.exe

1 File(s) 114,688 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/11/2005 08:24 PM 98,304 qttask.exe

1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

10/17/2005 09:11 PM 100,056 SNDMon.exe

1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/29/2005 05:33 PM 77,824 hkcmd.exe

06/29/2005 05:33 PM 114,688 igfxpers.exe

06/29/2005 05:33 PM 94,208 igfxtray.exe

3 File(s) 286,720 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/05/2005 06:06 PM 48,752 ccApp.exe

1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

08/15/2006 08:42 PM 3,661,824 googletalk.exe

1 File(s) 3,661,824 bytes

Directory of C:\PROGRA~1\PLAXO\262~1.15\BAK

04/12/2006 12:40 PM 182,860 PlaxoHelper.exe

1 File(s) 182,860 bytes

Directory of C:\PROGRA~1\REALTEK\INSTAL~1\BAK

04/29/2005 05:56 PM 45,056 AzMixerSel.exe

1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 01:00 PM 49,152 OpwareSE2.exe

1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SONY\ISBUTI~1\BAK

02/20/2004 05:12 PM 32,768 ISBMgr.exe

1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\SONY\VAIOPO~1\BAK

05/15/2005 08:51 AM 184,320 SPMgr.exe

1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\SONY\VAIOZO~1\BAK

01/31/2005 01:10 PM 192,512 AvRmtCtr.exe

1 File(s) 192,512 bytes

Directory of C:\PROGRA~1\VERIZON\SERVIC~1\BAK

02/01/2006 07:33 PM 1,880,064 VerizonServicepoint.exe

1 File(s) 1,880,064 bytes

Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\BAK

05/23/2005 02:20 PM 50,744 VERIZO~1.EXE

1 File(s) 50,744 bytes

Directory of C:\WINDOWS\SONYSYS\VAIORE~1\BAK

04/20/2003 12:08 AM 28,672 PartSeal.exe

1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 12:59 PM 124,520 IPHSend.exe

1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/09/2004 09:03 AM 81,920 issch.exe

08/09/2004 09:03 AM 221,184 isuspm.exe

2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\COMMON~1\SONYSH~1\TVTUNE~1\BAK

02/16/2005 09:41 PM 245,760 TVTLInstTool.exe

1 File(s) 245,760 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

06/03/2005 06:52 AM 36,975 jusched.exe

1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\112907~1\EE\BAK

04/20/2006 01:10 PM 50,792 AOLSoftware.exe

1 File(s) 50,792 bytes

Directory of C:\PROGRA~1\WALGRE~1\WALGRE~1\DATA\XTRAS\BAK

05/19/2005 05:59 PM 176,128 mssysmgr.exe

1 File(s) 176,128 bytes

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

114688 Nov 7 2003 "C:\Program Files\Apoint\bak\Apoint.exe"

114688 Nov 7 2003 "C:\WINDOWS\Drivers\TOUCHPAD\Apoint.exe"

98304 Oct 11 2005 "C:\Program Files\QuickTime\bak\qttask.exe"

100056 Oct 17 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"

77824 Jun 29 2005 "C:\WINDOWS\Drivers\INTEL 915G GRAPHICS\hkcmd.exe"

77824 Jun 29 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"

114688 Jun 29 2005 "C:\WINDOWS\Drivers\INTEL 915G GRAPHICS\igfxpers.exe"

114688 Jun 29 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"

94208 Jun 29 2005 "C:\WINDOWS\Drivers\INTEL 915G GRAPHICS\igfxtray.exe"

94208 Jun 29 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"

48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

32768 Feb 20 2004 "C:\Program Files\Sony\ISB Utility\bak\ISBMgr.exe"

184320 May 15 2005 "C:\Program Files\Sony\VAIO Power Management\bak\SPMgr.exe"

192512 Jan 31 2005 "C:\Program Files\Sony\VAIO Zone Remote Commander\bak\AvRmtCtr.exe"

1880064 Feb 1 2006 "C:\Program Files\verizon\Servicepoint\bak\VerizonServicepoint.exe"

50744 May 23 2005 "C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE"

122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\VerizonSetPanFolder.exe"

28672 Apr 20 2003 "C:\WINDOWS\SONYSYS\VAIO Recovery\bak\PartSeal.exe"

124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"

81920 Aug 9 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

221184 Aug 9 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"

36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"

36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"

176128 May 19 2005 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\bak\mssysmgr.exe"

end of report

therock247uk · October 28, 2006

Ok you have a infection which replaced legit files with a copy of its own as you see in Ewido..

C:\Program Files\Apoint\Apoint.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0398NAV~.TMP -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Sony\ISB Utility\ISBMgr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\SymNetDrv\SNDMon.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\verizon\Servicepoint\VerizonServicepoint.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).

In C:\WINDOWS\SYSTEM32\BAK are backups it made of the legit file you need to copy them back over to the real folders from above.

Let me know if you have any problems then we need to clear out your system restore points as they are infected to...

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

After doing all that do...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:
- Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information in your next post.

psyk0tic · October 28, 2006

in C:\WINDOWS\System32\bak are 3 files:

hkcmd.exe, igfxpers.exe, and igfxtray.exe

i do not see any backup files in this folder

Edit: ahhh sorry, thought you meant backups of the files you posted in the quote. i think i got it now...

Edited October 28, 2006 by psyk0tic

therock247uk · October 28, 2006

hkcmd.exe, igfxpers.exe, and igfxtray.exe

Them files need to be moved back to c:\windows\system32 to.

There should be folders in C:\WINDOWS\SYSTEM32\BAK to.

psyk0tic · October 28, 2006

here are the results of the Kaspersky scan:

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Saturday, October 28, 2006 6:15:40 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 28/10/2006

Kaspersky Anti-Virus database records: 235957

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

C:\

E:\

Scan Statistics:

Total number of scanned objects: 50434

Number of viruses found: 2

Number of infected objects: 3 / 0

Number of suspicious objects: 0

Duration of the scan process: 00:33:16

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Kati Byers\.housecall6.6\Quarantine\A0024332.dll.bac_a01640 Infected: not-a-virus:AdWare.Win32.Comet.c skipped

C:\Documents and Settings\Kati Byers\.housecall6.6\Quarantine\A0026908.dll.bac_a01640 Infected: not-a-virus:AdWare.Win32.Comet.c skipped

C:\Documents and Settings\Kati Byers\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Kati Byers\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Kati Byers\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Kati Byers\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kati Byers\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Kati Byers\ntuser.dat Object is locked skipped

C:\Documents and Settings\Kati Byers\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5BFE212F.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ac skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.

all bak files were moved back to their folders. thank you again

therock247uk · October 28, 2006

Post a new Hijackthis log here in a reply and let me know how things are running.

psyk0tic · October 28, 2006

Here is the new HiJackthis log. going to try to boot into normal mode again, will post with an update.

Logfile of HijackThis v1.99.1

Scan saved at 6:41:13 PM, on 10/28/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\HJT\HijackThis.exe