My HijackThis log file... Expert please help me


7 replies to this topic

#1 jackoff

  • Members
  • 44 posts
  • Gender:Male

Posted 03 April 2005 - 04:43 AM

Dear all experts,
I have a lot of trouble on my computer.
I am infected with a virus or spyware. After scanning with Trend Micro I found out that
it is the about:blank spyware (se.dll).
My Explorer always pops up and shows me annoying messages
such as "your system is infected with SPY'WARE",
and every time I open IE it shows about:blank in the address bar,
but it displays a web page like "Search for...".
I cannot even check my email, because after I sign in it redirects to
the about:blank page.

Below is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 17:23:31, on 3/4/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\TEMP\STA647.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\English\Desktop\remove virus\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\English\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\English\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: (no name) - {278DB691-E61C-4A9B-8951-076E15ADC195} - C:\WINDOWS\System32\dkom.dll
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: KuroBar - {37DE7A73-1E01-47d6-BB9B-99BEDB7A22E2} - C:\Program Files\KuroM7\KuroBar.dll
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [yelwmpcg] C:\WINDOWS\System32\vmjkrexj.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Sanook! QQ.lnk = C:\Program Files\QQ\Sanook QQ\QQ.exe
O4 - Global Startup: ฬฺัถQQ.lnk = C:\Program Files\QQ\Sanook QQ\QQ.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_3721_assist (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ\Sanook QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Sanook! QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ\Sanook QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://www.virusscan.au.edu/officescan/con...ll/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://www.virusscan.au.edu/officescan/con...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://www.virusscan.au.edu/officescan/con...stall/setup.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://webphone.cncbb.net/component/ver5.4...wbaxuiph544.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.in.th/com/EGamesPlugin.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://www.virusscan.au.edu/officescan/con.../RemoveCtrl.cab
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/hotbar...rams/hotbar.cab
O16 - DPF: {A3ED3A2E-8846-4C3D-AEF4-875EFF9E675F} (VeaCtrlX Control) - http://www.virusscan.au.edu/ControlManager...ctivex/VEAX.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A853F71-49B6-4064-8F88-44354640D8A7}: NameServer = 203.144.255.71,203.144.255.72
O18 - Filter: text/html - {77846431-F258-4B36-A660-6AD78C53F12D} - C:\WINDOWS\System32\dkom.dll
O18 - Filter: text/plain - {77846431-F258-4B36-A660-6AD78C53F12D} - C:\WINDOWS\System32\dkom.dll
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
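
The log above shows the pattern an experienced reader picks out by eye: the IE search pages point at a DLL in the user's Temp directory through the res:// protocol, the same dkom.dll is registered both as an unnamed BHO and as the text/html and text/plain MIME filters, a random-looking autostart (yelwmpcg / vmjkrexj.exe) sits in System32, and an executable is running out of C:\WINDOWS\TEMP. The following is an added example of that triage done mechanically; it is not part of the original post and not HijackThis code. SAMPLE_LOG is a constructed excerpt of the log above, and the random-name test is a crude heuristic, so every finding still needs a human look.

```python
"""Triage heuristics for a HijackThis 1.99 log.

Added example for this thread; it is not part of the original post and not
HijackThis code.  SAMPLE_LOG is a constructed excerpt of the first log in
the thread, and every rule is a heuristic, not a signature.
"""
import re

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Processes started out of a temp directory deserve a look on any box.
TEMP_RE = re.compile(r"\\(windows\\temp|locals~1\\temp|local settings\\temp)\\", re.I)
DLL_RE = re.compile(r"[a-z]:\\\S+\.dll")

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\STA647.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\English\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
O2 - BHO: (no name) - {278DB691-E61C-4A9B-8951-076E15ADC195} - C:\WINDOWS\System32\dkom.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O4 - HKLM\..\Run: [yelwmpcg] C:\WINDOWS\System32\vmjkrexj.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O15 - Trusted Zone: http://free.aol.com
O18 - Filter: text/html - {77846431-F258-4B36-A660-6AD78C53F12D} - C:\WINDOWS\System32\dkom.dll
O18 - Filter: text/plain - {77846431-F258-4B36-A660-6AD78C53F12D} - C:\WINDOWS\System32\dkom.dll
"""


def parse(log):
    """Split a log into its running-process list and its (section, payload) entries."""
    procs, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                procs.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return procs, entries


def looks_random(name):
    """Crude test for generated names such as 'yelwmpcg': 6-10 lowercase letters, at most two vowels."""
    return re.fullmatch(r"[a-z]{6,10}", name) is not None and sum(c in "aeiou" for c in name) <= 2


def autostart_target(payload):
    """For an O4 payload 'HKLM\\..\\Run: [name] command', return (name, bare executable name)."""
    m = re.search(r"\[([^\]]+)\]\s+(.+)$", payload)
    if not m:
        return None, None
    name, cmd = m.groups()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    exe = re.split(r"[\\/]", first)[-1]
    return name, exe.rsplit(".", 1)[0]


def triage(log):
    """Return a list of (section, reason, text) findings for a HijackThis log."""
    procs, entries = parse(log)
    findings = []
    for p in procs:
        if TEMP_RE.search(p):
            findings.append(("process", "executable running from a temp directory", p))
    dll_roles = {}  # lowercase DLL path -> sections that reference it
    for sec, payload in entries:
        low = payload.lower()
        if sec in ("R0", "R1"):
            if "res://" in low and ".dll/" in low:
                findings.append((sec, "IE page served out of a DLL via res://", payload))
            elif low.endswith("= about:blank"):
                findings.append((sec, "search/start page forced to about:blank", payload))
        elif sec == "O2" and "(no name)" in low:
            findings.append((sec, "BHO with no registered name", payload))
        elif sec == "O4":
            name, exe = autostart_target(payload)
            if name and looks_random(name.lower()) and looks_random(exe.lower()) and "system32" in low:
                findings.append((sec, "autostart with random-looking name and file in System32", payload))
        elif sec == "O15":
            findings.append((sec, "site added to IE Trusted Zone", payload))
        elif sec == "O18" and re.match(r"filter: text/(html|plain)", low):
            findings.append((sec, "MIME filter on text/html or text/plain can rewrite every page", payload))
        for path in DLL_RE.findall(low):
            dll_roles.setdefault(path, set()).add(sec)
    # One DLL in several hook types (here a BHO plus two MIME filters) is a strong tell.
    for path, secs in sorted(dll_roles.items()):
        if len(secs) > 1:
            findings.append(("xref", "same DLL registered in several hook types", path + " (" + ", ".join(sorted(secs)) + ")"))
    return findings


if __name__ == "__main__":
    for sec, reason, text in triage(SAMPLE_LOG):
        print(f"{sec:7} {reason}: {text}")
```

Run it against a full log pasted into SAMPLE_LOG; the cross-reference step is the one worth keeping even if the other rules are tuned, because a single DLL showing up as a BHO and as a MIME filter for all HTML and plain text is how this hijacker gets to rewrite every page IE renders.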


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,659 posts
  • Gender:Male
  • Location:USA

Posted 03 April 2005 - 04:15 PM

Please download and extract the following file:

http://www.derbilk.de/SpSeHjfix111.zip

Run the program and then post the resulting log along with a new HijackThis log.

#3 jackoff
  • Topic Starter
  • Members
  • 44 posts
  • Gender:Male

Posted 05 April 2005 - 07:31 AM

(4/5/48 20:15:43) SPSeHjFix started v1.1.2
(4/5/48 20:15:43) OS: WinXP Service Pack 1 (5.1.2600)
(4/5/48 20:15:43) Language: Thai
(4/5/48 20:15:43) Win-Path: C:\WINDOWS
(4/5/48 20:15:43) System-Path: C:\WINDOWS\System32
(4/5/48 20:15:43) Temp-Path: C:\DOCUME~1\English\LOCALS~1\Temp\
(4/5/48 20:15:50) Disinfection started
(4/5/48 20:15:50) Bad-Dll(IEP): c:\docume~1\english\locals~1\temp\se.dll
(4/5/48 20:15:50) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\dkom.dll
(4/5/48 20:15:50) Searchassistant Uninstaller - Keys Deleted
(4/5/48 20:15:50) UBF: 6 - UBB: 4 - UBR: 11
(4/5/48 20:15:50) FilterKey: HKCR\text/html (deleted)
(4/5/48 20:15:50) FilterKey: HKCR\CLSID\{418C80E8-561E-412E-A3E6-C6052506DE74} (deleted)
(4/5/48 20:15:50) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/5/48 20:15:50) FilterKey: HKCR\text/plain (deleted)
(4/5/48 20:15:50) FilterKey: HKCR\CLSID\{418C80E8-561E-412E-A3E6-C6052506DE74} (error while deleting)
(4/5/48 20:15:50) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/5/48 20:15:50) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04BBF59E-D8DF-4E26-97B2-3DCD5D5BDB58} (deleted)
(4/5/48 20:15:50) BHO-Key: HKCR\CLSID\{04BBF59E-D8DF-4E26-97B2-3DCD5D5BDB58} (deleted)
(4/5/48 20:15:50) UBF: 4 - UBB: 3 - UBR: 11
(4/5/48 20:15:50) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\english\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\english\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/5/48 20:15:50) Stealth-String not found
(4/5/48 20:15:50) File added to delete: c:\windows\system32\dkom.dll
(4/5/48 20:15:50) Reboot


(4/5/48 20:19:30) SPSeHjFix started v1.1.2
(4/5/48 20:19:30) OS: WinXP Service Pack 1 (5.1.2600)
(4/5/48 20:19:30) Language: Thai
(4/5/48 20:19:30) Win-Path: C:\WINDOWS
(4/5/48 20:19:30) System-Path: C:\WINDOWS\System32
(4/5/48 20:19:30) Temp-Path: C:\DOCUME~1\English\LOCALS~1\Temp\
(4/5/48 20:20:07) Disinfection started
(4/5/48 20:20:07) Bad-Dll(IEP): c:\docume~1\english\locals~1\temp\se.dll
(4/5/48 20:20:07) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\dkom.dll
(4/5/48 20:20:07) Searchassistant Uninstaller - Keys Deleted
(4/5/48 20:20:07) UBF: 6 - UBB: 4 - UBR: 11
(4/5/48 20:20:07) FilterKey: HKCR\text/html (deleted)
(4/5/48 20:20:07) FilterKey: HKCR\CLSID\{5C2265CE-4354-4058-9692-131A0CB644B7} (deleted)
(4/5/48 20:20:07) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/5/48 20:20:07) FilterKey: HKCR\text/plain (deleted)
(4/5/48 20:20:07) FilterKey: HKCR\CLSID\{5C2265CE-4354-4058-9692-131A0CB644B7} (error while deleting)
(4/5/48 20:20:07) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/5/48 20:20:07) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39682D61-7849-4810-B903-EA26036BF13E} (deleted)
(4/5/48 20:20:07) BHO-Key: HKCR\CLSID\{39682D61-7849-4810-B903-EA26036BF13E} (deleted)
(4/5/48 20:20:07) UBF: 4 - UBB: 3 - UBR: 11
(4/5/48 20:20:07) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\english\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\english\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/5/48 20:20:07) Stealth-String not found
(4/5/48 20:20:07) File added to delete: c:\windows\system32\dkom.dll
(4/5/48 20:20:07) Reboot


(4/5/48 20:21:22) SPSeHjFix started v1.1.2
(4/5/48 20:21:22) OS: WinXP Service Pack 1 (5.1.2600)
(4/5/48 20:21:22) Language: Thai
(4/5/48 20:21:22) Win-Path: C:\WINDOWS
(4/5/48 20:21:22) System-Path: C:\WINDOWS\System32
(4/5/48 20:21:22) Temp-Path: C:\DOCUME~1\English\LOCALS~1\Temp\
(4/5/48 20:22:10) Disinfection started
(4/5/48 20:22:10) Bad-Dll(IEP): (not found)
(4/5/48 20:22:10) Bad-Dll(IEP) in BHO: (not found)
(4/5/48 20:22:10) UBF: 4 - UBB: 3 - UBR: 11
(4/5/48 20:22:10) UBF: 4 - UBB: 3 - UBR: 11
(4/5/48 20:22:10) Bad IE-pages: (none)
(4/5/48 20:22:10) Stealth-String not found
(4/5/48 20:22:10) Not infected->END

#4 jackoff
  • Topic Starter
  • Members
  • 44 posts
  • Gender:Male

Posted 05 April 2005 - 07:32 AM

After running SPSeHjFix.exe I rescanned with HijackThis. Here is the result:

Logfile of HijackThis v1.99.1
Scan saved at 20:30:50, on 5/4/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\PED4C2.EXE
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hotbar\Bin\4.6.1.0\HbSrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera 8 Beta\Opera.exe
C:\Documents and Settings\English\Desktop\remove virus\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: KuroBar - {37DE7A73-1E01-47d6-BB9B-99BEDB7A22E2} - C:\Program Files\KuroM7\KuroBar.dll
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [yelwmpcg] C:\WINDOWS\System32\vmjkrexj.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Sanook! QQ.lnk = C:\Program Files\QQ\Sanook QQ\QQ.exe
O4 - Global Startup: ฬฺัถQQ.lnk = C:\Program Files\QQ\Sanook QQ\QQ.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_3721_assist (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ\Sanook QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Sanook! QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ\Sanook QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://www.virusscan.au.edu/officescan/con...ll/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://www.virusscan.au.edu/officescan/con...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://www.virusscan.au.edu/officescan/con...stall/setup.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://webphone.cncbb.net/component/ver5.4...wbaxuiph544.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.in.th/com/EGamesPlugin.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://www.virusscan.au.edu/officescan/con.../RemoveCtrl.cab
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/hotbar...rams/hotbar.cab
O16 - DPF: {A3ED3A2E-8846-4C3D-AEF4-875EFF9E675F} (VeaCtrlX Control) - http://www.virusscan.au.edu/ControlManager...ctivex/VEAX.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A853F71-49B6-4064-8F88-44354640D8A7}: NameServer = 203.144.255.71,203.144.255.72
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

#5 Grinler

    Lawrence Abrams

  • Admin
  • 43,659 posts
  • Gender:Male
  • Location:USA

Posted 05 April 2005 - 10:22 AM

Do you know what this is?

O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

If not, fix it with the items below.


Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

QQ
Hotbar
Shopper Reports

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, put a checkmark next to each of these, and then click the Fix button:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O3 - Toolbar: KuroBar - {37DE7A73-1E01-47d6-BB9B-99BEDB7A22E2} - C:\Program Files\KuroM7\KuroBar.dll
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\Bin\4.6.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [yelwmpcg] C:\WINDOWS\System32\vmjkrexj.exe
O4 - Startup: Sanook! QQ.lnk = C:\Program Files\QQ\Sanook QQ\QQ.exe
O4 - Global Startup: ฬฺัถQQ.lnk = C:\Program Files\QQ\Sanook QQ\QQ.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ\Sanook QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Sanook! QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ\Sanook QQ\QQ.EXE
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/hotbar...rams/hotbar.cab

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\Program Files\ShopperReports\
C:\Program Files\KuroM7\
C:\Program Files\Hotbar\
C:\WINDOWS\System32\vmjkrexj.exe
C:\Program Files\QQ\

Reboot your computer to go back to normal mode and post a new log.

#6 jackoff
  • Topic Starter
  • Members
  • 44 posts
  • Gender:Male

Posted 08 April 2005 - 10:57 PM

Thank you for kindly helping me.
I just had free time to follow your instructions.
After following your instructions,
here is the result:



Logfile of HijackThis v1.99.1
Scan saved at 11:53:52, on 9/4/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\JHE74.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\English\Desktop\remove virus\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/...nger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://www.virusscan.au.edu/officescan/con...ll/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://www.virusscan.au.edu/officescan/con...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://www.virusscan.au.edu/officescan/con...stall/setup.cab
O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://webphone.cncbb.net/component/ver5.4...wbaxuiph544.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://www.virusscan.au.edu/officescan/con.../RemoveCtrl.cab
O16 - DPF: {A3ED3A2E-8846-4C3D-AEF4-875EFF9E675F} (VeaCtrlX Control) - http://www.virusscan.au.edu/ControlManager...ctivex/VEAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A853F71-49B6-4064-8F88-44354640D8A7}: NameServer = 203.144.255.71,203.144.255.72
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

#7 Grinler

    Lawrence Abrams

  • Admin
  • 43,659 posts
  • Gender:Male
  • Location:USA

Posted 08 April 2005 - 11:02 PM

Looks good to me...how does it feel to you?
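
Before signing off on a follow-up log it is worth diffing it against the previous one and the fix list mechanically rather than by eye. This thread shows why: the two SPSeHjFix runs in post #3 found the MIME filter and BHO under different CLSIDs each time, and every HijackThis log posted has a differently named executable running from C:\WINDOWS\TEMP (STA647.EXE, PED4C2.EXE, JHE74.EXE), which is easy to skim past when the rest of the log looks clean. The following is an added example, not part of the original posts and not HijackThis code; FIX_LIST is a subset of the entries from post #5, and BEFORE_LOG and AFTER_LOG are constructed excerpts of the logs in posts #4 and #6.

```python
"""Check a follow-up HijackThis log against the fix list and the previous log.

Added example for this thread; not part of the original posts and not
HijackThis code.  BEFORE_LOG and AFTER_LOG are constructed excerpts of the
logs in posts #4 and #6; FIX_LIST is a subset of the entries post #5 says to fix.
"""
import re

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
TEMP_RE = re.compile(r"\\(windows\\temp|locals~1\\temp|local settings\\temp)\\", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|lnk)", re.I)

FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll",
    r"O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll",
    r"O4 - HKLM\..\Run: [yelwmpcg] C:\WINDOWS\System32\vmjkrexj.exe",
]

BEFORE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\PED4C2.EXE
C:\Program Files\Hotbar\Bin\4.6.1.0\HbSrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\Program Files\KuroM7\CallToolBar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
O4 - HKLM\..\Run: [yelwmpcg] C:\WINDOWS\System32\vmjkrexj.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

AFTER_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\JHE74.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
"""


def split_log(log):
    """Return (set of running-process paths, set of entry lines) for one log."""
    procs, entries, in_procs = set(), set(), False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                procs.add(line)
            else:
                in_procs = False
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
    return procs, entries


def normalise(line):
    """Pasted logs differ in case and spacing, so compare entries loosely."""
    return re.sub(r"\s+", " ", line.strip()).lower()


def path_of(entry):
    """File an entry points at: after '] ' for O4, after the last ' - ' otherwise; None for URLs and bare values."""
    sec, payload = entry.split(" - ", 1)
    if sec == "O4":
        m = re.search(r"\]\s+(.+)$", payload)
        cmd = m.group(1) if m else ""
    else:
        cmd = payload.rsplit(" - ", 1)[-1]
    m = PATH_RE.match(cmd.strip().strip('"'))
    return m.group(0) if m else None


def review(fix_list, before_log, after_log):
    """Compare the follow-up log with the fix list and the earlier log."""
    before_p, before_e = split_log(before_log)
    after_p, after_e = split_log(after_log)
    before_n = {normalise(e) for e in before_e}
    after_n = {normalise(e) for e in after_e}
    return {
        # entries the user was told to fix that are still in the new log
        "still_present": [f for f in fix_list if normalise(f) in after_n],
        # entries that were not in the previous log at all
        "new_entries": sorted(e for e in after_e if normalise(e) not in before_n),
        # processes that appeared or vanished between the two logs
        "new_processes": sorted(after_p - before_p),
        "gone_processes": sorted(before_p - after_p),
        # anything still being run out of a temp directory
        "temp_processes": sorted(p for p in after_p if TEMP_RE.search(p)),
        # files named by the fix list; confirm these are gone on disk, not just out of the log
        "fix_paths": sorted({p for p in map(path_of, fix_list) if p}),
    }


if __name__ == "__main__":
    for key, value in review(FIX_LIST, BEFORE_LOG, AFTER_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

The script only says what changed. Confirming that the files in fix_paths are really gone from disk, and identifying whatever is behind the new executable in C:\WINDOWS\TEMP, is still manual work; on the constructed excerpts above it reports nothing left from the fix list, one new RunOnce entry, and JHE74.EXE as the one new process and the one still running from a temp directory.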

#8 jackoff
  • Topic Starter
  • Members
  • 44 posts
  • Gender:Male

Posted 08 April 2005 - 11:15 PM

Mr. Grinler,

Thank you very much for helping me.
My computer is now clean of spyware.
I do not have to format my system. So happy!

I don't know how to thank you.
Thank you again.



