# Solved: Windows crashed my computer too



## SPANKIE64 (Feb 12, 2010)

I too was affected by the update this week. I am a novice at best who has been searching for answers since my Sony Vaio went down this week (Windows XP). I do not have a CD, as it was built into my computer when I bought it in '03. What do you do if you do not have a CD? I am typing this using Ubuntu (Linux). I have not downloaded it to my computer; it is on a disk that my son got from his friend. I am getting two different error messages now. They are: 1) INF file txtsetup.sif is corrupt or missing, status 14. 2) In my BIOS, IDE primary slave not detected. Can anyone help me? Thank you.


----------



## Macboatmaster (Jan 15, 2010)

When you say "affected by the update", to what extent, please?


----------



## SPANKIE64 (Feb 12, 2010)

After the update ran this week (2/09/10), I turned off my computer for the evening, updates ran, and when I turned it on in the morning I got a black screen that said Windows was unable to start up and I needed to reboot using one of several options listed on the screen. There were several different options. I selected them one at a time and the computer kept turning off and rebooting to no avail. I tried safe mode, normal mode, last good something mode... nothing worked. When I try to do safe mode I just get a boot options menu where I can select what to boot first. When I turn on the computer a blank screen comes up saying "INF file txtsetup.sif is corrupt or missing. Status 14. Press any key to exit". After hitting a key it just reboots and brings the same screen up.

I supposedly found a solution online. Then I went to a friend's house and burned Ubuntu to a CD. I also took 3 files off of their computer and put them on a flash drive. They were boot.ini, ntldr, and NTDETECT.COM. Then I went onto Ubuntu on my PC and replaced the ones on the flash drive with the ones on my PC. No luck.

At the BIOS menu (hit F2 at startup), one of the things says under IDE Devices, "IDE Primary Slave Not Detected."
Is that bad? We have one 128GB hard drive split into C and D drives. Is that a problem? What should it show on the screen?

How do i fix my pc?


----------



## LauraMJ (Mar 18, 2004)

Hi,

This thread may be of help to you. It has links in it to other threads with more information.

http://forums.techguy.org/windows-xp/902282-windows-update.html


----------



## Midseven (Feb 10, 2010)

Fix your BSOD with this: http://social.answers.microsoft.com/...c-e292b69f2fd1

After that, you can check my post where I explain that malware (a rootkit named TDSS) seems to be the most probable reason. I was able to disinfect it and reapply KB977165 without problem and NO MORE BSOD: http://forums.techguy.org/7211647-post157.html

Thank you all for your help since Tuesday.


----------



## SPANKIE64 (Feb 12, 2010)

OK, I burned the recovery console ISO to a disc on a neighbor's computer. Now I tried to use the repair thing and typed all of the previous commands that were posted. NONE of them worked. What exactly do I need to type on the command line? Also, when I start the repair it gives me 2 options: 1. C:\i386 and 2. E:\Windows. Which one do I choose?


----------



## SPANKIE64 (Feb 12, 2010)

Jack_Stranger said:


> Sure, but that was not the case, as I scanned the old atapi.sys and it was not infected. Any possibility that any of these recent updates changed it?
> 
> Now I have a new problem, as Windows Update doesn't detect any new update; however, I uninstalled all of them using the 'spuninst' method. Any thoughts?
> 
> Thank you in advance


What exactly did you type to remove the update? I tried all of them but none of the commands worked.


----------



## SPANKIE64 (Feb 12, 2010)

How do I get it so the command line says C:\WINDOWS? Mine gives me the following 2 options: 1. C:\i386 or 2. E:\WINDOWS


----------



## SPANKIE64 (Feb 12, 2010)

I got the XP RC on a disc from the ISO someone posted. When we open the repair it gives us 2 options: 1. C:\i386 or 2. E:\WINDOWS. How do I get it to say C:\WINDOWS?


----------



## Cookiegal (Aug 27, 2003)

Please do not start threads all over the place.

I've split all of your posts off into a thread of your own. It's getting much too difficult to follow with everyone posting in one thread.

What is the drive letter of your primary drive where your Windows installation is?


----------



## SPANKIE64 (Feb 12, 2010)

Our C drive is where the Windows installation stuff is. Thanks for your help.


----------



## SPANKIE64 (Feb 12, 2010)

Can someone please help we have been without our computer for days now.


----------



## Macboatmaster (Jan 15, 2010)

You TYPE the cmds listed on the link that LauraMJ sent you at the C:\Windows cmd prompt.
If you are not at the C cmd prompt but C cmd with something else,
type "cd\" and Enter; that will take you to just the C prompt.
Sorry, saw your message that C:\ is Windows.
Then saw your post above re C:\ and E:\.

Your normal Windows load is on E; the C:\i386 is more than likely just a backup of Windows.
TYPE ON E:\Windows.


----------



## SPANKIE64 (Feb 12, 2010)

OK, thanks. I just tried this command on E:\ with no luck: CHDIR $NtUninstallKB977165$\spuninst


----------



## LauraMJ (Mar 18, 2004)

You have to type the ENTIRE list of directions. There are five commands to type. You need to do ALL of them. Hit "enter" after each command.


----------



## SPANKIE64 (Feb 12, 2010)

LauraMJ said:


> You have to type the ENTIRE list of directions. There are five commands to type. You need to do ALL of them. Hit "enter" after each command.


I know, but I can't even get the first one to work.


----------



## Macboatmaster (Jan 15, 2010)

LauraMJ
I have never known a Microsoft update to cause problems for so many people. I cannot believe that this is all down to pre-existing viruses. Can you?


----------



## Cookiegal (Aug 27, 2003)

Are you not getting an E:\WINDOWS prompt, or is it just an E:\ prompt?


----------



## LauraMJ (Mar 18, 2004)

Macboatmaster said:


> LauraMJ
> I have never known a Microsoft update to cause problems for so many people. I cannot believe that this is all down to pre-existing viruses. Can you?


Actually, yeah, I can. XP's SP3 did the same thing to a lot of people, mostly because the computer had a registry file associated with a particular company's image that conflicted with the service pack, or because the OS was compromised, such as by malware or an illegal installation. If I remember correctly, there was another update that did this sort of thing too, but I can't remember the details now.

General consensus is that the vast majority of the problems with this update are because of malware (a rootkit) on the computer when the update was applied, either in the atapi.sys file or another driver file.


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Are you not getting an E:\WINDOWS prompt or is it just and E:\ prompt?


Mine is E:\WINDOWS?


----------



## Macboatmaster (Jan 15, 2010)

SPANKIE64,
My advice is to take a breather. You have been at this a long time now.
Have a break, come back and take it step by step.
YOU TYPE ALL the cmds in the link provided by Cookiegal
AT the E:\Windows prompt
AND then press Enter.
The E:\ prompt on its own is for OTHER cmds such as the chkdsk cmd etc.
YOU want to amend the Windows directory, so that Windows will load.
JUST TAKE YOUR TIME


----------



## SPANKIE64 (Feb 12, 2010)

OK, I got the first to work but the second is not (BATCH spuninst.txt). It is saying access denied 15 times.


----------



## SPANKIE64 (Feb 12, 2010)

SPANKIE64 said:


> OK, I got the first to work but the second is not (BATCH spuninst.txt). It is saying access denied 15 times.


Going to church; can someone find an answer for me? Also, when I chose E:\WINDOWS it told me to put in the admin password. I hit Enter because I don't think we ever used one. But it accepted the blank password.


----------



## Cookiegal (Aug 27, 2003)

What does your command prompt look like now?


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> What does your command prompt look like now?


E:\WINDOWS\$NTUNINSTALLKB977165$\SPUNINST. How do I get the next command to work?


----------



## Macboatmaster (Jan 15, 2010)

Look at the attachment. It is a Word doc.
SEE THE amendment at the bottom of the page. THERE IS NO SPACE between the last identifier of the update and the $.
Follow the instructions.
Type EACH cmd and then press Enter.


----------



## SPANKIE64 (Feb 12, 2010)

Macboatmaster said:


> Look at the attachment. It is a Word doc.
> SEE THE amendment at the bottom of the page. THERE IS NO SPACE between the last identifier of the update and the $.
> Follow the instructions.
> Type EACH cmd and then press Enter.


K. The first one works but the second command doesn't. Also, can you post the contents of the attachment? I am using my wireless internet and my Wii to access help from this site, so I can't view it.


----------



## Cookiegal (Aug 27, 2003)

SPANKIE64 said:


> ok i got the first to work but the second is not. (BATCH spuninst.txt) It is saying access denied 15 times.


Did you see it running down files and putting up Access Denied messages, or did you get those messages only once, each time you tried the command?

My thinking is it might have worked as some files will be in use and access is denied to those files.

I would try the exit command (no need to do the systemroot one) and see if that works and then reboot and see if boots to windows.


----------



## LauraMJ (Mar 18, 2004)

> Also, can you post the contents of the attachment? I am using my wireless internet and my Wii to access help from this site, so I can't view it.


It was just re-iterating the command process:

Once you are in the Repair Screen:

2. Type this command: CHDIR $NtUninstallKB978262$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. Repeat steps 2 - 4 for each of the following updates:

* KB978262
* KB971468
* KB978037
* KB975713
* KB978251
* KB978706
* KB977165
* KB975560
* KB977914

6. When complete, type this command: exit


----------



## Macboatmaster (Jan 15, 2010)

Follow these steps:

1. Boot from your Windows XP CD or DVD and start the Recovery Console

Once you are in the Repair Screen:
2. Type this command: CHDIR $NtUninstallKB978262$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. Repeat steps 2 - 4 for each of the following updates provided by FindMeFollowMe

· KB978262
· KB971468
· KB978037
· KB975713
· KB978251
· KB978706
· KB977165
· KB975560
· KB977914
6. When complete, type this command: exit
*NOTE: There is no space between the last identifier of the update and the $*

*Macboatmaster*


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Did you see it running down files and putting up Access Denied messages, or did you get those messages only once, each time you tried the command?
> 
> My thinking is it might have worked as some files will be in use and access is denied to those files.
> 
> I would try the exit command (no need to do the systemroot one) and see if that works and then reboot and see if boots to windows.


The only thing that popped up was 15 access denied messages. Rebooting still gave me the "INF File txtsetup.sif is corrupt or missing".


----------



## Macboatmaster (Jan 15, 2010)

LauraMJ
We must have both started the reply at the same time.


----------



## SPANKIE64 (Feb 12, 2010)

SPANKIE64 said:


> The only thing that popped up was 15 access denied messages. Rebooting still gave me the "INF File txtsetup.sif is corrupt or missing".


OK, so how do I get the BATCH command to work on the first update? When I enter it I get an Access Is Denied message.


----------



## Cookiegal (Aug 27, 2003)

This E drive may in fact be the recovery partition. The primary drive may be on C but is not being recognized.

This computer is very old and there may be problems with the drive itself. I would slave it to another computer to retrieve any important documents, photos, things like that and then do a reset to factory settings.


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> This E drive may in fact be the recovery partition. The primary drive may be on C but is not being recognized.
> 
> This computer is very old and there may be problems with the drive itself. I would slave it to another computer to retrieve any important documents, photos, things like that and then do a reset to factory settings.


The C drive is saying C:\i386, so how do I get it to say C:\WINDOWS?
FYI: The Sony Vaio computer is 7 years old. Is this old for a computer?


----------



## SPANKIE64 (Feb 12, 2010)

OK, I went on Ubuntu and removed all the spuninst.txt files from all the different specified folders manually. Didn't work. The difference is I don't get a BSoD but a black screen saying "INF file txtsetup.sif is corrupt or missing status 14". So is the error for a different reason?


----------



## Macboatmaster (Jan 15, 2010)

http://support.kaspersky.com/viruses/solutions?qid=208280684
Go to this link.
Download the zipped file to another computer. Extract to a floppy.
Go back to the BSOD computer.
Access the Recovery Console.
Go to a cmd prompt.
If you have E:\Windows,
type cd\
That will produce a cmd prompt.
Insert the floppy.
Use the copy cmd to copy the floppy to the E:\.
Run the Kaspersky.


----------



## SPANKIE64 (Feb 12, 2010)

Read my previous post. We dont have a BSoD.


----------



## TheOutcaste (Aug 8, 2007)

Sounds like the drive letters are just different. I wouldn't expect the uninstall folder to exist on the recovery partition. I believe the Sony Recovery partition is the first partition on the disk, so the drive letters in the Recovery Console will not be the same as when booted to Windows. In the Recovery Console it's probably assigning letters like this: C:=Recovery, D:=CD, E:=XP

I don't know where you got the idea to remove all the *spuninst.txt* files. Those files are necessary in order to remove the associated update. If you can, you need to put all of those files back into their proper folders.

If you can't replace those files, you probably won't be able to check this:
When you get to the *E:\WINDOWS\$NtUninstallKB977165$\spuninst>* prompt, type this:
*type spuninst.txt*
One of the first lines you'll see listed is this:
*DEL "c:\windows\$hf_mig$\kb977165\sp2qfe\ntkrnlmp.exe"*

If it shows *C:\Windows* instead of *E:\Windows*, then the drive letters in the Recovery Console are not the same as when booted to Windows.
If you have a floppy drive, you can copy the following text in the code block into Notepad. Save it on the floppy as *spuninst.txt*.
Boot to the Recovery Console and log into *E:\Windows*.
Type the following at the prompt:
*batch A:\spuninst.txt*

If you don't have a floppy, you can type each line one at a time at the prompt to manually remove the update. Or you can delete and copy the files using Ubuntu.

```
DEL  "E:\windows\$hf_mig$\kb977165\sp2qfe\ntkrnlmp.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp2qfe\ntkrnlpa.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp2qfe\ntkrpamp.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp2qfe\ntoskrnl.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3gdr\ntkrnlmp.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3gdr\ntkrnlpa.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3gdr\ntkrpamp.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3gdr\ntoskrnl.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3qfe\ntkrnlmp.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3qfe\ntkrnlpa.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3qfe\ntkrpamp.exe"
DEL  "E:\windows\$hf_mig$\kb977165\sp3qfe\ntoskrnl.exe"
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrnlmp.exe" "E:\windows\driver cache\i386\ntkrnlmp.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe" "E:\windows\driver cache\i386\ntkrnlpa.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrpamp.exe" "E:\windows\driver cache\i386\ntkrpamp.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe" "E:\windows\driver cache\i386\ntoskrnl.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe" "E:\windows\system32\ntkrnlpa.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe" "E:\windows\system32\ntoskrnl.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrnlmp.exe" "E:\windows\system32\dllcache\ntkrnlmp.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe" "E:\windows\system32\dllcache\ntkrnlpa.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntkrpamp.exe" "E:\windows\system32\dllcache\ntkrpamp.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe" "E:\windows\system32\dllcache\ntoskrnl.exe" 
COPY  "E:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.txt" "E:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.tag"
```
As for the IDE Slave message in the BIOS, if you only have one hard drive, that message just means the system doesn't see a 2nd drive attached. Nothing to worry about.

Did the error message about *txtsetup.sif* start before or after you copied the 3 files you took off your friend's PC? I suspect their boot.ini file is not set up correctly for your system, and it's trying to boot from the Recovery Partition now instead of the Windows partition. It would be best to put your original boot.ini file back.

If you didn't back it up, you might have to rebuild it using the Recovery Console, or make a generic one in Ubuntu to give you a choice of partitions to try to boot from to find the actual Windows partition.
I suspect your friend's boot.ini is trying to boot from partition 1 and your system should be booting from partition 2.


----------
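An added example, not part of TheOutcaste's post or anything else in this thread: a small Python script that performs the `type spuninst.txt` drive-letter check above mechanically and rewrites the letters for the Recovery Console's view of the disk. It assumes spuninst.txt is a list of DEL/COPY lines with double-quoted paths, as in the block quoted above; the `SAMPLE_SPUNINST` it ships with is constructed for the demo, not the real KB977165 file. Run it on a Linux box (the Ubuntu live CD will do) against a copy of the file from the Windows partition, then save the output to a floppy as the batch to feed the Recovery Console.

```python
"""Check and rewrite drive letters in an XP hotfix's spuninst.txt.

Added example (not from the thread). The Recovery Console batch that removes a
hotfix is a plain list of DEL/COPY commands with double-quoted paths. When the
Recovery Console assigns the Windows partition a different letter than Windows
itself uses (C: while booted, E: in the console) every path points at the wrong
drive and each command fails. This script reports the letters a file references
and rewrites them for the letter the console actually shows.
"""
import re
from typing import List, Tuple

# Constructed sample modelled on the lines quoted in the thread; the real
# KB977165 file is longer.
SAMPLE_SPUNINST = r'''DEL "c:\windows\$hf_mig$\kb977165\sp3gdr\ntoskrnl.exe"
DEL "c:\windows\$hf_mig$\kb977165\sp3qfe\ntoskrnl.exe"
COPY "c:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe" "c:\windows\system32\ntoskrnl.exe"
COPY "c:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe" "c:\windows\system32\dllcache\ntoskrnl.exe"
COPY "c:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.txt" "c:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.tag"
'''

# A double-quoted Windows path: drive letter, colon, backslash, anything up to the closing quote.
_QUOTED_PATH = re.compile(r'"([A-Za-z]):(\\[^"]*)"')


def parse_spuninst(text: str) -> List[Tuple[str, List[str]]]:
    """Return (command, [paths]) for every non-empty line.

    Only DEL and COPY occur in the files seen in the thread; any other command
    is kept with an empty path list so the caller can decide what to do with it.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd not in ("DEL", "COPY"):
            entries.append((cmd, []))
            continue
        paths = [f"{m.group(1)}:{m.group(2)}" for m in _QUOTED_PATH.finditer(rest)]
        entries.append((cmd, paths))
    return entries


def drive_letters(text: str) -> set:
    """Upper-cased drive letters referenced by quoted paths in the file."""
    return {m.group(1).upper() for m in _QUOTED_PATH.finditer(text)}


def needs_remap(text: str, console_letter: str) -> bool:
    """True when the file references any letter other than the one the Recovery Console shows."""
    return drive_letters(text) != {console_letter.upper()}


def remap_drive(text: str, old: str, new: str) -> str:
    """Rewrite every quoted path on drive `old` to drive `new` (case-insensitive on `old`).

    Only the letter before the colon changes; the rest of the path, including
    the $...$ folder names, is left exactly as it was.
    """
    old_u, new_u = old.upper(), new.upper()

    def sub(m: "re.Match") -> str:
        if m.group(1).upper() != old_u:
            return m.group(0)
        return f'"{new_u}:{m.group(2)}"'

    return _QUOTED_PATH.sub(sub, text)


if __name__ == "__main__":
    print("letters referenced:", sorted(drive_letters(SAMPLE_SPUNINST)))
    if needs_remap(SAMPLE_SPUNINST, "E"):
        print(remap_drive(SAMPLE_SPUNINST, "C", "E"))
```

Feed the rewritten text back through `parse_spuninst` before using it: every DEL should carry one path and every COPY two, which is a quick way to spot a line the regex did not understand.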



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> Sounds like the drive letters are just different. I wouldn't expect the uninstall folder to exist on the recovery partition. I believe the Sony Recovery partition is the first partition on the disk, so the drive letters in the Recovery Console will not be the same as when booted to Windows. In the Recovery Console it's probably assigning letters like this: C:=Recovery, D:=CD, E:=XP
> 
> I don't know where you got the idea to remove all the *spuninst.txt* files. Those files are necessary in order to remove the associated update. If you can, you need to put all of those files back into their proper folders.
> 
> ...


THANK YOU! I will try this tomorrow. Thanks for telling me about the BIOS thing. As for the error, I got it before doing the thing on my friend's PC. I first got the error after booting after the Feb 9th Windows update.


----------



## Macboatmaster (Jan 15, 2010)

Spankie64
Sorry about introducing BSOD; it had been mentioned before I made the mistake of repeating it.
I still think, as indeed do others who have tried to help, that the cause is the update, NOT IN ITSELF,
but an already existing corruption by malware.
I think, as per the Outcaste's post, that the recovery console is already included on the Sony, providing that the partition on the hard drive has not been re-written at some stage.
I have PM'd you with a link to that information.
That all said, I would follow the last advice from Outcaste. He is clearly more experienced at the
Recovery Console than me.
If that advice fails, I would go back to my suggestion of the Kaspersky.
By running that, you cannot be in a worse state than you are now.


----------



## Cookiegal (Aug 27, 2003)

I found it odd that there would be a spuninst folder on a recovery partition as well, but didn't understand why the difference in the drive letters. Thanks for explaining that, Jerry.

Please follow TheOutCaste's instructions as this is now out of my element. I will watch and learn from the sidelines. 

But I will add that yes, seven years is old for a computer, that's not to say it's no more good by any means, but it's a long time to go without a reformat to refresh things as much can become corrupt over the years.


----------



## SPANKIE64 (Feb 12, 2010)

TheOutCaste: Regarding the files I need to delete, why does the second half say to copy instead of delete?


----------



## Macboatmaster (Jan 15, 2010)

SPANKIE64
Do not be annoyed, but a lot of people have spent a lot of time trying to help you.
You are lucky to get the Outcaste on your thread.
He will not say that, so I will say it for him.
If you had looked, he is a trusted advisor with special permissions.
You are deleting the parts of the update that placed entries in the NT kernel. Do not concern yourself with what this is.
You are then reinstalling by using Copy.
I advise you to just do as he tells you.
Hopefully you will follow his advice.

Having read LauraMJ's response on Post 45 below, some people may think my reply was a little harsh. If he thought that, I apologise. Had I been in his position, I would have worded the query differently.
SPANKIE64, best of luck.


----------



## LauraMJ (Mar 18, 2004)

Macboatmaster said:


> SPANKIE64
> Do not be annoyed, but a lot of people have spent a lot of time trying to help you.
> You are lucky to get the Outcaste on your thread.
> He will not say that , so I will say it for him.
> ...





> TheOutCaste: Regarding the files I need to delete, why does the second half say to copy instead of delete?


It's perfectly okay to ask questions when you want to be sure things are accurate. We all make mistakes when typing, so if one does not understand something, or it seems confusing, it's always best to ask for clarification.

It's also the best way to learn more about the areas you don't have a lot of knowledge about.

Like our motto on the Homepage says: "There is no such thing as a stupid question....."


----------



## SPANKIE64 (Feb 12, 2010)

Macboatmaster said:


> SPANKIE64
> Do not be annoyed, but a lot of people have spent a lot of time trying to help you.
> You are lucky to get the Outcaste on your thread.
> He will not say that , so I will say it for him.
> ...


Mac, I truly apologize; I am just frustrated trying to fix this for my family. I did not mean to question the directive, I just wanted to understand the copy instruction. Can you tell me, in Ubuntu, do I select the files, then right click and select copy? I already deleted the files that Outcaste told me to. Thank you so much for your understanding and guidance.


----------



## Macboatmaster (Jan 15, 2010)

SPANKIE64
Thanks for that.
I advise you to get the Outcaste back on the thread.
May I suggest, a new post, asking him to come back.


----------



## Cookiegal (Aug 27, 2003)

Macboatmaster said:


> SPANKIE64
> Thanks for that.
> I advise you to get the Outcaste back on the thread.
> May I suggest, a new post, asking him to come back.


I'm sorry but I have to point out that this is not the proper procedure. We don't "get" people back in threads and it's not appropriate to bump unless at least 24 hours has gone by. I have no doubt TheOutcaste will continue here. Everyone just needs to be patient please.


----------



## TheOutcaste (Aug 8, 2007)

SPANKIE64 said:


> TheOutCaste: Regarding the files I need to delete, why does the second half say to copy instead of delete?


The first part deletes the updated files from the *$hf_mig$* folder so future updates won't get confused about which version of those files is currently installed.
The second part restores the original versions by copying them back to the various locations where Windows saves those files. It keeps several copies, mainly so Windows File Protection can restore them if they become corrupted or modified.
The update saved the previous versions in the *$NtUninstallKB977165$* folder.

I'm pretty rusty on Ubuntu, but if you can right click the file and choose copy, you can then click in the destination folder, then right click and choose paste.

I can fire up an Ubuntu box and find out if you give me a few minutes.


----------
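An added example, not from TheOutcaste or anyone else in this thread, showing the check a practitioner would want after doing the copies described above: hash the saved pre-update kernels in `$NtUninstallKB977165$` and compare them with every cached copy, so a missed COPY (which Windows File Protection could later use to put the updated kernel back) is caught before rebooting. It assumes the Windows partition is mounted at a directory you pass in (the Ubuntu mount point, for example) and that the uninstall folder is intact; the directory tree it builds for the demo is constructed, with placeholder bytes standing in for the real binaries.

```python
"""Verify the pre-update kernel files were restored to every place XP keeps a copy.

Added example (not from the thread). The spuninst batch copies the saved
originals out of $NtUninstallKB977165$ into system32, system32\\dllcache and
driver cache\\i386, because Windows File Protection restores a system file from
those caches when it sees the file changed. If one cache is missed, WFP can
quietly reinstate the updated kernel. This script hashes every copy and reports
the ones that differ from the saved original.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

KERNEL_FILES = ["ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"]
UNINSTALL_DIR = "WINDOWS/$NtUninstallKB977165$"
# The three destinations the batch writes to, relative to the partition root.
CACHE_DIRS = [
    "WINDOWS/system32",
    "WINDOWS/system32/dllcache",
    "WINDOWS/driver cache/i386",
]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_kernel_copies(root: str) -> Dict[str, List[str]]:
    """Map each kernel file to the cached copies (root-relative) whose hash differs from the saved original.

    A copy that is absent from a cache is not reported: system32 only holds the
    two kernels this machine actually boots, and the batch mirrors that. A
    kernel missing from the uninstall folder is listed under 'missing-original'.
    """
    problems: Dict[str, List[str]] = {}
    for name in KERNEL_FILES:
        original = os.path.join(root, UNINSTALL_DIR, name)
        if not os.path.isfile(original):
            problems.setdefault("missing-original", []).append(name)
            continue
        want = sha256_of(original)
        for cache in CACHE_DIRS:
            rel = f"{cache}/{name}"
            candidate = os.path.join(root, rel)
            if os.path.isfile(candidate) and sha256_of(candidate) != want:
                problems.setdefault(name, []).append(rel)
    return problems


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(root: str, stale: Optional[str] = "ntoskrnl.exe") -> None:
    """Construct a fake Windows partition under root (placeholder bytes, not real binaries).

    Originals go in the uninstall folder and copies in each cache; unless
    `stale` is None, one dllcache copy is left at the updated version to
    simulate a missed COPY.
    """
    for name in KERNEL_FILES:
        body = b"pre-update " + name.encode()
        _write(os.path.join(root, UNINSTALL_DIR, name), body)
        for cache in CACHE_DIRS:
            if cache == "WINDOWS/system32" and name in ("ntkrnlmp.exe", "ntkrpamp.exe"):
                continue  # the batch does not copy the MP kernels into system32
            _write(os.path.join(root, cache, name), body)
    if stale is not None:
        _write(os.path.join(root, "WINDOWS/system32/dllcache", stale), b"KB977165 " + stale.encode())


def self_check(stale: Optional[str] = "ntoskrnl.exe") -> Dict[str, List[str]]:
    """Build the constructed tree in a temporary directory and run the comparison on it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, stale)
        return compare_kernel_copies(tmp)


if __name__ == "__main__":
    for name, copies in self_check().items():
        print(f"{name}: differs from saved original at {', '.join(copies)}")
```

On the real partition call `compare_kernel_copies("/media/<mount point>")` instead of `self_check()`; an empty result means every cached kernel matches the saved original. The check only proves the copies are consistent with the uninstall folder, not that the uninstall folder itself is clean, which is why the thread still goes on to a rootkit scan.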



## TheOutcaste (Aug 8, 2007)

Fired up Ubuntu 7.1, managed to remember my username and password (OK, it did take two tries), and it looks like you can right click the file, choose copy, then change to the destination folders, and right click and paste it into the different locations.
You only need to do the copy once, then you can paste it into each of the different folders.
If you get a prompt about the file already existing, choose yes to overwrite the existing file, as we want to restore the original version from before the update.


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> The first part deletes the updated files from the *$hf_mig$* folder so future updates won't get confused about which version of those files are currently installed.
> The second part restores the original versions by copying them back to the various locations that Windows saves those files. It keeps several copies, mainly so Windows File Protection can restore them if they become corrupted or modified.
> The update saved the previous versions in the *$NtUninstallKB977165$ *folder.
> 
> ...


Thanks for the help. I just now copied the files from the original location, as you stated in your previous post, and pasted them into the specified location using Ubuntu. When I pasted the files into the folders you specified, an alert popped up saying that the files were already there and gave me an option to cancel or replace the existing files. I chose to replace. Was this correct?

Also, multiple files that were to be deleted were not there and were already deleted. For instance, the folders sp2qfe and sp3gdr were NOT there. Is that bad?

As far as me deleting the spuninst.txt files: I copied the contents of the file that you posted, opened OpenOffice.org Writer and pasted it in there. It gives me the option to save it as a .txt file. What locations should I put it in to correct my mistakes? Also, how do I get it to be a .tag file when copying and pasting it to the new location in the uninstall folder?

THANKS SOOO MUCH FOR YOUR HELP, ITS VERY MUCH APPRECIATED!


----------



## TheOutcaste (Aug 8, 2007)

Replacing was the correct choice.


SPANKIE64 said:


> I already deleted the files that outcaste told me to.





SPANKIE64 said:


> Also, on multiple files that were to be deleted, they were not there and were already deleted. For instance, the folders, sp2qfe, and sp3gdr were NOT there. Is that bad?


I'm confused. Sounds like you already deleted the files from the *sp2qfe* and *sp3gdr* folders, so the files won't be there. The folders should be, unless you also deleted them.

Are you sure you were in the *$hf_mig$* folder? This is a hidden folder, so in Ubuntu, click on *View | Show Hidden Files* (or press CTRL+H).
Ubuntu ignores the *$*, so the folder should be right after *Help*, rather than one of the first folders.

The *spuninst.txt* file is different for each folder, so you can't use this one for any folder other than the *$NtUninstallKB977165$\spuninst* folder.
You can save it as a *.txt* file, then highlight the file and click *Edit | Rename* or press *F2*. You can then change the *.txt* extension to *.tag*.

Though if Windows sees itself on C:, the file should also have the letter C: instead of E:, but since we've manually uninstalled the update it shouldn't matter.

Once the cause of the problem with this update is fixed, be it malware or something else, I would just delete the *$NtUninstallKB977165$* folder before reinstalling the update.

Once we get this so you can boot back to Windows, Cookiegal may have some stuff for you to do to check for a rootkit.


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> Replacing was the correct choice.
> 
> I'm confused. Sounds like you already deleted the files from the *sp2qfe* and *sp3gdr* folders, so the files won't be there. The folders should unless you also deleted them.
> 
> ...


The *sp2qfe* and *sp3gdr* folders aren't there. I am sure I was in the *$hf_mig$* folder; it was after the "Help" folder and I had to click the view hidden files button.

I also then saved the spuninst file in the *$NtUninstallKB977165$\spuninst* folder. Then I renamed it to spuninst.tag.

I proceeded to reboot and I still got the "INF File txtsetup.sif is corrupt or missing, status 14." error.


----------



## TheOutcaste (Aug 8, 2007)

Which version of Ubuntu are you using? You can click *System | About Ubuntu* to get the version numbers. I'm using a rather old one, so it may be quite different than what you are using, which could be confusing.
Can you find the *E:\boot.ini* file and post the contents of that file here.
Also check to see if there is a *C:\boot.ini* file. If so, paste it as well.
I suspect Ubuntu will show those as sda1 for C: and sda2 for the E drive


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> Which version of Ubuntu are you using? You can click *System | About Ubuntu* to get the version numbers. I'm using a rather old one, so it may be quite different that what you are using, which could be confusing.
> Can you find the *E:\boot.ini* file and post the contents of that file here.
> Also check to see if there is a *C:\boot.ini* file. If so, paste it as well.
> I suspect Ubuntu will show those as sda1 for C: and sda2 for the E drive


I'm not understanding 100% of what you are saying. I have a C drive that has my Windows stuff in it. But when I run the Recovery Console it shows it as E. My E drive when I am running Windows is my DVD/CD-RW drive. Are you asking for the one that my computer runs off and is on the drive that Windows is on?

Ubuntu shows 3 different drives.

100GB (is my D drive on Windows, 100% positive, has no boot.ini.)
15GB (is my C drive on Windows, 100% positive, has boot.ini.)
5.4GB (I have never seen this before, has no boot.ini.)

I can't get OpenOffice.org to open up my 15GB boot.ini, so I uploaded it for download.

http://www.sendspace.com/file/3zr4nb

Thanks again for your help.
I am running version 9.10 of Ubuntu.


----------



## TheOutcaste (Aug 8, 2007)

Not sure why OpenOffice won't open the file, but you should be able to just double click the file, then choose Display Contents and it will open in the basic text editor. But I downloaded it, so it doesn't really matter.

Let's check this, this works in the 9.10 version of Ubuntu:

Click on *Application | Accessories | Terminal*
In the window that opens type *sudo parted* and press *Enter*.
the Prompt should change to *(parted)*
Type *Print All* and press *Enter*.

There should be a section that looks like this (yours should have 3 entries):

```
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      32.3kB  11.4GB  11.4GB  primary  ntfs         boot 
 2      11.4GB  22.0GB  10.6GB  primary  ext3
```
Highlight that table, copy it (*Edit | Copy*, or *CTRL+SHIFT+C*) then you can paste that into your next reply.


----------



## SPANKIE64 (Feb 12, 2010)

```
Number  Start   End     Size    Type      File system  Flags
 1      32.3kB  5379MB  5379MB  primary   ntfs         boot
 2      5379MB  20.4GB  15.0GB  primary   ntfs
 3      20.4GB  120GB   99.6GB  extended               lba
 5      20.4GB  120GB   99.6GB  logical   ntfs
```


----------



## TheOutcaste (Aug 8, 2007)

If you closed the Terminal window, re-open it:
Click on *Application | Accessories | Terminal*
In the window that opens type *sudo parted* and press *Enter*.
The prompt should change to *(parted)*
Type the following commands, and press *Enter* after each. There must be a space between each word.

```
set 1 boot off
set 2 boot on
Print All
```

Confirm that #2 now has the boot flag and #1 does not.
These two commands will exit the parted program and close the Terminal window:

```
quit
exit
```

Reboot, and let's see if that gets you back into Windows. Looks like the boot flag got set to the Recovery Partition instead of the Windows partition, and the above commands will change that back.


----------
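An added example, not part of TheOutcaste's post or anything else in this thread: a Python script that derives the two `set ... boot` commands above from the partition table SPANKIE64 pasted and the boot.ini on the Windows partition, instead of working them out by eye. It assumes the single-disk, single-Windows layout in this thread, where NTLDR and the Windows folder live on the same partition, so the active (boot-flagged) partition should be the one boot.ini's `default=` ARC path names; on a multi-boot machine those two can legitimately differ. `SAMPLE_PARTED` is the table from the thread; `SAMPLE_BOOT_INI` is constructed, since the real file was never posted, with `partition(2)` being the value TheOutcaste expects for this disk. The ARC numbering rule in `arc_order` (primaries first, then logical drives, extended container not counted) is the documented boot.ini convention, and is the reason parted's partition 5 would be `partition(3)` to NTLDR.

```python
"""Cross-check the boot-flagged partition against the boot.ini ARC path.

Added example (not from the thread). On the Vaio in the thread the boot flag
had ended up on the Sony recovery partition (#1) while Windows lives on #2,
so the BIOS handed control to the wrong partition's boot sector. This script
parses the table `sudo parted` prints and a boot.ini, then emits the parted
commands needed to move the flag to the partition boot.ini expects.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The table SPANKIE64 posted, as parted prints it for an msdos label.
SAMPLE_PARTED = """Partition Table: msdos

Number  Start   End     Size    Type      File system  Flags
 1      32.3kB  5379MB  5379MB  primary   ntfs         boot
 2      5379MB  20.4GB  15.0GB  primary   ntfs
 3      20.4GB  120GB   99.6GB  extended               lba
 5      20.4GB  120GB   99.6GB  logical   ntfs
"""

# Constructed boot.ini (assumption: the real one was never shown in the thread).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP" /noexecute=optin /fastdetect
"""

# Words parted prints in the Flags column of an msdos disk; used to tell a flag
# from a file-system name when the File system column is blank (extended rows).
_KNOWN_FLAGS = {"boot", "lba", "hidden", "raid", "lvm", "diag", "palo", "prep"}


@dataclass
class Partition:
    number: int
    ptype: str                  # primary, extended or logical
    fs: str                     # File system column, '' when blank
    flags: List[str] = field(default_factory=list)


_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(primary|extended|logical)\s*(\S+)?\s*(.*)$")


def parse_parted(text: str) -> List[Partition]:
    """Parse the rows of a parted `print` table; header and blank lines are skipped."""
    parts: List[Partition] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        number, ptype, fs, flags = m.groups()
        fs = fs or ""
        if fs.strip(",").lower() in _KNOWN_FLAGS:   # blank fs column: token is a flag
            flags, fs = f"{fs} {flags}", ""
        parts.append(Partition(int(number), ptype, fs, [f for f in re.split(r"[,\s]+", flags) if f]))
    return parts


def boot_partition(parts: List[Partition]) -> Optional[Partition]:
    """The partition carrying the boot (active) flag, if any."""
    return next((p for p in parts if "boot" in p.flags), None)


def arc_order(parts: List[Partition]) -> List[int]:
    """parted partition numbers in ARC partition() order: primaries, then logicals.

    The extended container is not counted, and parted numbers logicals from 5,
    so in the sample [1, 2, 5] means parted #5 is partition(3) to NTLDR.
    """
    return [p.number for p in parts if p.ptype == "primary"] + \
           [p.number for p in parts if p.ptype == "logical"]


_ARC_PARTITION = re.compile(r"partition\((\d+)\)", re.IGNORECASE)


def boot_ini_partition(text: str) -> Optional[int]:
    """ARC partition number from the default= line of boot.ini, or None."""
    for line in text.splitlines():
        if line.strip().lower().startswith("default="):
            m = _ARC_PARTITION.search(line)
            return int(m.group(1)) if m else None
    return None


def parted_fix_commands(parted_text: str, boot_ini_text: str) -> List[str]:
    """parted commands that move the boot flag to the partition boot.ini expects; [] if already right."""
    parts = parse_parted(parted_text)
    wanted = boot_ini_partition(boot_ini_text)
    if wanted is None:
        raise ValueError("boot.ini has no default= ARC path")
    order = arc_order(parts)
    if not 1 <= wanted <= len(order):
        raise ValueError(f"boot.ini points at partition({wanted}) but the disk has {len(order)} usable partitions")
    target = order[wanted - 1]
    active = boot_partition(parts)
    if active is not None and active.number == target:
        return []
    cmds = [f"set {active.number} boot off"] if active is not None else []
    cmds.append(f"set {target} boot on")
    return cmds


if __name__ == "__main__":
    for cmd in parted_fix_commands(SAMPLE_PARTED, SAMPLE_BOOT_INI):
        print(cmd)
```

Paste the output of `print all` into `SAMPLE_PARTED` and the real boot.ini into `SAMPLE_BOOT_INI` and the script prints exactly the `set` commands to type at the `(parted)` prompt, or nothing when the flag is already on the right partition. If it raises because boot.ini names a partition the disk does not have, that is the borrowed-boot.ini problem TheOutcaste describes earlier, and boot.ini needs fixing before the flag does.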



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> If you closed the Terminal Window, re-open it:
> Click on *Application | Accessories | Terminal*
> In the window that opens type *sudo parted* and press *Enter*.
> the Prompt should change to *(parted)*
> ...


I did everything you said to do; now I get a black screen. It says Windows did not start successfully. It then gives 5 options.
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration
Now what do I do?


----------



## TheOutcaste (Aug 8, 2007)

Try Safe Mode first, see if that will boot.

If not, restart the PC, and tap F8 about twice a second to get the *Advanced Options Menu* to display.
Choose *Disable automatic restart on system failure*
Should be about 4th from the bottom.
This will hopefully stop the system on a Blue screen with a stop error and possibly some more info. Copy the Technical info part and paste that here.
You'll have to power off the PC to restart from this screen.


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> Try Safe Mode first, see if that will boot.
> 
> If not, restart the PC, and tap F8 about twice a second to get the *Advanced Options Menu* to display.
> Choose *Disable automatic restart on system failure*
> ...


I hit F8 twice and I keep getting a boot options menu. It gives me 3 options.
SM-SONY DVD RW DW-U12A
1st FLOPPY DRIVE
PM-ST3120022A


----------



## TheOutcaste (Aug 8, 2007)

Try tapping F5 instead, or, select the PM-ST3120022A then start tapping F8 again.


----------



## SPANKIE64 (Feb 12, 2010)

When I click on "disable automatic restart on system failure" it gives me one option to choose that says "Microsoft WinXP (on Volume 2)". When I hit enter on that option it reboots and brings me back to the menu I told you about in my previous post.


----------



## TheOutcaste (Aug 8, 2007)

So it's failing before Windows gets far enough to create a Stop error message.
Let's give this a try.
Boot to the *Advanced Options Menu*
Choose *Enable Boot Logging*
Then choose the *Microsoft WinXP (on Volume 2)* entry
When it fails, boot with Ubuntu and find this file:
*Windows\ntbtlog.txt*
This may be a large file, so you'll have to attach it to your reply. Each boot with logging enabled just appends to the end of the file so it can get large. Logging is enabled when you use Safe Mode, so your previous attempts may have made this fairly large.

Under the *Quick Reply* window, click *Go Advanced*
Below the editor window you'll find a *Manage Attachments* button under Additional Options.
Click Browse, navigate to the *Windows\ntbtlog.txt* file, select it, and click Upload.

Also, check the 5 GB partition. It should have an i386 folder.
Look in that folder and see if you see these files:
*driver.cab
ntkrnlmp.exe
ntoskrnl.exe*

The extension may end with an underscore, i.e., *.ex_*
This will tell us if we have access to the files that would be on an XP Install CD, or at least the key ones that I think are causing the current problem.

From browsing the Sony website, it looks like you can create a set of Recovery Disks from the 5 GB partition, but you have to do that from within Windows. Doesn't look like they provided an option to create them if Windows doesn't boot.

Also doesn't look like there is a way to Recover the system without the disks, but that would be a last option, as that will delete everything on the drive.


----------



## SPANKIE64 (Feb 12, 2010)

Sorry, but I can't find the ntbtlog.txt file.


----------



## SPANKIE64 (Feb 12, 2010)

When I go to enable logging, it restarts the computer. Then I tried going back to the advanced menu (via F5) it still says Enable Boot Logging. Also, when I tried to disable automatic restart system failure it would also restart and have the same option still available in the advanced menu. Once again, THANK YOU for your help, I know it's been a lot, and it is much appreciated.


----------



## TheOutcaste (Aug 8, 2007)

Wow, it's failing before it can even start logging.
Let's double check the file versions, might have missed one along the way and one of the update files is still being used.
We will want to check the File size in Bytes, and the Modified Date for these 4 files. In Ubuntu, you just have to find the file, right click, then click Properties.
The 4 files to check:
*ntkrnlmp.exe
ntkrnlpa.exe
ntkrpamp.exe
ntoskrnl.exe*

Check the Size and Date (don't need time, just the date) in these two folders:
*\WINDOWS\$NtUninstallKB977165$
\WINDOWS\System32*

Be sure to note the size in Bytes, not the MB value, as that will be rounded. We need the exact size.
Also check the Size and Modified date for this file:
*\Windows\System32\hal.dll*


----------



## TheOutcaste (Aug 8, 2007)

The *Windows\System32* folder will only have these two files:
*ntkrnlpa.exe
ntoskrnl.exe*

So don't worry about the other two not being present. And if they are present, it won't hurt anything either.


----------



## SPANKIE64 (Feb 12, 2010)

*WINDOWS/$NtUninstallKB977165$/ntkrnlmp.exe*
Modified: Tue 04 Aug 2009, 2145280 bytes

*WINDOWS/$NtUninstallKB977165$/ntkrnlpa.exe*
Modified: Tue 04 Aug 2009, 2023936 bytes

*WINDOWS/$NtUninstallKB977165$/ntkrpamp.exe*
Modified: Tue 04 Aug 2009, 2023936 bytes

*WINDOWS/$NtUninstallKB977165$/ntoskrnl.exe*
Modified: Tue 04 Aug 2009, 2145280 bytes

*WINDOWS/system32/ntkrnlpa.exe*
Modified: Tue 08 Dec 2009, 2066048 bytes

*WINDOWS/system32/ntoskrnl.exe*
Modified: Tue 08 Dec 2009, 2189184 bytes

*WINDOWS/system32/HAL.DLL*
Modified: Sun 13 Apr 2008, 134400 bytes

Just caught your last post, I was worried that the 2 files were missing.


----------



## TheOutcaste (Aug 8, 2007)

OK, the update files are still in the *Windows\System32* folder.
Check these folders for the 4 files and rename them all to *.exeold* if present.
*\windows\driver cache\i386\
\windows\system32\dllcache
\windows\system32*
So:
*ntkrnlmp.exe* becomes *ntkrnlmp.exeold*
*ntkrnlpa.exe* becomes *ntkrnlpa.exeold*
*ntkrpamp.exe* becomes *ntkrpamp.exeold*
*ntoskrnl.exe* becomes *ntoskrnl.exeold*

Then copy these files:
*WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe* to *windows\system32\ntkrnlpa.exe*
*WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe* to *windows\system32\ntoskrnl.exe*
*WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe* to *windows\system32\dllcache\ntoskrnl.exe*

Then double check the dates; we want the files in *Windows\system32* and *Windows\system32\dllcache* to have the Modified: Tue 04 Aug 2009 date and not the Tue 08 Dec 2009 date


----------
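The size-and-date check two posts up and the rename-and-copy-back step just above are the same job done twice by hand. As an added example, not code from the thread, the Python below does both from the live CD's view of the NTFS volume: it inventories every kernel copy in the saved `$NtUninstallKB977165$` folder and the three live locations, reports which system32 copies still differ from the saved originals, renames the live copies to `.exeold`, and copies the saved files back while preserving their modified date (so the final date check still works). It also hashes each copy, which is the check I would want before trusting that two files with the same size and date are really the same file. The directory tree is constructed in a temp dir with the sizes and dates the poster reported and filler contents; nothing here touches a real Windows volume.

```python
"""
Added example, not code from the thread: inventory, compare and roll back the
kernel files named in the thread. The tree is constructed in a temp dir with
the poster's reported sizes and dates and filler contents.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime

KERNELS = ("ntkrnlmp.exe", "ntkrnlpa.exe", "ntkrpamp.exe", "ntoskrnl.exe")
UNINSTALL = "WINDOWS/$NtUninstallKB977165$"          # pre-update copies
TARGETS = ("WINDOWS/system32",                       # the dirs the thread renames in
           "WINDOWS/system32/dllcache",
           "WINDOWS/Driver Cache/i386")

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def describe(path):
    """Size in bytes (not the rounded MB figure), modified date, hash."""
    st = os.stat(path)
    return {"size": st.st_size,
            "date": datetime.fromtimestamp(st.st_mtime).date().isoformat(),
            "sha256": sha256(path)}

def inventory(root):
    """Every kernel copy present in the saved and live locations."""
    found = {}
    for rel in (UNINSTALL,) + TARGETS:
        for name in KERNELS:
            p = os.path.join(root, rel, name)
            if os.path.isfile(p):
                found[f"{rel}/{name}"] = describe(p)
    return found

def needs_rollback(root):
    """Kernels whose system32 copy differs from the saved pre-update copy."""
    stale = []
    for name in KERNELS:
        saved = os.path.join(root, UNINSTALL, name)
        live = os.path.join(root, "WINDOWS/system32", name)
        if os.path.isfile(saved) and os.path.isfile(live) and sha256(saved) != sha256(live):
            stale.append(name)
    return stale

def rollback(root):
    """Rename each live kernel copy to .exeold, then put the saved copy of the
    same name back (copy2 keeps the 04 Aug 2009 mtime, so the date check the
    thread ends with still works). Files with no saved copy stay renamed."""
    renamed, copied = [], []
    for rel in TARGETS:
        for name in KERNELS:
            live = os.path.join(root, rel, name)
            if not os.path.isfile(live):
                continue
            os.rename(live, live + "old")              # ntoskrnl.exe -> ntoskrnl.exeold
            renamed.append(f"{rel}/{name}")
            saved = os.path.join(root, UNINSTALL, name)
            if os.path.isfile(saved):
                shutil.copy2(saved, live)
                copied.append(f"{rel}/{name}")
    return {"renamed": renamed, "copied": copied}

def build_sample_tree(root):
    """Constructed stand-in for the poster's volume: reported sizes and dates,
    'O' filler for the originals and 'U' filler for the updated files."""
    aug = datetime(2009, 8, 4, 12).timestamp()
    dec = datetime(2009, 12, 8, 12).timestamp()
    files = {
        f"{UNINSTALL}/ntkrnlmp.exe": (2145280, b"O", aug),
        f"{UNINSTALL}/ntkrnlpa.exe": (2023936, b"O", aug),
        f"{UNINSTALL}/ntkrpamp.exe": (2023936, b"O", aug),
        f"{UNINSTALL}/ntoskrnl.exe": (2145280, b"O", aug),
        "WINDOWS/system32/ntkrnlpa.exe": (2066048, b"U", dec),
        "WINDOWS/system32/ntoskrnl.exe": (2189184, b"U", dec),
        "WINDOWS/system32/dllcache/ntoskrnl.exe": (2189184, b"U", dec),
    }
    for rel, (size, fill, mtime) in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(fill * size)
        os.utime(p, (mtime, mtime))
    os.makedirs(os.path.join(root, TARGETS[2]), exist_ok=True)   # empty on this box

def run_demo():
    root = tempfile.mkdtemp(prefix="vaio-")
    build_sample_tree(root)
    before = needs_rollback(root)
    result = rollback(root)
    return {"root": root, "before": before, "result": result,
            "after": needs_rollback(root), "inventory": inventory(root)}
```

On the real volume, point `root` at the Ubuntu mount point of the Windows partition and run `needs_rollback` and `inventory` first; only call `rollback` once the saved copies look right. Note that in the poster's listing `ntkrnlmp.exe` and `ntoskrnl.exe` in the uninstall folder have the same size, as do `ntkrnlpa.exe` and `ntkrpamp.exe`: the hash is what tells you whether they really are the same file.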



## SPANKIE64 (Feb 12, 2010)

I did all the steps you specified.

As far as the dates go...

*windows\system32\ntkrnlpa.exe* Tue 04 Aug 2009
*windows\system32\ntoskrnl.exe*Tue 04 Aug 2009
*windows\system32\dllcache\ntoskrnl.exe*Tue 04 Aug 2009


----------



## TheOutcaste (Aug 8, 2007)

OK, let's see if this will boot to Windows, or at least get farther along.


----------



## SPANKIE64 (Feb 12, 2010)

Ok, will try now.


----------



## SPANKIE64 (Feb 12, 2010)

SUCCESS!!!!!!!!!!!!!
We can't express how much we appreciate your help, TheOutCaste! We have been at this since wed morning. Didn't think it was fixable. From the bottom of our hearts we thank you!


----------



## TheOutcaste (Aug 8, 2007)

Great!

Now let's make sure this doesn't automatically install itself again.

Right click My Computer, then click *Properties*
Click the *Automatic Updates* tab
Select either
*Download updates for me, but let me choose when to install them*
or
*Notify me but don't automatically download or install them.*
(this is the SP3 wording, I think SP2 is the same)

Notice on the bottom of this dialog a link to *Offer updates again that I've previously hidden*
When you get the notice that updates are available, click the Shield icon that will be in the tray, then choose *Custom* Install
Then go through the list and if this update, KB977165, is present, uncheck it.
Then when you click OK, you'll be given an option to not show these updates again. You can select that box and it will be hidden. The link to restore hidden updates is the one noted above.

There's been a few posts indicating this may be due to malware, so you may want to make sure your AV program has the latest updates and run a scan.

I'd also recommend Malwarebytes and SUPERAntiSpyware Free Edition. These can be installed along side your AV and may find something.

Cookiegal may have some other tools to suggest if your scans don't find anything.

And you are welcome! Glad we got it working for ya.


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> Great!
> 
> Now let's make sure this doesn't automatically install itself again.
> 
> ...


Thanks again. I'll download those 2 programs for extra support. I will make sure to come back here if I need any other tech support in the future.


----------



## Cookiegal (Aug 27, 2003)

Thanks Jerry! Well-done indeed! :up:


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Please download Malwarebytes' Anti-Malware from *Here*.
> 
> Double Click *mbam-setup.exe* to install the application.
> 
> ...


I'm not getting the site to work. I will download and follow the instructions ASAP.

On a side note, how do I set up a Windows XP system restore CD, and/or a Windows XP Installation CD (like the ones that come with the PC; not sure if this is possible).


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.	
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> *Click here* to download *HJTsetup.exe*.
> 
> Save HJTsetup.exe to your desktop.
> Double click on the HJTsetup.exe icon on your desktop.
> ...


Actually, I already had it on my PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:33 PM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\Program Files\JAVA\bin\jusched.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\ESET\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\end user\Application Data\Microsoft\Network\svchost.exe
C:\Documents and Settings\end user\Application Data\Microsoft\Network\wuauclt.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ekrn.exe
D:\Program Files\JAVA\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SNDVOL32.EXE
D:\My Documents D Drive\Shortcuts n Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bered.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - C:\Program Files\Gamevance\gamevancelib32.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\JAVA\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O2 - BHO: Gamevance Text - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files\Gamevance\gvtl.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\JAVA\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\JAVA\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: (no name) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O3 - Toolbar: Gamevance Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\JAVA\bin\jusched.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1176725704\ee\AOLSoftware.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Network Service] C:\Documents and Settings\end user\Application Data\Microsoft\Network\svchost.exe
O4 - HKCU\..\Run: [Microsoft Update Service] C:\Documents and Settings\end user\Application Data\Microsoft\Network\wuauclt.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.1; AOLBuild 4334.5006; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MEGAUPLOAD 3.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.americangirl.com/fun/agcn/addy/index.php?section=mancala"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm565LEUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/stg_drm.ocx
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/MyFunCardsInitialSetup1.0.1.1.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocountyfl.net/permit/opalplayerx5.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - 
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} (GrandSlamTrivia Control) - http://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 93.188.163.32,93.188.166.77
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.32,93.188.166.77
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.32,93.188.166.77
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.32,93.188.166.77
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\JAVA\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.rickblore.com/Downloads/PSP/3D/Images/3D28Sml.jpg
O24 - Desktop Component 1: (no name) - http://www.aolcdn.com/ch_kids/jesse_mccartney_studio_300.jpg

--
End of file - 16707 bytes

Also, do you guys have a response to the previous post I made?


----------



## LauraMJ (Mar 18, 2004)

SPANKIE64 said:


> I'm not getting the site to work . I will download and follow instruction ASAP.
> 
> On a side note, how do i set up a windows XP system restore CD, and/or a Windows XP Installation CD (Like the ones that come with the PC, not sure if this is possible).


I suggest something like Acronis True Image. This software creates an image of your entire system and allows you to store it to an external media (such as an external HDD) and also enables you to very easily and simply create a bootable CD to recover that image in the event that either your internal HDD goes bad or you can't access ANYTHING (like what just happened). You boot from the CD, and that gives you an interface that you use to browse to your external HDD and recover the last image you made.

Create an image periodically to keep things up to date or just backup selected files and folders.


----------



## SPANKIE64 (Feb 12, 2010)

LauraMJ said:


> I suggest something like Acronis True Image. This software creates an image of your entire system and allows you to store it to an external media (such as an external HDD) and also enables you to very easily and simply create a bootable CD to recover that image in the event that either your internal HDD goes bad or you can't access ANYTHING (like what just happened). You boot from the CD, and that gives you an interface that you use to browse to your external HDD and recover the last image you made.
> 
> Create an image periodically to keep things up to date or just backup selected files and folders.


Thanks!


----------



## Cookiegal (Aug 27, 2003)

I also recommend that you back up any important documents, photos, etc. now to an external drive. If there is an infection, the machine could still be unstable and you don't want to lose anything. This is until you can get Acronis and set it up, if you go that route, which is the best way to go. 

I suspect something in your hosts file is blocking the download site for MBAM but see if you can post the HijackThis log please.


----------



## TheOutcaste (Aug 8, 2007)

SPANKIE64 said:


> On a side note, how do i set up a windows XP system restore CD, and/or a Windows XP Installation CD (Like the ones that come with the PC, not sure if this is possible).


From the Vaio User Guide (You can download from *Here*):


> Your VAIO® computer is not supplied with System or Application Recovery CDs. Use the VAIO Recovery Wizard utility to
> recover your computer's operating system and preinstalled software programs.
> For more information about the VAIO Recovery Wizard utility program:
> 1. Click Start from the Windows® taskbar, and then click Help and Support.
> 2. From the VAIO Help and Support Center, click VAIO Recovery Options


Looks like it will take 2 DVDs, possibly more. The Recovery disks will restore the system to the way it was when it left the factory. Handy to have the disks, but might be much better to look into imaging software. With an image, you can restore the system to the state it was in when you created the image, and not have to go through re-installing software and updates, and removing the trial software that was included.

I too recommend Acronis True Image. Since you have a Seagate hard drive (PM-ST3120022A is a Seagate model number), Seagate has a free version of Acronis you can use called Seagate DiscWizard


----------



## LauraMJ (Mar 18, 2004)

You're welcome. Note that with the bootable CD, you can put a new HDD in a computer and even when it is completely blank, out of the box, you can still use the CD to browse to the external and place the latest image on the new HDD. Saves literally hours of setting up a computer in these situations.


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> From the Vaio User Guide (You can download from *Here*):
> Looks like it will take 2 DVDs, possibly more. The Recovery disks will restore the system to the way it was when it left the factory. Handy to have the disks, but might be much better to look into imaging software. With an image, you can restore the system to the state it was in when you created the image, and not have to go through re-installing software and updates, and removing the trial software that was included.
> 
> I too recommend Acronis True Image. Since you have a Seagate hard drive (PM-ST3120022A is a Seagate model number), Seagate has a free version of Acronis you can use called Seagate DiscWizard


Perfect! Thanks! :up:


----------



## Cookiegal (Aug 27, 2003)

Sorry, I didn't see that you had already posted the log.

Try downloading MBAM from this alternate link:

http://download.cnet.com/Malwarebyt...4572.html?part=dl-10804572&subj=dl&tag=button


----------



## SPANKIE64 (Feb 12, 2010)

Thanks, downloading now


----------



## Cookiegal (Aug 27, 2003)

I'm signing off for the night but will continue this in the morning.


----------



## SPANKIE64 (Feb 12, 2010)

An error occurred on Malwarebytes when I went to update. Should I just try to scan anyway?


----------



## TheOutcaste (Aug 8, 2007)

Click *Start | Run*, type *ncpa.cpl*, press *Enter*
This will open the *Network Connections* applet
You should have an entry named *Local Area Connection*. The name may have numbers after it, you may have more than one (with different names).
Hopefully you'll only have one that shows a status of *Connected*.
Let me know if there are multiple ones showing connected.

Right click the *Local Area Connection*, and click *Properties*. You'll get the small dialog shown on the left side below
Highlight *Internet Protocol (TCP/IP)* and click *Properties*
This will open the dialog shown on the right.
I'm guessing the *Use the following DNS server addresses:* option is selected, and the two boxes have the following addresses:
*93.188.163.32*
*93.188.166.77*
These numbers were put there by the malware you are infected with, and are what is stopping you from getting to the MalwareBytes website, and probably many others.
Make a note of the numbers, whatever they are.

If so, change the top box to *8.8.8.8* as shown in the picture and delete the numbers from the 2nd box. (*8.8.8.8* is one of Google's DNS servers).
Click OK on both the dialogs, then try to update MalwareBytes. Have MalwareBytes open and ready to click the update button before you click OK on the two dialogs.

The malware may change those numbers back immediately, so this might not work. I'm hoping it won't change them until a reboot, or at least give you time to start the update. Once the update starts downloading, it _shouldn't_ matter if the numbers get changed back, as DNS isn't needed after the connection is made, but the only way to find out is to try.
If for some reason you can't get to any websites after changing the DNS numbers, just put the numbers you noted back in.

It's also possible that the malware has blocked these windows, and you won't be able to open these windows to change anything.
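The rogue-DNS check described in the post above, as an added example that is not part of the thread: a script that parses the text `ipconfig /all` prints on Windows XP and flags adapters whose DNS servers are not on an allow-list. The sample output, the adapter addresses and the allow-list (a 192.168.1.1 router plus 8.8.8.8) are constructed assumptions; the two rogue resolvers are the ones quoted in the post.

```python
"""Flag hijacked DNS settings in Windows ``ipconfig /all`` output.

Added example (not from the thread): the post explains that the malware
replaced the adapter's DNS servers so security sites stop resolving. This
parses ``ipconfig /all`` text and reports adapters using unexpected resolvers.
"""
import re
from typing import Dict, List

# Resolvers this machine is expected to use (assumed: the home router and
# the Google resolver named in the post).
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8"}

# The two addresses the post says the malware wrote into the adapter.
KNOWN_ROGUE_DNS = {"93.188.163.32", "93.188.166.77"}

# Constructed sample of ``ipconfig /all`` output, mirroring the adapters the
# original poster listed; every address except the rogue pair is made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : VAIO
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 93.188.163.32
                                            93.188.166.77

Ethernet adapter 1394 Connection:

        Description . . . . . . . . . . . : 1394 Net Adapter
        Autoconfiguration IP Address. . . : 169.254.12.34
        DNS Servers . . . . . . . . . . . : 8.8.8.8

PPP adapter AOL:

        Media State . . . . . . . . . . . : Media disconnected
"""

ADAPTER_RE = re.compile(r"^\S.*?adapter (.+):\s*$")          # "Ethernet adapter X:"
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")    # first resolver on the line
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")     # indented continuation IPs


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the list of DNS servers ipconfig shows for it."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns_block = False  # lines after "DNS Servers" may hold additional IPs
    for line in text.splitlines():
        head = ADAPTER_RE.match(line)
        if head:
            adapter = head.group(1)
            servers[adapter] = []
            in_dns_block = False
            continue
        if adapter is None:
            continue  # still inside the global "Windows IP Configuration" header
        dns = DNS_RE.match(line)
        if dns:
            if dns.group(1):
                servers[adapter].append(dns.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            extra = IP_RE.match(line)
            if extra:
                servers[adapter].append(extra.group(1))
            else:
                in_dns_block = False  # any other line ends the resolver list
    return servers


def assess(servers: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict per adapter: ok, UNEXPECTED, KNOWN ROGUE, or no DNS configured."""
    verdicts: Dict[str, str] = {}
    for adapter, ips in servers.items():
        if not ips:
            verdicts[adapter] = "no DNS configured"
        elif any(ip in KNOWN_ROGUE_DNS for ip in ips):
            verdicts[adapter] = "KNOWN ROGUE"
        elif any(ip not in EXPECTED_DNS for ip in ips):
            verdicts[adapter] = "UNEXPECTED"
        else:
            verdicts[adapter] = "ok"
    return verdicts


if __name__ == "__main__":
    # On a real box, feed the saved output of `ipconfig /all > dns.txt` instead.
    for name, verdict in assess(parse_dns_servers(SAMPLE_IPCONFIG)).items():
        print(f"{name}: {verdict}")
```

Because the post notes the malware may rewrite the setting after a reboot, the check is worth re-running after each restart until the adapter stays clean.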


----------



## SPANKIE64 (Feb 12, 2010)

It has these connections.

Local Area Connection - Connected, Firewalled
1394 Connection - Connected, Firewalled
AOL Dialer - Disconnected, Firewalled
AOL - Disconnected, Firewalled

I did what you said and it let me update, it's now version 3741. 

Should I scan now?


----------



## TheOutcaste (Aug 8, 2007)

Yes, go ahead and follow Cookiegal's instructions. I'll take a back seat for now until she gets things cleaned up.


----------



## SPANKIE64 (Feb 12, 2010)

I scanned yesterday (before update) and I had many infections found. It told me to restart, and I did right away.

Today after I updated, it found 2 when I scanned. I then immediately restarted.

The logs are attached.


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## SPANKIE64 (Feb 12, 2010)

What did it do to my pc? Like did it make a boot-able CD?

I also attached the 2 logs.


----------



## Cookiegal (Aug 27, 2003)

No, it didn't create a bootable CD but it did create a backup of the registry.

There's a lot to analyse and I won't be able to get to it until later on this afternoon or possibly this evening but I will post back with instructions for you later.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
http://forums.techguy.org/malware-removal-hijackthis-logs/902465-solved-windows-crashed-my-computer.html

Collect::
C:\windows\Rciqozujitif.bin
c:\windows\Axilomatumoy.dat
c:\documents and settings\end user\Application Data\Microsoft\Network\wuauclt.exe
c:\program files\installer.js

DirLook::
C:\.Trash-999
c:\documents and settings\end user\Application Data\Microsoft\Network
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

*Note*

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.


----------



## Cookiegal (Aug 27, 2003)

Are these batch files something you set up intentionally?

newcopy.bat
nero.bat


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Are these batch files something you set up intentionally?
> 
> newcopy.bat
> nero.bat


Nope, and I am doing what you specified right now.


----------



## Cookiegal (Aug 27, 2003)

Please do a search for these two files (they may be in system32 but may be elsewhere as well).

newcopy.bat
nero.bat

Once you find them, right-click on each one and select "edit". This should open the file up in Notepad. Then copy and paste the contents here please.


----------



## SPANKIE64 (Feb 12, 2010)

Thanks for your help. Here are the logs.


----------



## Cookiegal (Aug 27, 2003)

Please see my post no. 102.

Then, please do the following.

Download GMER from: http://gmer.net/index.php

Click on the Download exe button and save it on your desktop. It will create an oddly named exe file on your desktop. Double click that file to run it and select the rootkit tab and then press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## SPANKIE64 (Feb 12, 2010)

*WINDOWS\SYSTEM32\NEWCOPY.BAT*

```
@echo off
xcopy "C:\WINDOWS\c1.llf" "C:\WINDOWS\system32\Data"
end
```

*WINDOWS\SYSTEM32\NERO.BAT*

```
@echo off
Set pomijany=
Set czyszczony=c:\Program Files\temp\
cd %czyszczony%
for /f %%d in ('dir /b /A %czyszczony%') do if not %%d EQU %pomijany% rd /q /s %%d
del /q *.*
```


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Please see my post no. 102.
> 
> Then, please do the following.
> 
> ...


Hey sorry for not doing it yet, I tried to do it 3 times, and my PC froze each time. I couldn't even bring up Windows Task Manager. I will do it for you tomorrow ASAP. Thanks


----------



## Cookiegal (Aug 27, 2003)

If that one won't run, try this one instead:


Download RootRepeal from the following location and save it to your desktop.
*Zip Mirrors*
Primary Mirror
Secondary Mirror
Secondary Mirror


Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.

Be sure to close all other browser windows and let the scan run without interference.


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> If that one won't run, try this one instead:
> 
> 
> Download RootRepeal from the following location and save it to your desktop.
> ...


I tried multiple times, it kept freezing at a "Loading, Please Wait" screen. I don't know what to do now.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\SYSTEM32\NEWCOPY.BAT
C:\WINDOWS\SYSTEM32\NERO.BAT
c:\documents and settings\end user\Start Menu\Programs\Startup\nero.bat.lnk
C:\documents and settings\end user\Start Menu\Programs\Startup\newcopy.bat.lnk
c:\documents and settings\end user\Start Menu\Programs\Startup\winword.exe.lnk
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Go to the link below and upload the following file(s) for analysis and post the results here please:

http://virusscan.jotti.org/

c:\program files\Paint.exe


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Open Notepad and copy and paste the text in the code box below into it:
> 
> 
> ```
> ...


Here is the Paint.exe file, I'm doing the ComboFix thing now. Also to let you know, one day instead of making a shortcut I accidentally moved Paint.exe and didn't know where to put it, so that is why it's in a weird location.

http://virusscan.jotti.org/en/scanr...b641/8b816a116533ebea5a5927c537e9b37e13e70473


----------



## Cookiegal (Aug 27, 2003)

SPANKIE64 said:


> Here is the Paint.exe file, I'm doing the ComboFix thing now. Also to let you know, one day instead of making a shortcut I accidentally moved Paint.exe and didn't know where to put it, so that is why it's in a weird location.
> 
> http://virusscan.jotti.org/en/scanr...b641/8b816a116533ebea5a5927c537e9b37e13e70473


OK, that explains it then.


----------



## SPANKIE64 (Feb 12, 2010)

Here is the ComboFix log.


----------



## Cookiegal (Aug 27, 2003)

Please see if you can get GMER to run again now.


----------



## Cookiegal (Aug 27, 2003)

Also, do you have Daemon Tools installed?


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Also, do you have Daemon Tools installed?


Nope, and I'm just about to try GMER again.


----------



## SPANKIE64 (Feb 12, 2010)

Sorry for a late reply, I've been busy lately. I tried running GMER again and it worked for like 4 hours and I saved a log file after 4 hours and then it froze. So it was probably almost finished.


----------



## Cookiegal (Aug 27, 2003)

Please go to the following link and run TDSS killer:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Please post the log back here.


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Please go to the following link and run TDSS killer:
> 
> http://support.kaspersky.com/viruses/solutions?qid=208280684
> 
> Please post the log back here.


That program worked great! Scanned in like 20 seconds. Log is attached. Thanks again for the help.

It said it found like 1 rootkit. It then prompted me to reboot, thus I did.


----------



## Cookiegal (Aug 27, 2003)

Yes indeed, this tool has done a wonderful job of detecting and replacing the infected atapi.sys driver with a clean one. :up:

Now please try to run GMER again and post whatever log you can get. Hopefully we will be able to get a full run this time.


----------



## SPANKIE64 (Feb 12, 2010)

It scanned from about 9 PM - 11:30 PM and I clicked Save for the save log in case it would freeze (wasn't at the time) and it froze. Unlike other times, the box that had its progress in it only had about 8 items in it. The last thing it was scanning when it froze was this.

C:\WINDOWS\SYSTEM32\DRIVERS\ParVdm.sys


----------



## Cookiegal (Aug 27, 2003)

Can you run RootRepeal?


----------



## SPANKIE64 (Feb 12, 2010)

I will try to run RootRepeal again.


----------



## SPANKIE64 (Feb 12, 2010)

I closed all windows and tried RootRepeal. It said "Initializing Please Wait", and after about 20 minutes of that it went to a blank black screen.


----------



## Cookiegal (Aug 27, 2003)

Please drag ComboFix to the recycle bin and download it again to get the latest version and then run a new scan and post the log.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## SPANKIE64 (Feb 12, 2010)

Done.


----------



## Cookiegal (Aug 27, 2003)

I would like you to do a search for this file please and let me know the entire path to each one. Be sure to unhide files when searching.

*winword.exe*


----------



## SPANKIE64 (Feb 12, 2010)

D:\Program Files\Microsoft Office\Office12


----------



## Cookiegal (Aug 27, 2003)

So tell me then exactly what is your D drive please?


----------



## SPANKIE64 (Feb 12, 2010)

I have a C and D drive. The C has all the Windows system files. The D has about 100 GB on it so I have been installing stuff to that recently.


----------



## Cookiegal (Aug 27, 2003)

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under Attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.


Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.


----------



## SPANKIE64 (Feb 12, 2010)

SysProt AntiRootkit v1.0.1.0
by swatkat

Module End: F8A9A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8AC5000
Module End: F8AC6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F87F6000
Module End: F87FB000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: 829918A0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: 82990CB0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 829910D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendProcess
Address: 829916D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 829914F0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 82990EE0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 82991310
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: VALUED-3253602F.BELKIN:4482
Remote Address: PRODWEBMAIL-DTC04.EVIP.AOL.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1141
Remote Address: 74.125.164.210:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1139
Remote Address: IAD04S01-IN-F113.1E100.NET:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1137
Remote Address: A96-17-53-115.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1135
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1133
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1131
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1129
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1127
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:1125
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F.BELKIN:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:4481
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1142
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1140
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1138
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1136
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1134
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1132
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1130
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1128
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1126
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: LOCALHOST:1124
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:30606
Remote Address: 0.0.0.0:0
Type: TCP
Process: D:\Program Files\ESET\ekrn.exe
State: LISTENING

Local Address: VALUED-3253602F:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: VALUED-3253602F:5152
Remote Address: LOCALHOST:4358
Type: TCP
Process: D:\Program Files\JAVA\bin\jqs.exe
State: CLOSE_WAIT

Local Address: VALUED-3253602F:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: D:\Program Files\JAVA\bin\jqs.exe
State: LISTENING

Local Address: VALUED-3253602F:4481
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1620
Remote Address: LOCALHOST:1619
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1619
Remote Address: LOCALHOST:1620
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1609
Remote Address: LOCALHOST:1608
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1608
Remote Address: LOCALHOST:1609
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1140
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1138
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1136
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1134
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1132
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1130
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1128
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1126
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1124
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALUED-3253602F:1031
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: VALUED-3253602F:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\LEXPPS.EXE
State: LISTENING

Local Address: VALUED-3253602F:641
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\support.com\client\bin\tgcmd.exe
State: LISTENING

Local Address: VALUED-3253602F:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: VALUED-3253602F:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: VALUED-3253602F.BELKIN:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: VALUED-3253602F.BELKIN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALUED-3253602F.BELKIN:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: VALUED-3253602F.BELKIN:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: VALUED-3253602F.BELKIN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALUED-3253602F:4839
Remote Address: NA
Type: UDP
Process: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
State: NA

Local Address: VALUED-3253602F:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALUED-3253602F:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALUED-3253602F:53305
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: VALUED-3253602F:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: VALUED-3253602F:1026
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: VALUED-3253602F:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: VALUED-3253602F:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: D:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: D:\System Volume Information\tracking.log
Status: Access denied

Object: D:\System Volume Information\_restore{47E7117B-18F3-4A10-B47C-105BED1BFF9B}
Status: Access denied

Object: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\29F2ADB7.TMP
Status: Access denied

Object: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8837722F.TMP
Status: Access denied

Object: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A3BE536F.TMP
Status: Access denied


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.

Please post a regular HijackThis scan log as well.

I also recommend that you change all passwords for logging in to sites or anything that requires a password on the computer.


----------



## SPANKIE64 (Feb 12, 2010)

Should I just change the important ones? Did the malware get my passwords? I don't have many passwords but my son has a lot. He used Firefox, and I use Safari and AOL. He has a Profile Protector password thing (password you enter to just open Firefox) and a Master Password that protects the Firefox saved passwords. (Both are made-up random combinations of letters and numbers)


----------



## Cookiegal (Aug 27, 2003)

I will reply back tomorrow with further instructions but you should assume that all passwords may have been compromised and they should all be changed. It's wise to do that after any infection. Be sure to use strong ones.


----------



## Cookiegal (Aug 27, 2003)

I'll paste the list here for easier viewing.

Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 7.0.8
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
Agere Systems AC'97 Modem
AIM 7
AOL Coach Version 1.0(Build:20020823.1)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Setup
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
AppCore
Apple Mobile Device Support
Apple Software Update
AT&T Worldnet Setup
ATI Control Panel
ATI Display Driver
Atlantis
Big Fish Games Sudoku (remove only)
Big Fish Games: Game Manager
biob
Bonjour
ccCommon
CCleaner
Cheat Engine 5.4
ChristmasTheme
Component Framework
Connect
ConvertHelper 2.2
Critical Update for Windows Media Player 11 (KB959772)
Data Doctor Recovery Pen Drive (Demo) 3.0.1.5
DB CIF Cam
Disney Pix 2.2
Disney Pix Downloader
DivX Web Player
Download Updater (AOL LLC)
EarthLink Setup
EZ Recipes
FacebookAgentSetup
FaxTools
Finding Nemo
Fishdom H2O - Hidden Odyssey
Free WMA to MP3 Converter 1.16
FrostWire 4.17.2
Google Earth Plug-in
Google Update Helper
Haunted Hotel
Hidden Expedition: Everest 
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
iSqFt Full Viewer V4.01
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_18
Java(TM) 6 Update 11
Jenkat Games Arcade 
Joydesk Games Setup - Puzzle
Kogi
kuler
Lexmark X5100 Series
Mahjong Towers Eternity 
Malwarebytes' Anti-Malware
Mario Forever 3.0
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Learning and Research Plus Support Files
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Express 7.0
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 7.0
Monopoly by Parker Brothers
Mozilla Firefox (3.5.8)
MSXML 4.0
MSXML 4.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Mystery Case Files: Huntsville - Detective Training
Mystery Case Files: Ravenhearst ®
Netscape (7.02)
Norton AntiVirus
Norton AntiVirus Help
Norton Protection Center
NVIDIA Windows 2000/XP Display Drivers
Office Animation Runtime
OLYMPUS CAMEDIA Master 4.1
Opal Player 2.12
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-03-18-01
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Secure Module 3.2
OpenOffice.org Installer 1.0
OTOY
Peggle World of Warcraft Edition
Photoshop Camera Raw
PictureGear Studio 2.0
Plasma Pong v1.3b
PlayStation(R)Network Downloader
PlayStation(R)Store
PowerISO
QuickTime
RealPlayer
Rosetta Stone Version 3
Safari
Scrabble Complete
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Shockwave
Sony Certificate PCH
SopCast 3.2.4
SPBBC 32bit
Stream Torrent 1.0
Suite Shared Configuration CS4
Symantec Real Time Storage Protection Component
TPP Storage Driver Installation
Treasure Seekers: Visions of Gold 
TVAnts 1.0
TVUPlayer 2.3.4.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Storage Adapter (TPP)
USB Storage Adapter V2 (TPP)
USB Storage Adapter V3 (TPP)
VAIO Help and Support
VAIO Media 2.6
VAIO Media Integrated Server 2.6
VAIO Media Redistribution 2.6
VAIO Registration
VAIO Support
VAIO Survey Standalone
VAIO System Information
VC80CRTRedist - 8.0.50727.762
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
Visual C++ 8.0 CRT (x86) WinSXS MSM
Wallpaper Changer for Windows XP
WildTangent Web Driver
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Word Search Deluxe
www.dizzler.com
Zune Desktop Theme


----------



## Cookiegal (Aug 27, 2003)

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:

1. Download the latest version of *Java Runtime Environment (JRE) 6 Update 18*.
2. Click the "*Download*" button to the right.
3. Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 17 License Agreement.*"
4. Click on *Continue*.
5. Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
6. Close any programs you may have running - especially your web browser.
7. Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
8. Check any item with *Java Runtime Environment, JRE, J2SE or Java(TM)* in the name.
9. Click the Remove or Change/Remove button.
10. Repeat as many times as necessary to remove each Java version.
11. Reboot your computer once all Java components are removed.
12. Then from your desktop double-click on the download to install the newest version.

These are the older versions of Java that you need to remove via the Control Panel:

*Java 2 Runtime Environment Standard Edition v1.3.1_18*
*Java(TM) 6 Update 11*

Also, remove these:

*Viewpoint Manager (Remove Only)*
*Viewpoint Media Player*
*Viewpoint Toolbar*

and the one referring to the site dizzler.com to me seems dangerous. See McAfee's Site Advisor rating:

http://www.siteadvisor.pl/sites/dizzler.com/summary/

So I recommend uninstalling that as well.

Please post a new HijackThis log after doing the above and let me know how the machine is running.
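The step above ("check any item with Java Runtime Environment, JRE, J2SE or Java(TM) in the name") is easy to get wrong by eye on a long Add/Remove Programs list, because two naming schemes coexist: the old "v1.X.Y_UU" style and the newer "X Update UU" style. The script below is an added example, not code from this thread or from any tool it mentions: it reads a pasted uninstall list, picks out the Java entries using the same name fragments the instructions give, parses both version schemes into a comparable (major, update) pair, and reports which entries are older than the target release named in the post (6 Update 18). The sample list is constructed for the example; the `audit_java` function name, the `current` parameter and the treatment of "1.X" numbering as Java major X are assumptions of this example.

```python
import re

# Constructed sample in the shape of a HijackThis "Uninstall Manager" list
SAMPLE_LIST = """\
Adobe Reader 9.1
Java 2 Runtime Environment Standard Edition v1.3.1_18
Java(TM) 6 Update 11
Java(TM) 6 Update 18
J2SE Runtime Environment 5.0 Update 6
Mozilla Firefox (3.5.8)
"""

# Name fragments the instructions single out as Java components (matched case-insensitively)
JAVA_MARKERS = ("java runtime environment", "java 2 runtime", "java(tm)", "jre", "j2se")

# Old scheme: "v1.3.1_18" -> Java 3, update 18 (assumption: 1.X numbering means major X)
_OLD_STYLE = re.compile(r"\bv1\.(\d+)(?:\.\d+)?_(\d+)\b")
# New scheme: "6 Update 11" or "5.0 Update 6" -> (major, update)
_NEW_STYLE = re.compile(r"\b(\d+)(?:\.0)? Update (\d+)\b")


def is_java_entry(name):
    """True if the entry name carries one of the Java markers from the instructions."""
    lowered = name.lower()
    return any(marker in lowered for marker in JAVA_MARKERS)


def java_version(name):
    """Return (major, update) parsed from an Add/Remove entry name, or None if unrecognised."""
    match = _OLD_STYLE.search(name) or _NEW_STYLE.search(name)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def audit_java(listing, current=(6, 18)):
    """Sort Java entries into stale (older than current), current, or unparsed names.

    Unparsed Java entries are reported separately rather than silently skipped,
    so an unusual product name still gets a human look.
    """
    report = {"stale": [], "current": [], "unparsed": []}
    for line in listing.splitlines():
        name = line.strip()
        if not name or not is_java_entry(name):
            continue
        version = java_version(name)
        if version is None:
            report["unparsed"].append(name)
        elif version < current:          # tuple comparison: major first, then update
            report["stale"].append(name)
        else:
            report["current"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit_java(SAMPLE_LIST).items():
        print(f"{bucket}:")
        for name in names:
            print("   ", name)
```

Paste the saved uninstall list into `SAMPLE_LIST` (or read it from a file) and everything under `stale` is what to remove via Add/Remove Programs before installing the new release; anything under `unparsed` needs a manual decision.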


----------



## SPANKIE64 (Feb 12, 2010)

Done, plus removed dizzler.


----------



## Cookiegal (Aug 27, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:15 PM, on 2/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\ESET\egui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ekrn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\My Documents D Drive\Shortcuts n Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bered.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1176725704\ee\AOLSoftware.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.1; AOLBuild 4334.5006; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MEGAUPLOAD 3.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.americangirl.com/fun/agcn/addy/index.php?section=mancala"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/stg_drm.ocx
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocountyfl.net/permit/opalplayerx5.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - 
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} (GrandSlamTrivia Control) - http://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://www.rickblore.com/Downloads/PSP/3D/Images/3D28Sml.jpg
O24 - Desktop Component 1: (no name) - http://www.aolcdn.com/ch_kids/jesse_mccartney_studio_300.jpg

--
End of file - 14208 bytes


----------



## Cookiegal (Aug 27, 2003)

I see entries for Norton (Symantec) and Eset. Which one are you actually using?

Rescan with HijackThis, close all other browser windows, place a check mark beside the following entries and then click on "Fix Checked".

*R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource....ad/cscmv5X.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab 
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab*

Reboot and post a new HijackThis log please.


----------
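A defender-side triage of the kinds of entries Cookiegal ticks above, written as an added example (not HijackThis's or the thread's own code). The log lines it runs on are constructed, with placeholder CLSIDs and paths rather than values from the user's log; the section codes and the "(no file)" / "(file missing)" markers follow the HijackThis 2.0.2 format shown in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example).

It parses the "Rn"/"On" entry lines a HijackThis scan produces and flags what a
helper would tell the user to tick and "Fix Checked": orphaned registrations whose
target file is gone ("(no file)", "(file missing)", or an O16 DPF entry with no
download source), plus entries that deserve a manual look (O6 IE policy
restrictions, O23 services with an unknown owner, O16 ActiveX controls that were
installed from a remote site).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis log format; CLSIDs and paths are placeholders.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\svchost.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000004} - (no file)
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O16 - DPF: {00000000-0000-0000-0000-000000000005} (Example Control) - http://downloads.example.com/example.cab
O16 - DPF: {00000000-0000-0000-0000-000000000006} (Orphan Control) -
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\\Program Files\\Example\\svc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    code: str                 # HijackThis section code, e.g. "O2"
    line: str                 # the original log line
    clsid: Optional[str]      # CLSID if the line carries one
    orphan: bool              # True when the referenced file is missing
    notes: List[str] = field(default_factory=list)


def classify(line: str) -> Optional[Finding]:
    """Parse one log line; returns None for process-list, header and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    f = Finding(code=code, line=line.strip(),
                clsid=clsid_m.group(0) if clsid_m else None, orphan=False)
    # The part after the last " -" is the entry's target (file path, URL, or nothing).
    _, sep, tail = body.rpartition(" -")
    target = tail.strip() if sep else ""

    if body.endswith("(no file)") or body.endswith("(file missing)"):
        f.orphan = True
        f.notes.append("target file is missing; leftover registration to remove")
    if code == "O16":
        if target == "":
            f.orphan = True
            f.notes.append("DPF entry with no download source")
        elif target.lower().startswith(("http://", "https://")):
            f.notes.append("ActiveX control installed from a remote site; confirm it is wanted")
    if code == "O23" and "Unknown owner" in body:
        f.notes.append("service with no publisher information")
    if code == "O6":
        f.notes.append("IE policy restriction present; remove unless set deliberately")
    return f


def triage(log_text: str) -> List[Finding]:
    """Return every flagged entry (orphaned or annotated), in log order."""
    out = []
    for line in log_text.splitlines():
        f = classify(line)
        if f and (f.orphan or f.notes):
            out.append(f)
    return out


def fix_candidates(log_text: str) -> List[str]:
    """Lines a helper would tell the user to tick: orphaned registrations only."""
    return [f.line for f in triage(log_text) if f.orphan]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "FIX " if f.orphan else "LOOK"
        print(f"[{tag}] {f.code}: {'; '.join(f.notes)}\n       {f.line}")
```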



## SPANKIE64 (Feb 12, 2010)

Will do what you said ASAP. I am using ESET NOD32; I used to have Norton but it's kind of bad.


----------



## SPANKIE64 (Feb 12, 2010)

I did what you specified; here is the log after I rebooted.


----------



## Cookiegal (Aug 27, 2003)

Do you see an entry for Eset in the Control Panel - Add or Remove programs? Because it doesn't appear in the uninstall list from HijackThis. Is Eset working properly?

Do you have any other Symantec products?


----------



## SPANKIE64 (Feb 12, 2010)

Yes, it's in Add or Remove Programs, and yes, it's working properly.


----------



## SPANKIE64 (Feb 12, 2010)

There is a Windows update available.

KB979306. Is it safe to update?

Size: 501 KB

Install this update to resolve issues caused by revised daylight saving time and time zone laws in several countries. This update enables your computer to automatically adjust the computer clock on the correct date in 2010. After you install this item, you may have to restart your computer.

More information for this update can be found at http://support.microsoft.com/KB/979306


----------



## Cookiegal (Aug 27, 2003)

Yes you can go ahead and download that update. 

So no other Symantec products?

If not, then you need to uninstall these via the Control Panel - Add or Remove programs:

*Norton AntiVirus
Norton AntiVirus Help
Norton Protection Center
Symantec Real Time Storage Protection Component*

Then, for good measure, you should also run this Norton removal tool to take care of any leftovers (which there often are):

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Please reboot and then post a new HijackThis log after you've removed the Symantec products.


----------



## SPANKIE64 (Feb 12, 2010)

None of those programs are on there; I removed them a long time ago. They are also not in my Program Files. What should I download from Symantec to remove all components? There are 13 options to download.


----------



## Cookiegal (Aug 27, 2003)

What was the version of Norton Anti-Virus that you had?


----------



## SPANKIE64 (Feb 12, 2010)

Honestly, I am not sure. I checked my hard drive and I can't find any Symantec files.


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis regular scan log.

And also this uninstall list again:

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.

We'll see what leftovers show and we can delete them manually.


----------



## SPANKIE64 (Feb 12, 2010)

Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 7.0.8
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
Agere Systems AC'97 Modem
AIM 7
AOL Coach Version 1.0(Build:20020823.1)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Setup
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
AppCore
Apple Mobile Device Support
Apple Software Update
AT&T Worldnet Setup
ATI Control Panel
ATI Display Driver
Atlantis
Big Fish Games Sudoku (remove only)
Big Fish Games: Game Manager
biob
Bonjour
ccCommon
CCleaner
Cheat Engine 5.4
ChristmasTheme
Component Framework
Connect
ConvertHelper 2.2
Critical Update for Windows Media Player 11 (KB959772)
Data Doctor Recovery Pen Drive (Demo) 3.0.1.5
DB CIF Cam
Disney Pix 2.2
Disney Pix Downloader
DivX Web Player
Download Updater (AOL LLC)
EarthLink Setup
EZ Recipes
FacebookAgentSetup
FaxTools
Finding Nemo
Fishdom H2O - Hidden Odyssey
Free WMA to MP3 Converter 1.16
FrostWire 4.17.2
Google Earth Plug-in
Google Update Helper
Haunted Hotel
Hidden Expedition: Everest 
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
iSqFt Full Viewer V4.01
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_18
Java DB 10.5.3.0
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Jenkat Games Arcade 
Joydesk Games Setup - Puzzle
Kogi
kuler
Lexmark X5100 Series
Mahjong Towers Eternity 
Malwarebytes' Anti-Malware
Mario Forever 3.0
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Learning and Research Plus Support Files
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Express 7.0
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 7.0
Monopoly by Parker Brothers
Mozilla Firefox (3.5.8)
MSXML 4.0
MSXML 4.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Mystery Case Files: Huntsville - Detective Training
Mystery Case Files: Ravenhearst &reg;
Netscape (7.02)
Norton AntiVirus
Norton AntiVirus Help
Norton Protection Center
NVIDIA Windows 2000/XP Display Drivers
Office Animation Runtime
OLYMPUS CAMEDIA Master 4.1
Opal Player 2.12
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-03-18-01
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Secure Module 3.2
OpenOffice.org Installer 1.0
OTOY
Peggle World of Warcraft Edition
Photoshop Camera Raw
PictureGear Studio 2.0
Plasma Pong v1.3b
PlayStation(R)Network Downloader
PlayStation(R)Store
PowerISO
QuickTime
RealPlayer
Rosetta Stone Version 3
Safari
Scrabble Complete
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Shockwave
Sony Certificate PCH
SopCast 3.2.4
SPBBC 32bit
Stream Torrent 1.0
Suite Shared Configuration CS4
Symantec Real Time Storage Protection Component
TPP Storage Driver Installation
Treasure Seekers: Visions of Gold 
TVAnts 1.0
TVUPlayer 2.3.4.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Storage Adapter (TPP)
USB Storage Adapter V2 (TPP)
USB Storage Adapter V3 (TPP)
VAIO Help and Support
VAIO Media 2.6
VAIO Media Integrated Server 2.6
VAIO Media Redistribution 2.6
VAIO Registration
VAIO Support

It's been a while since I downloaded HijackThis; could that affect anything?


----------



## Cookiegal (Aug 27, 2003)

You should uninstall these:

Java 2 Runtime Environment Standard Edition v1.3.1_18
Java DB 10.5.3.0
Java(TM) SE Development Kit 6 Update 18 (you don't need this unless you're a developer. I think you downloaded it by mistake)

Open HijackThis and click on Open the Miscellaneous Tools section.

Open the Uninstall Manager and highlight these Norton programs in the list:

*Norton AntiVirus
Norton AntiVirus Help
Norton Protection Center
Symantec Real Time Storage Protection Component*

Then click on Delete this entry.

Look under C:\Program Files and if you see any folders named Symantec, delete them.

After doing the above, reboot and post a new HijackThis log (please don't attach it but copy and paste it right into the post).


----------



## SPANKIE64 (Feb 12, 2010)

Java 2 Runtime Environment Standard Edition v1.3.1_18 - It gave an error (System cannot find the file specified.)
Java DB 10.5.3.0 - Uninstalled
Java(TM) SE Development Kit 6 Update 18 - Uninstalled

Removed the Symantec stuff. Rebooting in a few minutes.


----------



## SPANKIE64 (Feb 12, 2010)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:14 PM, on 3/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\ESET\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\My Documents D Drive\Shortcuts n Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bered.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1176725704\ee\AOLSoftware.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\end user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.1; AOLBuild 4334.5006; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MEGAUPLOAD 3.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.americangirl.com/fun/agcn/addy/index.php?section=mancala"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/stg_drm.ocx
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocountyfl.net/permit/opalplayerx5.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} (GrandSlamTrivia Control) - http://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://www.rickblore.com/Downloads/PSP/3D/Images/3D28Sml.jpg
O24 - Desktop Component 1: (no name) - http://www.aolcdn.com/ch_kids/jesse_mccartney_studio_300.jpg

--
End of file - 13192 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all other browser windows, place a check mark beside the following entries and then click on "Fix Checked".

*O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.1; AOLBuild 4334.5006; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MEGAUPLOAD 3.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -http://www.americangirl.com/fun/agcn/addy/index.php?section=mancala*

Go to *Start* - *Run*, type in *cmd*, then click OK. The MSDOS window will be displayed. At the prompt type the following:

*SC Delete ccSetMgr*

Then press Enter.

Then type *Exit *and hit Enter.

Then delete this folder:

C:\Program Files\Common Files\*Symantec Shared*

How are things now?


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Rescan with HijackThis, close all other browser windows, place a check mark beside the following entries and then click on "Fix Checked".
> 
> *O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.1; AOLBuild 4334.5006; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MEGAUPLOAD 3.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -http://www.americangirl.com/fun/agcn/addy/index.php?section=mancala*
> 
> ...


Done, my computer has been running great. Are we all done as far as malware removal?


----------



## SPANKIE64 (Feb 12, 2010)

Also windows update has 2 updates.


KB977165 (The one that screwed up my PC)
KB979306

What should I do?


----------



## Cookiegal (Aug 27, 2003)

That's odd because it's listed in the uninstall list as being installed. Please check your Add-Remove Programs list in the Control Panel and let me know if you see update KB977165 listed there and if so on what date was it installed?


----------



## TheOutcaste (Aug 8, 2007)

The manual method of uninstalling an update using the Recovery Console and the spuninst.txt file doesn't remove the update from the list of installed updates in the registry, so it will still show in Add/Remove Programs, and HiJackThis will still list it. It just restores the previous files.
I think the spuninst.tag file that gets created is how Windows Update knows the update had been removed, so it will offer it again.


----------



## Cookiegal (Aug 27, 2003)

Thanks Jerry. I didn't know that.


----------



## Cookiegal (Aug 27, 2003)

You do need the protection provided by the critical update KB977165 and you should be able to install it without incident but if you're hesitant to try it, you can get the same protection by doing the fix described in this MS article:

http://support.microsoft.com/kb/979682

This plugs a critical vulnerability in Windows.

If you decide to go that route then you should permanently deselect the update so it doesn't get continually offered.

As for the other update you mentioned, I'm not aware of any problems with it so I would go ahead and download that one.


----------



## Cookiegal (Aug 27, 2003)

After posting the above, I see that MS has re-issued the update with some safeguards so this won't happen again even on infected machines. It will check for infection and if detected it will not proceed with installation of the update. Please read about it here and I suggest that you get the update in question.

http://blogs.technet.com/msrc/archi...ate-re-released-with-new-detection-logic.aspx

And here is the download:

http://support.microsoft.com/kb/980966/


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> You do need the protection provided by the critical update KB977165 and you should be able to install it without incident but if you're hesitant to try it, you can get the same protection by doing the fix described in this MS article:
> 
> http://support.microsoft.com/kb/979682
> 
> ...


I did that. It didn't do much to my PC, it just installed. I will download the other update. (Not the 977165)

Are we all done now?


----------



## Cookiegal (Aug 27, 2003)

I would like you to post one final HijackThis log please.


----------



## SPANKIE64 (Feb 12, 2010)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:03 PM, on 3/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\ESET\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
D:\Program Files\ESET\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Documents D Drive\Shortcuts n Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bered.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1176725704\ee\AOLSoftware.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\end user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/stg_drm.ocx
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocountyfl.net/permit/opalplayerx5.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} (GrandSlamTrivia Control) - http://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://www.rickblore.com/Downloads/PSP/3D/Images/3D28Sml.jpg
O24 - Desktop Component 1: (no name) - http://www.aolcdn.com/ch_kids/jesse_mccartney_studio_300.jpg

--
End of file - 12768 bytes


----------



## Cookiegal (Aug 27, 2003)

Please confirm that the two O24 entries are indeed images that you have chosen to display on your desktop.

Now we need to get rid of the Norton services that are still showing so please do the following:

Go to *Start* - *Run*, type in *cmd*, then click OK. The MSDOS window will be displayed. At the prompt type the following:

*SC Delete ccEvtMgr*

Then press Enter.

Then do the same thing again with these commands, pressing Enter after each one:

*SC Delete CLTNetCnService*

*SC Delete "LiveUpdate Notice"*

*SC Delete "Symantec Core LC"*

Then reboot and post a new HijackThis log please.
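
As an added example that is not part of this thread, the following Python script parses the O23 service entries of a HijackThis log in the layout posted above, lists the services whose binary is reported "(file missing)", builds the matching `sc delete` commands (quoting names that contain spaces, as in the instructions above), and diffs an earlier and a later log to confirm which entries disappeared. The sample log lines are constructed from entries in this thread, cut down to a few O23 lines rather than a full log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: O23 lines in the layout of the HijackThis v2.0.2 logs
# posted in this thread, cut down to what the example needs (not a full log).
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe (file missing)
"""

# Constructed follow-up log: ccSetMgr is gone after "sc delete ccSetMgr", and a
# CopySafe helper service that was not in the earlier log has appeared.
LOG_AFTER = "\n".join(
    ln for ln in LOG_BEFORE.splitlines() if "(ccSetMgr)" not in ln
) + "\n" + r"O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe" + "\n"


@dataclass(frozen=True)
class Service:
    display: str        # display name as HijackThis prints it
    name: str           # short service name, the argument for "sc delete"
    owner: str          # company field, or "Unknown owner"
    path: str           # image path without the "(file missing)" suffix
    file_missing: bool  # True when HijackThis could not find the binary


# Trailing "(short name)" on the display part; lazy match keeps earlier
# parentheses such as "Google Update Service (gupdate)" in the display name.
_SHORT_NAME = re.compile(r"^(?P<display>.+?)\s*\((?P<name>[^()]+)\)$")


def parse_o23(line: str) -> Optional[Service]:
    """Parse one 'O23 - Service:' line; return None for any other line."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    body = line[len(prefix):]
    # Layout: "<display> [(<name>)] - <owner> - <path> [(file missing)]".
    # Split from the right so a " - " inside the display name survives.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, owner, path = parts
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[: -len(" (file missing)")]
    m = _SHORT_NAME.match(head)
    if m:
        display, name = m.group("display"), m.group("name")
    else:
        # No separate short name shown: the display name is the service name.
        display = name = head
    return Service(display, name, owner, path, missing)


def orphaned_services(log: str) -> List[Service]:
    """Services whose binary is no longer on disk (leftovers of a removed product)."""
    found = []
    for line in log.splitlines():
        svc = parse_o23(line.strip())
        if svc and svc.file_missing:
            found.append(svc)
    return found


def sc_delete_commands(services: List[Service]) -> List[str]:
    """Cleanup commands for an elevated prompt; names with spaces are quoted."""
    cmds = []
    for svc in services:
        name = f'"{svc.name}"' if " " in svc.name else svc.name
        cmds.append(f"sc delete {name}")
    return cmds


def entry_lines(log: str) -> Set[str]:
    """The R*/O* entry lines of a log (header and process list excluded)."""
    return {ln.strip() for ln in log.splitlines()
            if re.match(r"^[RO]\d+ - ", ln.strip())}


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (entries removed, entries added) between two logs."""
    b, a = entry_lines(before), entry_lines(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for cmd in sc_delete_commands(orphaned_services(LOG_BEFORE)):
        print(cmd)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

A new O23 entry in the "added" list (like CSHelper above) is the thing to look into before closing the case; an orphaned entry only points at a binary that is already gone.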


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Please confirm that the two O24 entries are indeed images that you have chosen to display on your desktop.


Confirmed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:02 PM, on 3/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\ESET\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
D:\Program Files\ESET\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\My Documents D Drive\Shortcuts n Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bered.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1176725704\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\end user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/stg_drm.ocx
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocountyfl.net/permit/opalplayerx5.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} (GrandSlamTrivia Control) - http://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://www.rickblore.com/Downloads/PSP/3D/Images/3D28Sml.jpg
O24 - Desktop Component 1: (no name) - http://www.aolcdn.com/ch_kids/jesse_mccartney_studio_300.jpg

--
End of file - 12338 bytes

Attached is a screenshot of what CMD did; one of the commands did not work.


----------



## Cookiegal (Aug 27, 2003)

The command that failed did so because you misspelled it. Please redo this command:

*SC Delete CLTNetCnService*

Then reboot and post a new HijackThis log please.


----------



## SPANKIE64 (Feb 12, 2010)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:22 PM, on 3/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\ESET\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
D:\Program Files\ESET\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\My Documents D Drive\Shortcuts n Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bered.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1176725704\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\end user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [P2kAutostart] V600
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/stg_drm.ocx
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocountyfl.net/permit/opalplayerx5.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} (GrandSlamTrivia Control) - http://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Fishdom%20H2O%20-%20Hidden%20Odyssey/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - http://www.rickblore.com/Downloads/PSP/3D/Images/3D28Sml.jpg
O24 - Desktop Component 1: (no name) - http://www.aolcdn.com/ch_kids/jesse_mccartney_studio_300.jpg

--
End of file - 12253 bytes


----------



## Cookiegal (Aug 27, 2003)

All we have left to do is reset your DNS settings, which were temporarily changed to get you back on-line.

In the windows control panel, if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on *Network Connections.*

Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the *Internet Protocol (TCP/IP)* item and remove the DNS address there (8.8.8.8), then select the radio button that says *Obtain an IP address automatically*. The one below should also be set to *Obtain DNS Server Address automatically*.

Click OK.

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

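An added example, my own code rather than anything from the thread or from HijackThis itself: a small Python triage helper for the O17 (TCP/IP NameServer) and O23 (service) lines of the two logs posted above. It flags services that HijackThis reports as "(file missing)", such as the CLTNetCnService entry that the `sc delete` step removed, prints the matching cmd.exe commands including the netsh equivalent of the DNS reset just described, and diffs the earlier log against the later one so the deletion can be confirmed from the follow-up log instead of assumed. The embedded log excerpts are copied from the thread's posts; the adapter name "Local Area Connection" is an assumption.

```python
"""Triage helper for Trend Micro HijackThis v2.0.x logs (added example).

Parses the O17 (TCP/IP NameServer) and O23 (service) lines of a log,
flags services whose binary HijackThis reports as '(file missing)', and
diffs two logs so an 'sc delete' can be confirmed from the follow-up log.
The sample lines below are copied from the two logs in the thread; the
adapter name used in the netsh command is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# O23 - Service: <display name> (<service name>) - <owner> - <image path> [(file missing)]
# Display and vendor names in this log contain no " - ", which the
# non-greedy groups rely on.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d[,e.f.g.h]
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# The service (short) name is the last parenthesised group of the display name.
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")
MISSING_MARK = "(file missing)"
# Assumed adapter name; check 'netsh interface show interface' on the machine.
ADAPTER = "Local Area Connection"


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    file_missing: bool


@dataclass
class Triage:
    services: Dict[str, Service] = field(default_factory=dict)
    nameservers: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Return a Service for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, path = m.group("name"), m.group("path").strip()
    missing = path.endswith(MISSING_MARK)
    if missing:
        path = path[: -len(MISSING_MARK)].rstrip()
    sm = SHORT_NAME_RE.search(name)
    short = sm.group(1) if sm else name  # e.g. MSSQL$SONY_MEDIAMGR has no (...) suffix
    return Service(name, short, m.group("owner"), path, missing)


def parse_log(text: str) -> Triage:
    """Collect services keyed by short name plus any static DNS servers (O17)."""
    t = Triage()
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc:
            t.services[svc.short] = svc
            continue
        m = O17_RE.match(line.strip())
        if m:
            t.nameservers.extend(s.strip() for s in m.group("servers").split(","))
    return t


def remediation(t: Triage) -> List[str]:
    """cmd.exe commands for the findings.  An orphaned service entry is a
    leftover from an uninstall, not proof of infection: review each before running."""
    cmds = [f'sc delete "{s.short}"' for s in t.services.values() if s.file_missing]
    if t.nameservers:  # O17 is a static override: set by the user, a helper, or a DNS changer
        cmds.append(f'netsh interface ip set dns name="{ADAPTER}" source=dhcp')
    return cmds


def removed_services(before: Triage, after: Triage) -> List[str]:
    """Service entries present in the first log but gone from the second."""
    return sorted(set(before.services) - set(after.services))


# Excerpts copied from the two logs posted in the thread (before and after 'sc delete').
LOG_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
"""
LOG_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B63E7280-1BCC-4E64-8E96-C1E7FAE5818E}: NameServer = 8.8.8.8
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - D:\Program Files\Sony\Acid Plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for cmd in remediation(before):
        print(cmd)
    print("removed between logs:", removed_services(before, after))
```

The service names are quoted in the generated commands because entries such as `getPlus(R) Helper` contain spaces and `MSSQL$SONY_MEDIAMGR` contains a `$`; both are fine for cmd.exe but would need escaping in PowerShell. The diff is the useful check: in the thread the second log no longer lists CLTNetCnService, which is exactly what `removed_services` reports, while the other two "(file missing)" entries were left alone as harmless leftovers.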

----------



## SPANKIE64 (Feb 12, 2010)

Thanks SOOO MUCH for your help. I cannot express how grateful I am that you helped me so much. I thought my computer was done for after the crash from the Windows Update. You have helped us for a month now, consistently every day. Thanks! I will always come back to techguy for any tech support!


----------



## Cookiegal (Aug 27, 2003)

We couldn't have done it without TheOutcaste so it's been a team effort but I'm just happy that I was able to assist as well.

You are indeed welcome.


----------



## SPANKIE64 (Feb 12, 2010)

Oh ya, THANKS SOO MUCH TheOutCaste!!!!!!!!!!!!!!!!!!!!!!!!!!

One, LAST thing.

Windows update has 5 Updates available.

*KB978382*

Size: 8.5 MB

A security vulnerability exists in Microsoft Office Excel 2007 that could allow arbitrary code to run when a maliciously modified file is opened. This update resolves that vulnerability.

More information for this update can be found at http://support.microsoft.com/kb/978382

*KB978380*

Size: 7.4 MB

A security vulnerability exists in the 2007 Microsoft Office System and the Microsoft Office Compatibility Pack that could allow arbitrary code to run when a maliciously modified file is opened. This update resolves that vulnerability.

More information for this update can be found at http://support.microsoft.com/kb/978380

*KB975561*

Size: 1.7 MB

A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.

More information for this update can be found at http://go.microsoft.com/fwlink/?LinkId=183077

*KB979895*

Size: 3.3 MB

This update provides the Junk E-mail Filter in Microsoft Office Outlook 2007 with a more current definition of which e-mail messages should be considered junk e-mail.

More information for this update can be found at http://support.microsoft.com/kb/979895

*KB890830*

Size: 1.3 MB

After the download, this tool runs one time to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection that is found. If an infection is found, the tool will display a status report the next time that you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center, or you can run an online version from microsoft.com. This tool is not a replacement for an antivirus product. To help protect your computer, you should use an antivirus product.

More information for this update can be found at http://go.microsoft.com/fwlink/?LinkId=39987


----------



## Cookiegal (Aug 27, 2003)

Please don't be afraid of Windows updates. What happened was extremely rare and was only because of an existing infection which has nothing to do with the update itself. Critical updates and patches are needed to patch vulnerabilities that leave you open to infections. 

You should always have your data backed up to other media like an external hard drive or even better would be to get something like Acronis that can take an image of your system that can be restored in very little time should the system crash or be infected. 

http://www.acronis.com/homecomputing/products/trueimage/

I don't remember if I mentioned this earlier on in the thread but you should change all passwords for any sites you log into such as anything to do with banking or other financial transactions, etc. as a precaution.


----------



## TheOutcaste (Aug 8, 2007)

You're Welcome SPANKIE64!

Multiple backups of data, as well as an Image of the whole system can be a lifesaver. Well worth the time you spend learning about it and setting it up.
I use Acronis myself and have been quite happy with it.
If you have the right brand hard drive, there are free versions you can use. Doesn't have to be the main drive, can be an external you use for backups:
If you have a Seagate HD, you can use this, which is based on Acronis:
Seagate DiscWizard
And from Western Digital:
Acronis True Image WD Edition Software

Some other imaging software often mentioned on the forum:
*Free*:
Macrium Reflect
DriveImage XML
Easeus Todo Backup

*Commercial*:
Acronis True Image
DriveImage XML
Macrium Reflect
Norton Ghost

I'm not sure which brand of hard drive Sony uses. If you are not sure of the brand of hard drive, check in *Device Manager*. The model number of the drive should be displayed, and can be used to identify the brand if it's not obvious. External drives, if connected and powered on, will be listed here as well.
Right click *My Computer*, click *Manage*, click *Device Manager*, then expand *Disk Drives*


----------



## SPANKIE64 (Feb 12, 2010)

TheOutcaste said:


> You're Welcome SPANKIE64!
> 
> Multiple backups of data, as well as an Image of the whole system can be a lifesaver. Well worth the time you spend learning about it and setting it up.
> I use Acronis myself and have been quite happy with it.
> ...


I'll check out all of the free ones. I can't afford to buy any right now. Once again, thanks so much! You were an amazing help to me!


----------



## SPANKIE64 (Feb 12, 2010)

Cookiegal said:


> Please don't be afraid of Windows updates. What happened was extremely rare and was only because of an existing infection which has nothing to do with the update itself. Critical updates and patches are needed to patch vulnerabilities that leave you open to infections.
> 
> You should always have your data backed up to other media like an external hard drive or even better would be to get something like Acronis that can take an image of your system that can be restored in very little time should the system crash or be infected.
> 
> ...


Thanks for telling me about the Windows updates. I was a little "iffy" on them, but not anymore. I will change any passwords that are important, though I don't bank online.


----------



## Cookiegal (Aug 27, 2003)

SPANKIE64 said:


> Thanks for telling me about the windows updates. I was a little "iffy" on them, but not anymore. I will change any passwords that are important, though i don't bank online.


It's my pleasure.


----------

