Homepage Resetting To Sha123.com, Chinese Pages Opening


  • This topic is locked
15 replies to this topic

#1 spangles

spangles

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:23 AM

Posted 24 November 2006 - 10:56 AM

Hi,
I originally posted this in the wrong section, apologies, I've copied the problem and log here:

Since last night when I was searching for a TV link for the Spurs game my PC keeps opening Chinese pages automatically. My homepage had been reset to www.sha123.com and the page that keeps opening now is [removed].
I also had a Google style toolbar [in Chinese] appear and a new Chinese description option in my internet options and programs.
I have unticked all the Chinese options in internet options.
I ran AVG free edition, Spybot and Ad-Aware. Ad-Aware found a lot of problems and after fixing it said 4 items could not be removed without a reboot. I rebooted and ran Ad-Aware again but it did not find the problems again!
I have also tried a system restore to several points before last night but it just keeps saying cannot restore to that point.
Any help would be appreciated,

Regards,
Alan

Following buddy215's reply I have run AVG7.6 spyware.

Thanks.



Logfile of HijackThis v1.99.1
Scan saved at 14:41:19, on 24/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TRUST\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\107up.exe
C:\DOCUME~1\Alan\LOCALS~1\Temp\RarSFX3\csrss.exe
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesear...esearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customse...msearch-en.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNNIC 繤Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
O3 - Toolbar: Betfair Bar - {1D62BD48-16F6-4004-A54A-3C41E4955A87} - C:\Program Files\Betfair\BFTool_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.com/toolbar/setup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://82.118.120.66/cab/Live.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by spangles, 24 November 2006 - 10:58 AM.



#2 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:01:23 AM

Posted 24 November 2006 - 12:20 PM

Hello spangles and Welcome to BleepingComputer!

I am logreeval and will be helping you clean your computer. I am currently reviewing your log and will get back to you as soon as possible. :thumbsup:

logreeval

Are you infected? If you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days? Go ahead and send me a polite PM.



#3 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:01:23 AM

Posted 24 November 2006 - 01:30 PM

Hello Again Spangles!

Let us get started...

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after cleaning.

============================

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesear...esearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customse...msearch-en.html
O2 - BHO: CNNIC 繤Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll (file missing)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://82.118.120.66/cab/Live.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

CNNIC

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\CNNIC

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Program Files\Common Files\rundll32.exe

After that, Reboot.
==============================

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==============================

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

==============================

Please download A-squared Free from:
http://download3.emsisoft.com/a2freesetup.exe

1. Follow all the instructions given by the installer.
2. Once installed, the A-squared Updater will automatically start. Downloading updates will take some time.
3. Please then go to Start > Programs > A-squared and press "a-squared StartCenter".
4. Click "Scan your computer for malware infections".
5. Make sure all three setting options are ticked. Then press "Scan selected folders". The scan will then commence.
6. Click "Save HTML-Report". Save the report to somewhere convenient.
7. If malware is found, click the button "Remove Selected Malware".

==============================

In the event that you lose Internet access after removing CNNIC, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

==============================

In your next reply, you will have three logs to post:
1) A fresh HijackThis log
2) A-squared log
3) Uninstall list

logreeval

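As an added example (not logreeval's code or anything from the tools named in this thread), here is a small Python pass that encodes the rules behind the entries selected for fixing above and runs them over lines copied from the log in post #1. It goes a little beyond the fix list by also checking the Running processes block for Windows system binary names loading from outside the Windows directory; the allowlist of default search domains and the set of system binary names are assumptions.

```python
import re
from ipaddress import ip_address

# Lines copied from the HijackThis log posted earlier in this thread (a subset),
# mixed with benign entries from the same log so the rules have something to skip.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Alan\LOCALS~1\Temp\RarSFX3\csrss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesear...esearch-en.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://82.118.120.66/cab/Live.cab
"""

# Assumed set of Windows system binaries that legitimately load only from the
# Windows directory; a same-named file in Common Files or a Temp folder is a masquerade.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "lsass.exe", "services.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
# Hypothetical allowlist: hosts an untouched IE search setting may point at.
DEFAULT_SEARCH_DOMAINS = ("microsoft.com", "msn.com")

HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def executable_of(command):
    """Executable portion of an O4 command line: everything up to the first .exe."""
    cmd = command.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def is_masquerading_system_binary(path):
    """True when a system-binary name sits in a directory outside the Windows directory.
    A bare name with no directory is assumed to resolve from the system search path."""
    directory, _, name = path.lower().rpartition("\\")
    if name not in SYSTEM_BINARIES or not directory:
        return False
    return not (directory + "\\").startswith(WINDOWS_DIRS)


def is_raw_ip(host):
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (section, reason, line) for every log entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        host = HOST_RE.search(line)
        if DRIVE_PATH_RE.match(line):                 # "Running processes" block
            if is_masquerading_system_binary(line):
                findings.append(("process", "system binary name outside the Windows directory", line))
        elif section in ("R0", "R1"):                 # start/search page settings
            if host and not host.group(1).lower().endswith(DEFAULT_SEARCH_DOMAINS):
                findings.append((section, "search setting points at " + host.group(1), line))
        elif section in ("O2", "O3", "O9"):           # BHOs, toolbars, IE buttons
            if "(file missing)" in line:
                findings.append((section, "registered component whose file is gone", line))
        elif section == "O4":                         # autostart entries
            cmd = line.split("] ", 1)[1] if "] " in line else ""
            if is_masquerading_system_binary(executable_of(cmd)):
                findings.append((section, "autostart runs a system binary name from a non-system path", line))
        elif section == "O10":                        # Winsock LSP chain
            findings.append((section, "LSP chain references a missing DLL; removal can break networking", line))
        elif section == "O16":                        # ActiveX downloads (DPF)
            if host and is_raw_ip(host.group(1)):
                findings.append((section, "ActiveX control downloaded from a raw IP address", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The O10 rule is deliberately unconditional: a missing LSP DLL is exactly the case the LSPFix step above exists for, so it should always surface before anything is removed.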


#4 spangles

spangles
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:23 AM

Posted 25 November 2006 - 10:06 AM

Hi logreeval,
Thanks for the reply. I had forgotten to tick the email notification when replying and was patiently waiting for an email.
I've followed your instructions and pasted the logs below.
When in Add/Remove Programs there wasn't a program called 'CNNIC' although there was one called Chinese Navigation2.5.0.3. I clicked remove but it said 'error occurred while trying to remove Chinese Navigation2.5.0.3 it may have already been uninstalled. Would you like to remove Chinese etc from your Add/Remove program list' I clicked yes. Hope this is OK.
There weren't any folders called 'CNNIC' or 'rundll32.exe' in explorer.
I recognise the other programs in the Add/Remove list but the TVAnts program was, I believe, the one I was installing when the problems started and I won't be trying to view again!
The menu options in A-squared were a bit different to your instructions so I went for the deep scan option and have posted the log below.

Hijack this uninstall list:

Ad-Aware SE Personal

Adobe Download Manager 2.0 (Remove Only)

Adobe PhotoDeluxe Home Edition 4.0

Adobe Reader 7.0.8

Adobe Photoshop Album Starter Edition 3.0

AirPlus G

ANIO Service

ANIWZCS2 Service

Arb Cruncher Calculator

Audacity 1.2.3

auto-betfair beta v1.0.58

AVG Anti-Spyware 7.5

AVG Free Edition

Awasu Personal Edition 2.1

Betfair Ashes Scoreboard 1.0

Betfair Bar

Betfair Poker

Betfair Poker

Betfair Trader

BetsPortfolio v0.40

BetTrader PRO

BetTrader PRO

Broadcom Gigabit Integrated Controller

ChromawebMT

CoralPoker (remove only)

CorelDRAW 10

CorelDRAW 10

EPSON Printer Software

Exif Viewer Ver.1.1

FUJIFILM USB Driver

Google Desktop

Google Toolbar for Internet Explorer

HijackThis 1.99.1

iTunes

J2SE Runtime Environment 5.0 Update 1

J2SE Runtime Environment 5.0 Update 2

J2SE Runtime Environment 5.0 Update 4

J2SE Runtime Environment 5.0 Update 6

Kazoo Player

LiveReg (Symantec Corporation)

LiveUpdate 2.6 (Symantec Corporation)

Lotus SmartSuite Release 9

Macromedia Flash Player 8

Macromedia Shockwave Player

Microsoft .NET Framework 1.1

Microsoft Office FrontPage 2003

Microsoft Office Professional Edition 2003

Microsoft Office Publisher 2003

Microsoft SOAP Toolkit 3.0

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox (1.5)

MSN Messenger 7.0

Nokia Multimedia Player

NVIDIA Drivers

NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers

Pacific Poker

PPLive 1.0.9.4

QuickTime

RealPlayer

Realtek AC'97 Audio

Sage Instant Payroll

Sage Line 50

Sage Payroll

SHARP AL-1000 Series

Spybot - Search & Destroy 1.4

Synacast Plug-in 1.0.9.4

Totesport Casino

TRUST BT180 USB BLUETOOTH ADAP Software

Turbo Lister

Turbo Lister 2

TVAnts 1.0

TVUPlayer 2.2.0

USB Driver Vers. 3.2

Victor Chandler Poker

Windows Media Format Runtime

Windows Media Player 10

Windows XP Hotfix - KB823980

Windows XP Hotfix - KB828741

Windows XP Hotfix - KB833407

Windows XP Hotfix - KB833987

Windows XP Hotfix - KB835732

Windows XP Hotfix - KB840987

Windows XP Hotfix - KB841356

Windows XP Hotfix - KB841533

Windows XP Hotfix - KB842773

Windows XP Hotfix - KB867282

Windows XP Hotfix - KB871250

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB873376

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890047

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB891711

Windows XP Hotfix - KB891781

WinZip

A-squared report

a-squared Free - Version 2.1



Scan settings:



Objects: Memory, Traces, Cookies, C:\

Scan archives: On

Heuristics: On

ADS Scan: On



Scan start: 25/11/2006 13:47:06



C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ detected: Trace.Directory.Baidu Bar

c:\casino detected: Trace.Directory.CarnivalCasino

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\Զ尴ť.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\µ.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\ָ.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\б.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\޸.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\ϵͳ.url detected: Trace.File.Baidu Bar

C:\Documents and Settings\All Users\Start Menu\Programs\ٶȳѰ\˽.url detected: Trace.File.Baidu Bar

C:\WINDOWS\system32\bdguard.dat detected: Trace.File.Baidu Bar

C:\WINDOWS\system32\bdguards.dat detected: Trace.File.Baidu Bar

Value: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser --> {89FDCC4B-8D91-49B0-81A6-18BCFF582735} detected: Trace.Registry.Baidu Bar

Value: HKEY_CLASSES_ROOT\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32 --> ThreadingModel detected: Trace.Registry.CNNIC Update

Value: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword --> Contexts detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32 --> ThreadingModel detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common --> Mode detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common --> Version detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common --> VersionEx detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Display --> ver detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo --> InstallPath detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo --> KeywordBak detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo --> KwPid detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo --> Pid detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo --> UR detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct --> HoldMode detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct --> RebootReg detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct --> RedBurgee detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update --> FeedBack detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update --> LastUpdateTime detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update --> NextUpdateTime detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update --> RelayUpdate detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update --> UpdateByIE detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> CheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> DefaultValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> HKeyRoot detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> RegPath detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> Text detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> Type detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> UncheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND --> ValueName detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> CheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> DefaultValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> HKeyRoot detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> RegPath detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> Text detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> Type detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> UncheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY --> ValueName detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> CheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> DefaultValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> HKeyRoot detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> RegPath detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> Text detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> Type detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> UncheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT --> ValueName detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> CheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> DefaultValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> HKeyRoot detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> RegPath detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> Text detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> Type detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> UncheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN --> ValueName detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> CheckedValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> DefaultValue detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> HKeyRoot detected: Trace.Registry.CNNIC Update

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> RegPath detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> UncheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW --> ValueName detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> CheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> DefaultValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> HKeyRoot detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> RegPath detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> UncheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT --> ValueName detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> CheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> DefaultValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> HKeyRoot detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> RegPath detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> UncheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE --> ValueName detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> CheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> DefaultValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> HKeyRoot detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> RegPath detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> UncheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT --> ValueName detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> CheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> DefaultValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> HKeyRoot detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> RegPath detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> UncheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP --> ValueName detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE --> Bitmap detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT --> Bitmap detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT --> Type detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> ButtonText detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> CLSID detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> ClsidExtension detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> Default Visible detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> HotIcon detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> Icon detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> MenuStatusBar detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> MenuText detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run --> CdnCtr detected: Trace.Registry.CNNIC Update
C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe detected: Heuristic.Dialer

Scanned
Files: 151021
Traces: 84481
Cookies: 29
Processes: 42

Found
Files: 1
Traces: 121
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 25/11/2006 14:37:13
Scan time: 00:50:07


New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 14:40:27, on 25/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\TRUST\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Betfair Bar - {1D62BD48-16F6-4004-A54A-3C41E4955A87} - C:\Program Files\Betfair\BFTool_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.com/toolbar/setup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Regards,

spangles.
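The AVG Anti-Spyware listing above reports one trace per registry value, which is why a handful of keys shows up as 121 "traces". As an added example that is not part of this thread, of AVG or of HijackThis, the Python script below collapses such a listing into the distinct registry keys involved and splits them into keys that can be deleted whole and shared keys (such as ...\Run) where only the flagged value may go. The sample input is a few lines copied from the listing above; the whole-key versus single-value rule is an assumption of this example, not something AVG does.

```python
"""Collapse an AVG Anti-Spyware 7.5 trace listing into the registry keys
and values that actually need removing.

Added example, not code from the thread, AVG or HijackThis. SAMPLE_LOG is a
handful of lines copied from the scan listing posted above; the whole-key
versus single-value rule in removal_plan() is an assumption of this example.
"""
import re
from collections import defaultdict

# AVG reports every value under a flagged key as its own trace:
#   Value: <key> --> <value name> detected: <signature>
# File detections use a shorter form:
#   <path> detected: <signature>
TRACE_RE = re.compile(
    r"^Value:\s+(?P<key>HKEY_[A-Z_]+\\.+?)\s+-->\s+(?P<value>.+?)\s+detected:\s+(?P<sig>.+?)\s*$"
)
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+detected:\s+(?P<sig>.+?)\s*$")

SAMPLE_LOG = """\
Value: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\AdvancedOptions\\CDNCLIENT\\UPDATE\\POPUP --> CheckedValue detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\AdvancedOptions\\CDNCLIENT\\UPDATE\\POPUP --> ValueName detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\AdvancedOptions\\CDNCLIENT --> Text detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> ButtonText detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} --> CLSID detected: Trace.Registry.CNNIC Update
Value: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run --> CdnCtr detected: Trace.Registry.CNNIC Update
C:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe detected: Heuristic.Dialer
"""

# Shared autostart keys that legitimate software also uses: only the flagged
# value(s) may be deleted there, never the key itself.
SHARED_KEY_SUFFIXES = ("\\RUN", "\\RUNONCE")


def parse_traces(text):
    """Yield (kind, location, value_name, signature) for each detection line."""
    for line in text.splitlines():
        line = line.strip()
        m = TRACE_RE.match(line)
        if m:
            yield ("registry", m["key"], m["value"], m["sig"])
            continue
        m = FILE_RE.match(line)
        if m:
            yield ("file", m["path"], None, m["sig"])


def collapse_registry(text):
    """Return {key: (signature, [value names])}, one entry per registry key."""
    values = defaultdict(list)
    sigs = {}
    for kind, loc, name, sig in parse_traces(text):
        if kind == "registry":
            values[loc].append(name)
            sigs[loc] = sig
    return {k: (sigs[k], v) for k, v in values.items()}


def removal_plan(text):
    """Split collapsed keys into whole-key deletions and single-value deletions.

    Assumption: a key that is not a shared autostart location belongs to the
    unwanted program and can be removed entirely.
    """
    whole_keys, single_values = [], []
    for key, (_sig, names) in collapse_registry(text).items():
        if key.upper().endswith(SHARED_KEY_SUFFIXES):
            single_values.extend((key, n) for n in names)
        else:
            whole_keys.append(key)
    return whole_keys, single_values


def clsids_in(text):
    """CLSIDs mentioned in the listing, for cross-checking against the O2/O9
    entries of a HijackThis log."""
    return sorted(set(re.findall(r"\{[0-9A-Fa-f-]{36}\}", text)))


if __name__ == "__main__":
    traces = list(parse_traces(SAMPLE_LOG))
    keys, values = removal_plan(SAMPLE_LOG)
    print(f"{len(traces)} detections -> {len(keys)} keys + {len(values)} single values")
    for k in keys:
        print("  delete key:  ", k)
    for k, n in values:
        print("  delete value:", k, "->", n)
    print("CLSIDs to cross-check in HijackThis:", clsids_in(SAMPLE_LOG))
```

Run against the full listing above, the 121 traces collapse to the CDNCLIENT subtree under Internet Explorer\AdvancedOptions, the Extensions\{5C3853CF-...} key, and the single CdnCtr value under ...\CurrentVersion\Run; that CLSID is the same one HijackThis reports in its O2 and O9 lines.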

#5 spangles (Topic Starter)

Posted 26 November 2006 - 10:31 AM

Sorry for bumping this, I tried to add this information to my previous post but couldn't find the edit option.

After submitting these logs my PC worked fine for the rest of the day. However, I decided to try a reboot yesterday evening and it wouldn't restart. It went to a black screen saying "We apologize for the inconvenience, but Windows didn't start successfully. A recent hardware or software change might have caused this." The message went on and gave me choices of starting in various modes. Leaving it to start normally just caused it to keep rebooting itself without getting to the Windows log-in screen. Choosing Last Known Good Configuration led me to another screen, blue this time, with a long message saying "A problem has been detected and Windows has shut down to prevent damage to your computer. If this is the first time you have seen this screen, check you have adequate memory" etc. etc. The message ended with the slightly worrying line "Beginning dump of physical memory...", and I could hear the PC's fans start working overtime. I turned the PC off using the on/off switch.
I was able to start up in Safe Mode and Safe Mode with Networking, which were the other two options.
Anyway, this morning I turned on and it went straight into Windows normally. After a short while a message came up saying "This system has recovered from a serious error" etc.; there was a link for the error codes, which I have written down, and the option to send a report to Microsoft. I sent them the report and then got linked to a Microsoft page which said it didn't know what had caused the problem.
I rebooted again and again got the same message, so I sent the report to Microsoft, and this time I got a link saying my video card drivers may have caused the problem.
I've rebooted again and this time it just started normally with no messages.
Hope you can understand all this and make some sense of it!
Thanks,
spangles.

#6 logreeval (Petaluma, California)

Posted 26 November 2006 - 10:47 AM

If your computer is working fine now, try to do the following; if any more errors come up, tell me. It is all right to post on your log, the bumping rule only applies when you have not been helped.

Also, could you please not double-space the logs? It makes them harder to read, thanks :thumbsup:

Let's see what we can do here...

===================================

Now please download LSP-Fix from:
LSP-Fix
Disconnect from the Internet and close all Internet Explorer windows. Run the program and check the "I know what I'm doing" box. Place all listings of cdnns.dll into the Remove section by highlighting cdnns.dll and clicking on the button that points to the right. When all instances of this DLL are in the Remove section, press the Finish button.
Then reboot.
To see a tutorial on how to use this program, click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

===================================

Please download the Killbox by Option^Explicit.
  • Save it to your desktop.
  • DO NOT RUN IT YET!
I want you to fix some of those entries. Please do the following:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O11 - Options group: [CDNCLIENT] Chinese Navigation

Reboot your computer into Safe Mode

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
TVAnts 1.0
TVUPlayer 2.2.0
Pacific Poker
PPLive 1.0.9.4

NOW, Please open Killbox.exe
When it is open, copy C:\Program Files\CNNIC into the field labeled "Full path of file to delete".
Select the Delete on reboot option.
Then press the button that looks like a red circle with a white X in it.
Your computer will reboot and check to see if the file is gone.
If your computer does not restart automatically, please restart it manually.

========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name, there should be four of them.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
==========================================

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
============================================

So, in the next reply:
1)Fresh HijackThis log
2)F-Secure Log

logreeval

Edited by logreeval, 26 November 2006 - 10:51 AM.



#7 spangles (Topic Starter)

Posted 26 November 2006 - 01:58 PM

Phew! All done and logs are below. I had a couple of problems: the HijackThis log still shows some of the items you asked me to delete; I tried several times and closed down everything, but they're still there.
The F-Secure scan seemed to hang while cleaning and sending the report to F-Secure. I left it for about 30 mins and the progress bar didn't move (cleaning item 2) and I had no CPU usage. I closed it down and ran it again, and this time it only found 1 item (I think it found 5 on the first scan); on the second attempt I unticked the box 'send report to F-Secure' and it cleaned immediately.



Logfile of HijackThis v1.99.1
Scan saved at 18:45:31, on 26/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TRUST\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.betfair.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Betfair Bar - {1D62BD48-16F6-4004-A54A-3C41E4955A87} - C:\Program Files\Betfair\BFTool_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\wshbth.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.com/toolbar/setup.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




Scanning Report
Sunday, November 26, 2006 18:03:49 - 18:43:16
Computer name: AJ3
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 1 malware found
W32/Casino.BN (virus)
C:\WINDOWS\TOTESPORT CASINO SETUP.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 25264
System: 4634
Not scanned: 5
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{93EFBE1A-927D-4DB3-A739-53875796B5F2}.BIN
C:\DOCUMENTS AND SETTINGS\ALAN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAM
C:\DOCUMENTS AND SETTINGS\ALAN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\HP

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2006-11-24
F-Secure AVP: 7.0.171, 2006-11-24
F-Secure Orion: 1.2.37, 2006-11-24
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 2006-11-14
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------


Cheers,

spangles

#8 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:01:23 AM

Posted 27 November 2006 - 01:05 AM

Good Job Spangles!

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Next reply:
1)Fresh HijackThis Log
2)Combofix Log

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Posted Image


#9 spangles

spangles
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 27 November 2006 - 07:03 AM

Can't get any joy with this logreeval,
I ran it and got the small blue DOS box, entered y and return, it started scanning and said it may take up to 10 mins, after a few seconds some filenames scrolled down the screen in the blue box then the box disappeared leaving me on the desktop with no icons. I could hear the processor chugging away for about 20 seconds then all quiet. I left it for 15 mins but nothing else happened so I rebooted. I was very careful not to even move the mouse let alone click it!
I tried this 3 times with the same result, each time leaving it for over 15 mins.
I also notice on rebooting that when it gets to the desktop there appears on the screen a sort of outline of the bottom of a box in the middle of the screen several times just for a second or two, a bit like something is loading but not showing on my screen - this was also prior to loading combofix - but didn't used to happen.
I've put a HijackThis log below in case anything has changed!
Regards,

spangles


Logfile of HijackThis v1.99.1
Scan saved at 11:43, on 06-11-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\TRUST\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.betfair.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Betfair Bar - {1D62BD48-16F6-4004-A54A-3C41E4955A87} - C:\Program Files\Betfair\BFTool_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\wshbth.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.com/toolbar/setup.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#10 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:01:23 AM

Posted 29 November 2006 - 12:56 AM

Hey spangles

Let's try something different...

================================

Please Download LSPFix from:

LSP-Fix

Run the program and check immediately press the finish button.

Then Reboot.

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers

================================

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close ALL other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O11 - Options group: [CDNCLIENT] Chinese Navigation


When done, exit HijackThis.

===============================

Please download and save Blacklight to your C:\ (Important!!).
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Then go to Start > Run and copy and paste the next command in the field:

C:\blbeta.exe

This should open your blacklight.
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).


===============================

What I need:
1)Blacklight log
2)Fresh HijackThis log

logreeval



#11 spangles

spangles
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 29 November 2006 - 04:34 AM

Hi logreeval,
OK, done and logs below.
I didn't fully understand your first instruction 'Run the program and check immediately press the finish button' but I ran LSP fix and clicked finish, it removed 1 item which was something to do with bluetooth naming.
The link for blacklight didn't work but I found it on the F-secure site and ran it as instructed, it didn't find any hidden files and didn't give the option to clean, the txt file is below.
The HijackThis items are still there despite trying to fix; I get a message each time I run Fix saying something like it's trying to remove BHO items, ensure all other windows are closed - all my windows are closed!

Regards,

spangles.

11/29/06 09:14:08 [Info]: BlackLight Engine 1.0.47 initialized
11/29/06 09:14:08 [Info]: OS: 5.1 build 2600 (Service Pack 1)
11/29/06 09:14:08 [Note]: 7019 4
11/29/06 09:14:08 [Note]: 7005 0
11/29/06 09:14:33 [Note]: 7006 0
11/29/06 09:14:33 [Note]: 7011 2044
11/29/06 09:14:33 [Note]: 7026 0
11/29/06 09:14:33 [Note]: 7026 0
11/29/06 09:14:40 [Note]: FSRAW library version 1.7.1020
11/29/06 09:18:58 [Note]: 2000 1012
11/29/06 09:22:21 [Note]: 7007 0


Logfile of HijackThis v1.99.1
Scan saved at 09:23:43, on 29/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TRUST\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Betfair Bar - {1D62BD48-16F6-4004-A54A-3C41E4955A87} - C:\Program Files\Betfair\BFTool_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.com/toolbar/setup.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
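A triage pass over logs like the one above, as an added example for this page (a Python script written for it, not code from HijackThis, ComboFix, F-Secure or anyone in this thread). It parses HijackThis 1.99 lines and reports the patterns this thread turns on: O2/O9 COM registrations whose DLL is gone (the CNNIC "Chinese Navigation" entries that Fix Checked would not clear), a Run key launching from the same folder as such a missing file (cdnup.exe), the O10 broken Winsock LSP chain, O11 options groups, O16 ActiveX downloads from hosts outside an allow-list, AppInit_DLLs, and core Windows process names running outside System32. The sample log is constructed from lines in this thread plus one constructed process line, C:\WINDOWS\csrss.exe, mirroring the file ComboFix later deleted (it does not appear in spangles' process list); SYSTEM32_ONLY and EXPECTED_DPF_HOSTS are the example's own assumptions.

```python
"""Triage a HijackThis 1.99 log for the autostart abuse seen in this thread.

Added example for this page; not HijackThis, ComboFix or F-Secure code.
"""
import re

# Core Windows processes that, on XP, run only from %SystemRoot%\System32.
# Assumption for this example: the same name anywhere else is a masquerade.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# O16 (Downloaded Program Files / ActiveX) hosts accepted without a finding.
# Assumption: an analyst keeps this list; anything else is reported for review.
EXPECTED_DPF_HOSTS = ("microsoft.com", "f-secure.com")

_ENTRY = re.compile(r"^(O\d{1,2}|R\d) - (.*)$")
_QUOTED = re.compile(r'"([A-Za-z]:\\[^"]+)"')
_BARE = re.compile(r"""([A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|scr|cpl))(?=[\s,)'"]|$)""", re.I)
_URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)


def extract_path(text):
    """First Windows file path in an HJT line (quoted form wins), or None."""
    m = _QUOTED.search(text) or _BARE.search(text)
    return m.group(1) if m else None


def dir_key(path):
    r"""Last two folder names, lower-cased, so the 8.3 form (PROGRA~1\CNNIC\Cdn)
    and the long form (Program Files\CNNIC\Cdn) of one folder compare equal."""
    parts = path.lower().split("\\")
    return tuple(parts[-3:-1])


def expected_host(host):
    """True when host is one of EXPECTED_DPF_HOSTS or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DPF_HOSTS)


def triage(log_text):
    """Return [(finding, log line), ...] in log order, correlations last."""
    findings, missing_dirs, run_entries = [], set(), []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:                        # process list ends at the first blank line
            if not line:
                in_procs = False
                continue
            directory, _, name = line.rpartition("\\")
            if name.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
                findings.append(("core-process-outside-system32", line))
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        path = extract_path(body)
        if kind in ("O2", "O3", "O9") and "(file missing)" in body:
            # Registration survives although the DLL is gone: IE keeps trying to load it.
            findings.append(("dangling-com-registration", line))
            if path:
                missing_dirs.add(dir_key(path))
        elif kind == "O4" and path:
            run_entries.append((line, dir_key(path)))
        elif kind == "O10":                 # Winsock LSP chain references a missing DLL
            findings.append(("winsock-lsp-chain-broken", line))
        elif kind == "O11":                 # extra group under Internet Options > Advanced
            findings.append(("ie-advanced-options-group", line))
        elif kind == "O16":
            host = _URL_HOST.search(body)
            if host and not expected_host(host.group(1)):
                findings.append(("activex-download", line))
        elif kind == "O20":                 # loads into every process that maps user32.dll
            findings.append(("appinit-dll", line))
    # A Run key launching from the same folder as a vanished COM file is the
    # loader/updater half of the same package (CNNIC\Cdn in this thread).
    for line, key in run_entries:
        if key in missing_dirs:
            findings.append(("run-key-sibling-of-missing-file", line))
    return findings


# Constructed sample: lines taken from this thread's logs, plus a constructed
# C:\WINDOWS\csrss.exe process line (the file ComboFix later removed).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\wshbth.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

if __name__ == "__main__":
    for finding, line in triage(SAMPLE_LOG):
        print(f"{finding:34} {line}")
```

The folder correlation is what a fix list needs: the O2/O9/O11 entries are only registry residue once the DLL is gone, while the O4 CdnCtr entry is a live executable in the same CNNIC\Cdn folder and is the part that can reinstall the rest, so it belongs in the same fix. The AppInit_DLLs finding is informational here (Google Desktop), but that value is reported unconditionally because whatever it names is loaded into every GUI process.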

#12 logreeval

logreeval

  • Members
  • 351 posts
  • OFFLINE
  •  
  • Location:Petaluma, California
  • Local time:01:23 AM

Posted 30 November 2006 - 03:58 PM

Hello again spangles...

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.
  • Right click on gmer.exe and select rename, rename it to test.exe
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.
===================

1. Download this file - http://download.bleepingcomputer.com/sUBs/...aB/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

===================


Next reply:

1)Gmer Log
2)Combofix Log
3)Fresh HijackThis log

logreeval



#13 spangles

spangles
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 01 December 2006 - 06:31 AM

Hi logreeval,

I ran the GMER program and copied the result to WordPad ready to paste here, but then I ran ComboFix which, when it had finished scanning, rebooted my PC. So I lost the GMER log as WordPad was shut down!
I have copied the ComboFix log here and I have run GMER again but it has produced a much shorter log than it did the first time; I've pasted it below together with a new HijackThis log.

Regards,

spangles


ComboFix log:

Alan - 06-12-01 10:41:08.73 Service Pack 1
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Alan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\drivers\cdntran.sys
C:\WINDOWS\~tmp1418.exe
C:\WINDOWS\~tmp1573.exe
C:\WINDOWS\~tmp9392.exe
C:\WINDOWS\system32\cdnprot.dat
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\WINDOWS\system32\drivers\cdnprot.sys


((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))


2006-11-29 09:13 826,936 --a------ C:\blbeta.exe
2006-11-26 16:57 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-26 16:41 <DIR> d-------- C:\!KillBox
2006-11-25 22:55 <DIR> d-------- C:\WINDOWS\CSC
2006-11-25 22:43 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-25 13:44 <DIR> d-------- C:\Program Files\a-squared Free
2006-11-24 14:37 <DIR> d-------- C:\Program Files\HijackThis
2006-11-24 12:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-24 10:35 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-24 10:35 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-23 21:49 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\vlc
2006-11-23 20:20 134,144 --a------ C:\WINDOWS\reg123.exe
2006-11-23 20:17 237,329 --a------ C:\Program Files\107up.exe
2006-11-23 20:01 <DIR> d-------- C:\Program Files\TVAnts
2006-11-08 22:18 170,752 --a------ C:\WINDOWS\system32\drivers\jcdaadei.sys
2006-11-05 23:44 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2006-11-05 23:44 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-11-05 23:44 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2006-11-05 23:44 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2006-11-05 23:44 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2006-11-05 23:44 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2006-11-05 23:44 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2006-11-05 23:44 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2006-11-05 23:44 68,096 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2006-11-05 23:44 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2006-11-05 23:44 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2006-11-05 23:44 602,624 --a------ C:\WINDOWS\system32\dx7vb.dll
2006-11-05 23:44 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2006-11-05 23:44 57,856 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-11-05 23:44 53,248 --a------ C:\WINDOWS\system32\devenum.dll
2006-11-05 23:44 524,800 --a------ C:\WINDOWS\system32\qedit.dll
2006-11-05 23:44 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2006-11-05 23:44 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2006-11-05 23:44 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2006-11-05 23:44 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-11-05 23:44 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-05 23:44 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2006-11-05 23:44 382,976 --a------ C:\WINDOWS\system32\qdvd.dll
2006-11-05 23:44 377,856 --a------ C:\WINDOWS\system32\dpnet.dll
2006-11-05 23:44 363,520 --a------ C:\WINDOWS\system32\dsound.dll
2006-11-05 23:44 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2006-11-05 23:44 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2006-11-05 23:44 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2006-11-05 23:44 32,768 --a------ C:\WINDOWS\system32\dpnhpast.dll
2006-11-05 23:44 3,072 --a------ C:\WINDOWS\system32\dpnlobby.dll
2006-11-05 23:44 3,072 --a------ C:\WINDOWS\system32\dpnaddr.dll
2006-11-05 23:44 28,160 --a------ C:\WINDOWS\system32\dplaysvr.exe
2006-11-05 23:44 276,480 --a------ C:\WINDOWS\system32\qdv.dll
2006-11-05 23:44 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2006-11-05 23:44 265,728 --a------ C:\WINDOWS\system32\ddraw.dll
2006-11-05 23:44 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2006-11-05 23:44 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2006-11-05 23:44 22,016 --a------ C:\WINDOWS\system32\dpmodemx.dll
2006-11-05 23:44 203,264 --a------ C:\WINDOWS\system32\dpvoice.dll
2006-11-05 23:44 194,560 --a------ C:\WINDOWS\system32\mswebdvd.dll
2006-11-05 23:44 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2006-11-05 23:44 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2006-11-05 23:44 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2006-11-05 23:44 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2006-11-05 23:44 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2006-11-05 23:44 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2006-11-05 23:44 177,152 --a------ C:\WINDOWS\system32\qcap.dll
2006-11-05 23:44 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2006-11-05 23:44 16,896 --a------ C:\WINDOWS\system32\dpnsvr.exe
2006-11-05 23:44 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2006-11-05 23:44 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2006-11-05 23:44 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2006-11-05 23:44 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-11-05 23:44 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2006-11-05 23:44 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2006-11-05 23:44 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2006-11-05 23:44 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
2006-11-05 23:44 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2006-11-05 23:44 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2006-11-05 23:44 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2006-11-05 23:44 1,689,600 --a------ C:\WINDOWS\system32\d3d9.dll
2006-11-05 23:44 1,294,336 --a------ C:\WINDOWS\system32\dsound3d.dll
2006-11-05 23:44 1,246,208 --a------ C:\WINDOWS\system32\quartz.dll
2006-11-05 23:44 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2006-11-05 23:44 1,189,888 --a------ C:\WINDOWS\system32\dx8vb.dll
2006-11-05 23:44 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
2006-11-05 23:43 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2006-11-05 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-05 23:41 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Betfair


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-29 08:32 -------- d-------- C:\Program Files\Common Files
2006-11-26 16:58 -------- d-------- C:\Program Files\Java
2006-11-26 16:39 -------- d-------- C:\Program Files\PacificPoker
2006-11-24 12:40 -------- d-------- C:\Program Files\Grisoft
2006-11-24 10:39 -------- d-------- C:\Documents and Settings\Alan\Application Data\AVG7
2006-11-24 10:35 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-24 10:35 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-24 10:35 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-06 00:10 -------- d-------- C:\Program Files\CoralPoker
2006-11-06 00:05 -------- d-------- C:\Program Files\Victor Chandler Poker
2006-11-05 23:41 -------- d-------- C:\Program Files\Betfair
2006-10-30 16:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-30 16:17 -------- d-------- C:\Program Files\eBay
2006-10-11 12:50 -------- d-------- C:\Program Files\Sage Payroll
2006-09-11 18:26 17653 --a------ C:\WINDOWS\system32\apigrab.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Awasu]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Net-It Launcher"="C:\\WINDOWS\\System32\\NILaunch.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-01 10:52:51.21
C:\ComboFix.txt ... 06-12-01 10:52
C:\ComboFix2.txt ... 06-11-27 11:32
C:\ComboFix3.txt ... 06-11-27 11:21



GMER log:


GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-01 11:13:23
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- EOF - GMER 1.0.12 ----


HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 11:15:00, on 01/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\TRUST\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Betfair Bar - {1D62BD48-16F6-4004-A54A-3C41E4955A87} - C:\Program Files\Betfair\BFTool_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport.com/casino/totesportlauncher.cab
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.com/toolbar/setup.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Thanks

#14 logreeval

  • Members
  • 351 posts
  • OFFLINE
  • Location:Petaluma, California
  • Local time:01:23 AM

Posted 02 December 2006 - 09:22 PM

You are clean! Congratulations.

If you have any more problems, let me know.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

Are you infected? If you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days? Go ahead and send me a polite PM.


#15 spangles

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:23 AM

Posted 03 December 2006 - 04:26 PM

Many thanks logreeval,

I didn't even look at the HijackThis and see the offensive items had gone.
I've noted the items on your list and will be more careful in future!

Thanks for your help and patience - much appreciated.


spangles.



