Popup Problems


11 replies to this topic

#1 huMAC

huMAC

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:05:06 AM

Posted 21 August 2007 - 07:40 AM

I keep getting popup from outerinfo and other places and I don't know how to remove them. Can someone take a look at my logs


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:57 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bkav2006\Bkav2006.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\DOCUME~1\Chau\MYDOCU~1\RACLE~1\fast.exe
C:\WINDOWS\?asks\?ttrib.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {686D1CAA-A565-DDB1-4B10-8D8DBC5387B4} - C:\WINDOWS\system32\bigc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B5722269-C9A2-B077-DAD9-E1ABAE0253E1} - C:\WINDOWS\system32\zkoidr.dll
O4 - HKLM\..\Run: [BkavFw] C:\Program Files\Bkav2006\Bkav2006.exe TASKBAR
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Cili] "C:\DOCUME~1\Chau\MYDOCU~1\RACLE~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Pyjgrx] C:\WINDOWS\?asks\?ttrib.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7547 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:06 AM

Posted 21 August 2007 - 07:46 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, huMAC :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

First of all you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:05:06 AM

Posted 21 August 2007 - 07:57 AM

I downloaded ClamWin antivirus protection yesterday; how come it said I have no virus protection? Oh well, I will go download AVG.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:06 AM

Posted 21 August 2007 - 08:01 AM

You have indeed installed ClamWin, I didn't see it. Carry on with the Combofix instructions then please.

#5 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:05:06 AM

Posted 21 August 2007 - 08:09 AM

Well, I found a generic6.NCZ during the AVG scan; do I delete it?

C:\Windows\system32\zkoidr.dll

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:06 AM

Posted 21 August 2007 - 08:13 AM

Yes indeed, please delete that.

#7 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:05:06 AM

Posted 21 August 2007 - 09:33 AM

ComboFix 07-08-20 - "Chau" 2007-08-21 9:22:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -6:00]

And here's my new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33, on 2007-08-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\ComboFix\catchme.cfexe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Bkav2006\Bkav2006.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {686D1CAA-A565-DDB1-4B10-8D8DBC5387B4} - C:\WINDOWS\system32\bigc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B5722269-C9A2-B077-DAD9-E1ABAE0253E1} - C:\WINDOWS\system32\zkoidr.dll (file missing)
O4 - HKLM\..\Run: [BkavFw] C:\Program Files\Bkav2006\Bkav2006.exe TASKBAR
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Pyjgrx] C:\WINDOWS\?asks\?ttrib.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7850 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:06 AM

Posted 21 August 2007 - 09:44 AM

Post the entire contents of C:\Combofix.txt please; don't post the ComboFix-quarantined-files.txt unless I ask.

#9 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:05:06 AM

Posted 21 August 2007 - 09:51 AM

I did a new one, here you go.

ComboFix 07-08-20 - "Chau" 2007-08-21 9:46:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.679 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 09:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 07:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 19:32 <DIR> d-------- C:\Program Files\ClamWin
2007-08-20 19:32 <DIR> d-------- C:\DOCUME~1\Chau\APPLIC~1\.clamwin
2007-08-20 19:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\.clamwin
2007-08-20 19:09 <DIR> d-------- C:\DOCUME~1\Chau\.housecall6.6
2007-08-15 08:34 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-06 12:37 <DIR> d--hs---- C:\found.001
2007-08-06 10:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-06 10:47 2,712 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-06 10:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-06 10:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-06 10:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-04 18:15 <DIR> d-------- C:\Program Files\NoAds
2007-08-01 19:57 <DIR> d-------- C:\Program Files\WinPcap
2007-07-30 07:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-29 14:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-28 23:18 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-28 18:17 <DIR> d-------- C:\DOCUME~1\Chau\APPLIC~1\Nexon
2007-07-28 09:52 <DIR> d--hs---- C:\WINDOWS\Kg


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 09:27 --------- d-------- C:\Program Files\Plaxo
2007-08-21 09:26 877254 --a------ C:\WINDOWS\system32\drivers\SysLib.sys
2007-08-21 09:26 32149 --a------ C:\WINDOWS\system32\drivers\BkavAuto.sys
2007-08-20 19:33 --------- d-------- C:\DOCUME~1\Chau\APPLIC~1\.clamwin
2007-08-20 19:33 --------- d-------- C:\DOCUME~1\Chau\APPLIC~1\.clamwin
2007-08-20 13:14 --------- d-------- C:\Program Files\Bkav2006
2007-08-15 08:34 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-15 06:48 --------- d-------- C:\Program Files\Warcraft III
2007-08-14 22:49 --------- d-------- C:\DOCUME~1\Chau\APPLIC~1\LimeWire
2007-08-14 22:49 --------- d-------- C:\DOCUME~1\Chau\APPLIC~1\LimeWire
2007-07-19 13:09 --------- d-------- C:\Program Files\WC3Banlist
2007-07-19 12:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-28 18:01 88696 --a------ C:\WINDOWS\system32\Packet.dll
2007-06-28 18:01 68224 --a------ C:\WINDOWS\system32\WanPacket.dll
2007-06-28 18:01 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2007-06-28 18:01 42512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2007-06-28 18:01 240240 --a------ C:\WINDOWS\system32\wpcap.dll
2007-06-26 09:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 08:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 00:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 07:37 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 07:37 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 02:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 02:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 02:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 02:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 02:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 02:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 02:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 02:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 02:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 02:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 02:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 02:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 02:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 02:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 02:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 02:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 02:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 04:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 04:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-01-31 10:40 327712 --a------ C:\DOCUME~1\Chau\APPLIC~1\errorsafefree_new[1].exe
2006-11-08 17:43 20890 --a------ C:\Program Files\MuError.dmp


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{686D1CAA-A565-DDB1-4B10-8D8DBC5387B4}]
C:\WINDOWS\system32\bigc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5722269-C9A2-B077-DAD9-E1ABAE0253E1}]
C:\WINDOWS\system32\zkoidr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BkavFw"="C:\Program Files\Bkav2006\Bkav2006.exe" [2006-07-25 17:23]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 02:00]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-06-25 09:17]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 21:00]
"EPSON Stylus Photo R300 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 02:00]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 16:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-23 02:17]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-21 07:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 12:42]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 04:17]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-12 19:13]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" []
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 12:31]
"Aim6"="" []
"Pyjgrx"="C:\WINDOWS\?asks\?ttrib.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnsc"=C:\WINDOWS\system32\msnsc.exe

C:\DOCUME~1\Chau\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"=0 (0x0)

R2 SysLib;SysLib;C:\WINDOWS\system32\drivers\SysLib.sys
R3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
S3 basic1;basic1;\??\C:\Documents and Settings\Chau\Desktop\Basic Engine\Basic Engine\basic.sys
S3 cheetah1;cheetah1;\??\C:\Documents and Settings\Chau\Desktop\ce13\cheetah.sys
S3 g0wkudr1ver;g0wkudr1ver;\??\C:\Documents and Settings\Chau\My Documents\My Downloads\MS\super\g0wku.sys
S3 geebers12;geebers12;\??\C:\Documents and Settings\Chau\Desktop\Buffy_Install\Buffy Engine 2.1\nvid888.sys
S3 GGK;GGK;\??\C:\Documents and Settings\Chau\Desktop\Basic Engine\Basic Engine\ggk.sys
S3 iCheat1;iCheat1;\??\C:\Documents and Settings\Chau\Desktop\iCheat13-\iCheat13-\nvid999.sys
S3 kaspersky1;kaspersky1;\??\C:\Documents and Settings\Chau\Desktop\Kaspersky_Engine_2\kaspersky.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 sejt1;sejt1;\??\C:\Documents and Settings\Chau\Desktop\AkumaEngine33\AkumaEngine33\sejt.sys
S3 xp1;xp1;\??\C:\Documents and Settings\Chau\Desktop\xpengine\xp.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys
S3 zenos1;zenos1;\??\C:\Documents and Settings\Chau\Desktop\zenosengine2[1].5\zenosengine2.5\zenos.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 09:49:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************


Completion time: 2007-08-21 9:50:07
C:\ComboFix-quarantined-files.txt ... 2007-08-21 09:50

--- E O F ---

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:06 AM

Posted 21 August 2007 - 10:08 AM

You have Bkav2006, AVG7 and ClamWin installed.
It's definitely not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the others as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the three conflicting with each other.
I suggest you uninstall Bkav2006 and one of the other two, then restart your pc.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {686D1CAA-A565-DDB1-4B10-8D8DBC5387B4} - C:\WINDOWS\system32\bigc.dll (file missing)
O2 - BHO: (no name) - {B5722269-C9A2-B077-DAD9-E1ABAE0253E1} - C:\WINDOWS\system32\zkoidr.dll (file missing)
O4 - HKCU\..\Run: [Pyjgrx] C:\WINDOWS\?asks\?ttrib.exe

Exit Hijackthis.

Find and delete:
C:\Documents and Settings\Chau\Application Data\errorsafefree_new[1].exe

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.
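The entries Richie singles out above (the unnamed "(file missing)" BHOs, the `?asks\?ttrib.exe` autostart, the `cmd.exe ... move` RunOnce values and the `fast.exe` run from a user's documents folder) are the kind of indicators a helper scans a HijackThis log for by eye. The following Python script is an added example, not part of this thread or of HijackThis itself: it applies those same checks to log lines automatically. The sample lines are copied from the first log posted in this thread (with a few benign lines included to show what is not flagged); the function names, regular expressions and heuristics are this example's own.

```python
import re

# Constructed sample: eight lines copied from the first HijackThis log posted
# in this thread. The R1, Acrobat O2 and AnyDVD O4 lines are benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {686D1CAA-A565-DDB1-4B10-8D8DBC5387B4} - C:\WINDOWS\system32\bigc.dll (file missing)
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Cili] "C:\DOCUME~1\Chau\MYDOCU~1\RACLE~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Pyjgrx] C:\WINDOWS\?asks\?ttrib.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 body layout: "<hive\..\key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A local path (drive letter + backslash) containing a literal '?'. '?' is not a
# legal character in a Windows file name, so when HijackThis prints one, the real
# directory or file name contains a character it could not render; the entry is
# not what it appears to be and needs a closer look.
ODD_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]*\?')
# Autostart targets living under a user profile instead of Program Files / Windows.
PROFILE_DIR_RE = re.compile(r"DOCUME~1|Documents and Settings", re.IGNORECASE)


def triage_line(line):
    """Return the reasons a single HijackThis log line deserves review ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    findings = []

    if code == "F2" and "Shell=" in body:
        # The Winlogon shell should be Explorer.exe alone; anything appended is
        # launched at every logon (the csrss.exe under \Config in the sample).
        extra = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
        if extra:
            findings.append("Shell= launches more than Explorer.exe: " + " ".join(extra))

    if code == "O2":
        if "(no name)" in body:
            findings.append("BHO registered without a name")
        if body.endswith("(file missing)"):
            findings.append("BHO DLL missing on disk (orphaned registration)")

    if code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            cmd = m4.group("cmd")
            if cmd.lower().startswith("cmd.exe"):
                findings.append("autostart value is a cmd.exe command line")
            if PROFILE_DIR_RE.search(cmd):
                findings.append("autostart target is inside a user profile directory")

    if ODD_PATH_RE.search(body):
        findings.append("local path contains '?' (unrenderable character in the real name)")

    return findings


def triage(log_text):
    """Run triage_line over a whole log and return [(line, findings)] for flagged lines only."""
    results = []
    for line in log_text.splitlines():
        findings = triage_line(line)
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for flagged, reasons in triage(SAMPLE_LOG):
        print(flagged)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, the script flags the F2 shell entry, the unnamed missing BHO, both HKCU autostarts and the LOCAL SERVICE RunOnce, and leaves the three benign lines alone. The checks are deliberately conservative (a `cmd.exe` RunOnce or a profile-directory autostart is a reason to look, not proof of infection), which is the same stance the helper takes by listing entries for review before anything is fixed.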

#11 huMAC

huMAC
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  • Location:Barling, AR
  • Local time:05:06 AM

Posted 21 August 2007 - 10:57 AM

Here's the SuperAntiSpyware log:

___________________________________________
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2007 at 10:43 AM

Application Version : 3.9.1008

Core Rules Database Version : 3290
Trace Rules Database Version: 1301

Scan type : Complete Scan
Total Scan Time : 00:24:20

Memory items scanned : 377
Memory threats detected : 0
Registry items scanned : 4987
Registry threats detected : 15
File items scanned : 25668
File threats detected : 163

Trojan.VirtualDNS
HKLM\Software\Classes\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}#AppID
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\Control
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\InprocServer32
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\InprocServer32#ThreadingModel
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\MiscStatus
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\MiscStatus\1
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\ProgID
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\ToolboxBitmap32
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\TypeLib
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\Version
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\VersionIndependentProgID
C:\WINDOWS\VIRTUALDNS.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Chau\Cookies\chau@1068064317[1].txt
C:\Documents and Settings\Chau\Cookies\chau@revsci[2].txt
C:\Documents and Settings\Chau\Cookies\chau@html[1].txt
C:\Documents and Settings\Chau\Cookies\chau@adlegend[1].txt
C:\Documents and Settings\Chau\Cookies\chau@tribalfusion[1].txt
C:\Documents and Settings\Chau\Cookies\chau@atdmt[2].txt
C:\Documents and Settings\Chau\Cookies\chau@www.burstnet[1].txt
C:\Documents and Settings\Chau\Cookies\chau@msnportal.112.2o7[1].txt
C:\Documents and Settings\Chau\Cookies\chau@2o7[1].txt
C:\Documents and Settings\Chau\Cookies\chau@atwola[1].txt
C:\Documents and Settings\Chau\Cookies\chau@login.tracking101[2].txt
C:\Documents and Settings\Chau\Cookies\chau@ads.pointroll[1].txt
C:\Documents and Settings\Chau\Cookies\chau@ad.interclick[2].txt

Adware.Zango Toolbar/Hb
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoOI\dynamic
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoOI\static
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoOI
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoOL\dynamic
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoOL\static
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoOL
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1.sdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1384715.sdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1404739.sdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\ASPL1.dat
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\hstat\3474.dat
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\hstat
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\17025
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\18019
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\2021
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\20513
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\224717
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\26340
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\26664
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\27414
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\290893
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\29115
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\29532
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\32137
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\34267
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\35047
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\37135
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\44769
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\44878
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\4949
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\5246
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\531510
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\572769
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\578081
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\624703
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\65762
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\66566
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\66852
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\67226
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\68016
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\703336
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\73415
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\80193
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\82292
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\82306
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\83634
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\92893
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\93110
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\93950
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\93951
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\93952
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\95678
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\95704
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\95725
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\98248
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\ustat
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\btntrans1.dat
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\buttondir.txt
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\components.cdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\default.cdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_511745-514279.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_categorize.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_comparison.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_explorer-people.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_favorites.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Games.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Hide.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Hotmail.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_hsskin.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jemster.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jemsterie.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jobsearch.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Mails.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_MobileSidewalk.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_new.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_premium.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_reun.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_ringtones.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_searchfor.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_searchgo.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_weather.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_yellowpages.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_other.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\email-def-511724-548964.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\email-t1-bg.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\icons2.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\keywords.idx
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\keywords1.dat
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\layout.cdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\linkpathlegal.txt
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\progress.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\sales_buttons.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\s_icons_buttons.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\t2_bg.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\theweb.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\top7.cdf
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Top7_theweb.mnu
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\tsd_bg.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\zango.res
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\buttondir.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\default.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\icons2.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\keywords.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\keywords1.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\layout.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\progress.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\samplegroups2reg.txt
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\samplegroups2reg.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\top7.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\zango.xip
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0\ZangoToolbar
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\v3.0
C:\Documents and Settings\Chau\Application Data\ZangoToolbar\zbar.log
C:\Documents and Settings\Chau\Application Data\ZangoToolbar

Adware.AdSponsor/ISM
HKU\S-1-5-21-1229272821-1993962763-682003330-1003\Software\antica

Adware.ClickSpring
C:\QooBox\Quarantine\C\WINDOWS\ASKS~1\TTRIBE~1.VIR

Trojan.ErrorSafe
C:\RECYCLER\S-1-5-21-1229272821-1993962763-682003330-1003\DC2.EXE

______________________________________________________________________________

And here is my HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:44 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab50997.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7823 bytes


I'm going to mess around and see if any popups appear. Thanks so much, Richie.
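Added example (not part of this thread, and not code from HijackThis or SUPERAntiSpyware): a small Python triage script for the two log formats posted above. It parses HijackThis O2 (BHO) and O4 (autorun) lines and flags the two patterns RichieUK asked to have fixed earlier in the thread: a BHO whose DLL is reported "(file missing)", and an autorun whose path contains '?', which is not a legal file-name character on Windows and therefore stands in for a character the tool could not display. It also counts the items per threat category in a SUPERAntiSpyware scan log. The sample lines are constructed from the posted logs; the function names and heuristics are this example's own.

```python
"""Triage helpers for HijackThis and SUPERAntiSpyware logs (added example).

The sample data below is constructed from the logs posted in this thread.
The heuristics (BHO with missing DLL, autorun path containing '?') are this
example's own, not features of either tool.
"""
import re
from collections import Counter

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
_O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# "O4 - <hive>\..\Run[Once]: [<value name>] <command>[ (User '<account>')]"
_O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# SUPERAntiSpyware items are registry keys (HKLM\..., HKCR\..., HKU\...) or file paths (C:\...)
_SAS_ITEM_RE = re.compile(r"^(?:HK[A-Z]+\\|[A-Z]:\\)")


def _executable_of(cmd):
    """Best-effort split of an autorun command into its executable path (arguments dropped)."""
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    # Unquoted commands: arguments, when present, begin with " /" or " -"
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def parse_hjt_line(line):
    """Return a dict for an O2 or O4 HijackThis line, or None for any other line."""
    m = _O2_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "O2"
        entry["file_missing"] = entry["path"].endswith("(file missing)")
        return entry
    m = _O4_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "O4"
        entry["exe"] = _executable_of(entry["cmd"])
        return entry
    return None


def triage_hjt(lines):
    """Flag the O2/O4 entries a reviewer would look at first.

    Heuristics: a BHO whose DLL is no longer on disk, and an autorun executable
    whose path contains '?', a character Windows does not allow in file names.
    """
    findings = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        if entry["kind"] == "O2" and entry["file_missing"]:
            findings.append({"kind": "O2", "name": entry["clsid"],
                             "reason": "BHO points at a DLL that is not on disk"})
        elif entry["kind"] == "O4" and "?" in entry["exe"]:
            findings.append({"kind": "O4", "name": entry["name"],
                             "reason": "autorun path contains undisplayable characters"})
    return findings


def summarize_sas(text):
    """Count detected items per threat category in a SUPERAntiSpyware scan log.

    Each category name is followed by the keys/files found under it; blank lines
    separate categories, so a name with no items after it is never counted.
    """
    counts = Counter()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif _SAS_ITEM_RE.match(line):
            if current is not None:
                counts[current] += 1
        else:
            current = line
    return dict(counts)


# Constructed samples, taken from the logs posted in this thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - {B5722269-C9A2-B077-DAD9-E1ABAE0253E1} - C:\WINDOWS\system32\zkoidr.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O4 - HKCU\..\Run: [Pyjgrx] C:\WINDOWS\?asks\?ttrib.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')",
    r"O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
]
SAMPLE_SAS_LOG = r"""SUPERAntiSpyware Scan Log

Registry threats detected : 2
File threats detected : 4

Trojan.VirtualDNS
HKLM\Software\Classes\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
C:\WINDOWS\VIRTUALDNS.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Chau\Cookies\chau@revsci[2].txt
C:\Documents and Settings\Chau\Cookies\chau@atdmt[2].txt

Trojan.ErrorSafe
C:\RECYCLER\S-1-5-21-1229272821-1993962763-682003330-1003\DC2.EXE
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print("%s %s: %s" % (f["kind"], f["name"], f["reason"]))
    for category, n in summarize_sas(SAMPLE_SAS_LOG).items():
        print("%-25s %d item(s)" % (category, n))
```

Run against the full posted logs, the script reports the two entries RichieUK named in his fix list and a per-category breakdown of the SUPERAntiSpyware results; entries it does not flag (such as the AVG and msnsc autoruns) are simply ones these two heuristics say nothing about, not a clean bill of health.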

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 21 August 2007 - 11:38 AM

Your log is clean :thumbsup:
If all's OK, please do the following.

Find and delete:
Combofix.exe
C:\Qoobox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?' Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html