Spyware Removal <ab>

Rick210468 · May 11, 2005

Hi all,

I have recently experienced spyware intalling itself on my machine. Quite frankly I need help. I have downloaded spybot search and destroy, paid for adaware se pro and spyware eliminator (something like Â£80 in all) all of which have not been able remove anything from my laptop.

My symptoms are:

1 Sites automatically added to my favourites.

2 My browser resetting itself to : about:blank

After scanning my laptop with the relevant spyware software the results are:

Cooolwwwsearch.aff.winshow

URLSearchHook.Atlpz

Startpage-EH

I have printed off and read through the the case that was resolved for cultchie_girl

but am not too sure if I am doing the right trhing firstly and secondly am slightly worried about deletingthings from the registry that could eally damage my system.

I have conducted a hijackthis scan and the results are:

Logfile of HijackThis v1.99.1

Scan saved at 21:23:40, on 10/05/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALURIA~1\asKernel.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\TightVNC\WinVNC.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\system32\ICO.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Program Files\sony\vaio power management\SPMgr.exe

C:\Program Files\sony\vaio update 2\VAIOUpdt.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\WINDOWS\Logi_MwX.Exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\appvy.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

C:\Program Files\Maximizer\Mxalarm.exe

C:\Program Files\Maximizer\Mxfinder.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\sony\BlueSpace\BlueSpaceNE.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

C:\Documents and Settings\Roderick Thorn\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {B784881A-C236-6F52-D86B-285DC0FC4011} - C:\WINDOWS\syskb32.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe

O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

O4 - HKLM\..\Run: [switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\system32\appvy.exe

O4 - HKLM\..\RunOnce: [ipju32.exe] C:\WINDOWS\system32\ipju32.exe

O4 - Startup: BlueSpace NE.lnk = C:\Program Files\sony\BlueSpace\BlueSpaceNE.exe

O4 - Startup: Mortgage Brain Scheduler.LNK = C:\MBL\scheduler\MBScheduler.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\Mxalarm.exe

O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\Mxfinder.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O15 - Trusted Zone: *.sony-europe.com

O15 - Trusted Zone: *.sonystyle-europe.com

O15 - Trusted Zone: *.vaio-link.com

O15 - Trusted IP range: http://192.168.0.1

O15 - Trusted IP range: http://81.77.11.109

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCA264C7-B389-495F-82BF-939BF9C043C6}: NameServer = 195.92.195.94,195.92.195.95

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Workstation NetLogon Service ( 11FÃŸÃ¤#Â·ÂºÃ„Ã–`I) - Unknown owner - C:\WINDOWS\system32\ntsg32.exe (file missing)

O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe

O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~1\asKernel.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe

O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\sony\VAIO Media Integrated Server\VMISrv.exe

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)

O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)

O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

I really do not know what the hell I am doing and need step by step guidance in plane english as to how to get rid of this stuff off my laptop. I have to say I did not know that services / forums like this existed. I am really impressed. Thank you in advance.

Regards

Rick

alsocom · May 12, 2005

Hello Rick and welcome to BestTechie.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Prepare CWShredder for use:
- Download CWShredder.
- Save CWShredder.exe to a convenient location.
- Please do not do anything with it yet.

[*]Prepare AboutBuster for use:

Download AboutBuster.
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update".
You should not run the program yet so click "Exit".

[*]Prepare cwsserviceremove.reg for use:

Download cwsserviceremove.zip.
Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
Delete the cwsserviceremove.zip folder.
Please do not do anything with it yet.

[*]Reconfigure Windows XP to show hidden files:

Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

[*]Disable the offending service.

Go to Start->Run and type Services.msc then hit Ok
Scroll down and find the service called : Workstation NetLogon Service
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you donÂ´t find this service listed go ahead with the next steps.

Boot into Safe Mode:

Restart your computer and immediately begin tapping the F8 key on your keyboard.

If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

To return to normal mode just restart your computer as you normally would.

Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".

[*]Remove the offending service:

Double-click on cwsserviceremove.reg you downloaded earlier.
When it asks you to merge the information to the registry click "Yes".

[*]Run AboutBuster and save the logs:

Browse to where you saved AboutBuster and run AboutBuster.exe.
Click OK at the directions prompt.
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I need a copy of it.

[*]Fix with Hijackthis:

Open Hijackthis, Run a scan and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lhuvy.dll/sp.html#83556
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B784881A-C236-6F52-D86B-285DC0FC4011} - C:\WINDOWS\syskb32.dll
O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\system32\appvy.exe
O4 - HKLM\..\RunOnce: [ipju32.exe] C:\WINDOWS\system32\ipju32.exe
O23 - Service: Workstation NetLogon Service ( 11FÃŸÃ¤#Â·ÂºÃ„Ã–`I) - Unknown owner - C:\WINDOWS\system32\ntsg32.exe (file missing)
With all other programs and browsers closed, click fix checked.

[*]Delete the following files:

C:\WINDOWS\system32\appvy.exe
C:\WINDOWS\system32\ipju32.exe
C:\WINDOWS\system32\ntsg32.exe

[*]Clean out temporary files:

Start | Run | type cleanmgr | OK
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Click "OK" to remove them.
Click "Yes" to confirm the deletion.

[*]Restart your computer normally to return to normal mode.

[*]Free TrendMicro Housecall scan:

You'll need to use Internet Explorer or Netscape browsers to run this scan.
Vist the TrendMicro Housecall website.
Select your country from the drop-down list and click "Go".
Choose "Yes" at the ActiveX Security Warning prompt.
Please wait while the Housecall engine is updated.
Select the drives to be scanned by placing a check in their respective boxes.
Check the "Auto Clean" box.
Click "SCAN" in order to begin scanning your system.
Please be patient while Housecall scans your system for malicious files.
If not auto-cleaned, remove anything it finds.
Click "Close" to exit the Housecall scanner.
Choose "Yes" at the HouseCall message prompt.

[*]Prepare your reply:

Please post a fresh HijackThis log as a reply to this thread.
Please post the AboutBuster log.
Please note any complications you had.

Rick210468 · May 12, 2005

Alan,

I have followed the intructions that you provided. At point 5 the instruction stated to delete the following files

C:\WINDOWS\system32\appvy.exe

C:\WINDOWS\system32\ipju32.exe

C:\WINDOWS\system32\ntsg32.exe

I did this by going to search under start and searched for each file. The last one did not appear. I checked for it three times in order to be sure.

Also, in point 4 the only files that appeared and that I checked were:

04 - HKLM\..\Run:[appvy.exe]C:\WINDOWS\system32\appvy.exe

04 - HKLM\..\RunOnce[ipju32.exe]C:\WINDOWS\system32\ipju.exe

So I checked the boxes and clicked on fix checked.

Here is the about blaster log:

Scanned at: 18:46:45 on: 12/05/2005

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 26

Removed Data Streams:

C:\WINDOWS\KB885835.log:azuht

C:\WINDOWS\opt_5030.ini:vgqlz

C:\WINDOWS\Q323183.log:abzru

C:\WINDOWS\SLSPTLNO.INI:pdani

Removed! : C:\WINDOWS\hswjz.dat

Removed! : C:\WINDOWS\system32\ekrge.dat

Attempted Clean Of Temp folder.

Pages Reset... Done!

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 26

Removed Data Streams:

C:\WINDOWS\KB885835.log:azuht

C:\WINDOWS\opt_5030.ini:vgqlz

C:\WINDOWS\Q323183.log:abzru

C:\WINDOWS\SLSPTLNO.INI:pdani

Attempted Clean Of Temp folder.

Pages Reset... Done!

Here is the hijackthis log:

Logfile of HijackThis v1.99.1

Scan saved at 18:50:34, on 12/05/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Roderick Thorn\Desktop\HijackThis.exe

O1 - Hosts: 84.66.219.98 cfm.zapto.org

O1 - Hosts: 70.85.147.68 forum.iamnotageek.com

O1 - Hosts: 66.197.95.135 gallys.40somethingmag.com

O1 - Hosts: 66.35.253.32 housecall.trendmicro.com

O1 - Hosts: 207.246.157.244 oldsexlinks.com

O1 - Hosts: 67.138.240.11 primehostreviews.com

O1 - Hosts: 66.28.176.86 shadow.atkingdom.com

O1 - Hosts: 207.246.157.249 spunkermovies.com

O1 - Hosts: 195.171.171.21 www.bankofscotland.co.uk

O1 - Hosts: 67.43.1.57 www.besttechie.net

O1 - Hosts: 66.55.148.147 www.cosmic-cum.com

O1 - Hosts: 66.28.176.236 www.erotiqlinks.com

O1 - Hosts: 194.60.170.7 www.experian.co.uk

O1 - Hosts: 63.105.4.85 www.hsbc.com

O1 - Hosts: 66.250.223.113 www.localfoxes.net

O1 - Hosts: 64.255.176.12 www.naughtyofficegallery.com

O1 - Hosts: 63.105.4.113 www.offshore.hsbc.com

O1 - Hosts: 205.241.15.113 www.offshore.hsbc.com

O1 - Hosts: 212.227.253.104 www.safer-networking.org

O1 - Hosts: 69.50.130.78 www.snakesworld.com

O1 - Hosts: 69.50.130.77 www.sonofsnake.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe

O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [appvy.exe] C:\WINDOWS\system32\appvy.exe

O4 - HKLM\..\RunOnce: [ipju32.exe] C:\WINDOWS\system32\ipju32.exe

O4 - HKLM\..\RunOnce: [javaml.exe] C:\WINDOWS\javaml.exe

O4 - HKLM\..\RunOnce: [addjw32.exe] C:\WINDOWS\addjw32.exe

O4 - HKLM\..\RunOnce: [appsk32.exe] C:\WINDOWS\appsk32.exe

O4 - HKLM\..\RunOnce: [mfcgm.exe] C:\WINDOWS\mfcgm.exe

O4 - HKLM\..\RunOnce: [ielg32.exe] C:\WINDOWS\system32\ielg32.exe

O4 - HKLM\..\RunOnce: [d3os.exe] C:\WINDOWS\system32\d3os.exe

O4 - HKLM\..\RunOnce: [iptm32.exe] C:\WINDOWS\iptm32.exe

O4 - HKLM\..\RunOnce: [apixw.exe] C:\WINDOWS\apixw.exe

O4 - HKLM\..\RunOnce: [ipod.exe] C:\WINDOWS\system32\ipod.exe

O4 - HKLM\..\RunOnce: [appby32.exe] C:\WINDOWS\appby32.exe

O4 - HKLM\..\RunOnce: [netat.exe] C:\WINDOWS\netat.exe

O4 - HKLM\..\RunOnce: [javaev.exe] C:\WINDOWS\javaev.exe

O4 - HKLM\..\RunOnce: [mfcfj32.exe] C:\WINDOWS\system32\mfcfj32.exe

O4 - HKLM\..\RunOnce: [ntyh32.exe] C:\WINDOWS\ntyh32.exe

O4 - HKLM\..\RunOnce: [appdk.exe] C:\WINDOWS\system32\appdk.exe

O4 - HKLM\..\RunOnce: [ntqp32.exe] C:\WINDOWS\system32\ntqp32.exe

O4 - HKLM\..\RunOnce: [d3xi32.exe] C:\WINDOWS\system32\d3xi32.exe

O4 - HKLM\..\RunOnce: [ipdd.exe] C:\WINDOWS\system32\ipdd.exe

O4 - HKLM\..\RunOnce: [ipiz.exe] C:\WINDOWS\ipiz.exe

O4 - HKLM\..\RunOnce: [appwb32.exe] C:\WINDOWS\appwb32.exe

O4 - HKLM\..\RunOnce: [sysfc.exe] C:\WINDOWS\sysfc.exe

O4 - HKLM\..\RunOnce: [javalw32.exe] C:\WINDOWS\javalw32.exe

O4 - HKLM\..\RunOnce: [sdkwc32.exe] C:\WINDOWS\sdkwc32.exe

O4 - HKLM\..\RunOnce: [mfcke.exe] C:\WINDOWS\mfcke.exe

O4 - HKLM\..\RunOnce: [winar.exe] C:\WINDOWS\system32\winar.exe

O4 - HKLM\..\RunOnce: [mfcev.exe] C:\WINDOWS\mfcev.exe

O4 - HKLM\..\RunOnce: [ippo32.exe] C:\WINDOWS\system32\ippo32.exe

O4 - HKLM\..\RunOnce: [apisy32.exe] C:\WINDOWS\apisy32.exe

O4 - HKLM\..\RunOnce: [ipmj.exe] C:\WINDOWS\system32\ipmj.exe

O4 - HKLM\..\RunOnce: [crin32.exe] C:\WINDOWS\system32\crin32.exe

O4 - HKLM\..\RunOnce: [ntrv.exe] C:\WINDOWS\system32\ntrv.exe

O4 - HKLM\..\RunOnce: [sdkfk32.exe] C:\WINDOWS\system32\sdkfk32.exe

O4 - HKLM\..\RunOnce: [sdklh32.exe] C:\WINDOWS\sdklh32.exe

O4 - HKLM\..\RunOnce: [atlqd32.exe] C:\WINDOWS\atlqd32.exe

O4 - HKLM\..\RunOnce: [sdktp32.exe] C:\WINDOWS\sdktp32.exe

O4 - HKLM\..\RunOnce: [d3yt.exe] C:\WINDOWS\system32\d3yt.exe

O4 - HKLM\..\RunOnce: [crzb32.exe] C:\WINDOWS\crzb32.exe

O4 - HKLM\..\RunOnce: [javanq.exe] C:\WINDOWS\system32\javanq.exe

O4 - HKLM\..\RunOnce: [crtn.exe] C:\WINDOWS\system32\crtn.exe

O4 - HKLM\..\RunOnce: [mfchr.exe] C:\WINDOWS\system32\mfchr.exe

O4 - HKLM\..\RunOnce: [d3bd.exe] C:\WINDOWS\system32\d3bd.exe

O4 - HKLM\..\RunOnce: [sdkqk.exe] C:\WINDOWS\system32\sdkqk.exe

O4 - HKLM\..\RunOnce: [sysgf32.exe] C:\WINDOWS\system32\sysgf32.exe

O4 - HKLM\..\RunOnce: [ipgf.exe] C:\WINDOWS\system32\ipgf.exe

O4 - HKLM\..\RunOnce: [mfckr32.exe] C:\WINDOWS\system32\mfckr32.exe

O4 - HKLM\..\RunOnce: [winig.exe] C:\WINDOWS\winig.exe

O4 - HKLM\..\RunOnce: [javahw32.exe] C:\WINDOWS\javahw32.exe

O4 - HKLM\..\RunOnce: [netxe32.exe] C:\WINDOWS\system32\netxe32.exe

O4 - HKLM\..\RunOnce: [ipfu.exe] C:\WINDOWS\ipfu.exe

O4 - HKLM\..\RunOnce: [netgu.exe] C:\WINDOWS\system32\netgu.exe

O4 - HKLM\..\RunOnce: [d3vj.exe] C:\WINDOWS\d3vj.exe

O4 - HKLM\..\RunOnce: [sdkly32.exe] C:\WINDOWS\system32\sdkly32.exe

O4 - HKLM\..\RunOnce: [javaej.exe] C:\WINDOWS\system32\javaej.exe