
Hijack: Chinese Websites Are Popping Up Again And Again


This topic is locked
6 replies to this topic

#1 Cena

Cena

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 11 February 2007 - 11:01 PM

I need help.

I have been suffering from a hijack for more than 4 days.
I tried to get rid of the virus with SUPERAntiSpyware, AVG Anti-Virus, Spybot S&D, and Ad-Aware Professional.
Every time I scanned my computer, these programs found several viruses and successfully deleted them.
But the hijack never stops.

When I turn on my computer, IE starts automatically without my hitting any keys, and several Chinese websites (fangb.com.cn, bibipu.com, kzdh.com, 7322.com, etc.) pop up again and again.

The Hijack log is as follows.

-------------------------------------------------------------
"Owner" - 07-02-11 16:52:43 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Owner\デスクトップ"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\\WINDOWS\system32\drivers\ytink.sys)
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\drivers\msqmx.sys
C:\WINDOWS\system32\SVKP.sys
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\g3.exe
C:\WINDOWS\bar.exe


((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 16:09 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-02-11 10:11 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\SUPERAntiSpyware.com
2007-02-11 03:04 <DIR> d-------- C:\WINDOWS\WBEM
2007-02-11 03:04 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-02-11 02:51 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-02-11 02:46 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-02-11 00:47 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-10 23:00 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Lavasoft
2007-02-10 22:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-10 22:47 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\AVG7
2007-02-10 22:46 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-10 22:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-02-10 20:10 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-02-10 20:04 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2007-02-10 10:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-02-10 10:17 <DIR> d-------- C:\44ce1ffbb4c9b8eb2be3b83739
2007-02-09 23:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-09 23:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-09 22:52 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-02-09 01:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-02-09 00:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\スタート メニュー
2007-02-09 00:46 <DIR> d-------- C:\WINDOWS\Prefetch
2007-02-08 23:15 <DIR> d-------- C:\WINDOWS\provisioning
2007-02-08 23:15 <DIR> d-------- C:\WINDOWS\peernet
2007-02-07 21:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-22 20:34 <DIR> d-------- C:\.file_store_32
2007-01-22 20:28 <DIR> d---s---- C:\DOCUME~1\HAYATO\UserData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 16:34 -------- d-------- C:\Program Files\mozilla firefox
2007-02-11 10:09 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-10 20:22 -------- d-------- C:\Program Files\yahoo!
2007-02-10 20:10 629264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-02-10 20:10 108592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-02-10 20:09 74864 --a------ C:\WINDOWS\system32\vetredir.dll
2007-02-10 20:09 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-02-10 20:09 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-02-10 20:09 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-02-10 20:09 115824 --a------ C:\WINDOWS\unvet32.exe
2007-02-10 20:09 111728 --a------ C:\WINDOWS\avshlext.dll
2007-02-10 16:27 40862 --a------ C:\WINDOWS\system32\perfc011.dat
2007-02-10 16:27 152782 --a------ C:\WINDOWS\system32\perfh011.dat
2007-02-10 10:33 -------- d-------- C:\Program Files\messenger
2007-02-10 08:24 -------- d-------- C:\DOCUME~1\Owner\Application Data\microsoft
2007-02-08 23:15 -------- d-------- C:\Program Files\movie maker
2007-02-08 22:59 -------- d-------- C:\Program Files\windows nt
2007-02-08 00:02 44848 --a------ C:\DOCUME~1\Owner\Application Data\gdipfontcachev1.dat
2007-02-03 10:40 -------- d-------- C:\Program Files\real
2007-01-17 22:39 -------- d-------- C:\DOCUME~1\Owner\Application Data\canon
2007-01-12 00:26 -------- d-------- C:\Program Files\viewpoint
2006-12-13 02:18 -------- d-------- C:\Program Files\ipod
2006-12-13 01:12 -------- d-------- C:\Program Files\fgw9
2006-12-13 00:46 -------- d-------- C:\DOCUME~1\Owner\Application Data\apple computer
2006-12-13 00:45 -------- d-------- C:\Program Files\itunes
2006-12-13 00:42 -------- d-------- C:\Program Files\quicktime
2006-12-06 22:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"LTSMMSG"="LTSMMSG.exe"
"IndicatorUtility"="C:\\Program Files\\Fujitsu\\IndicatorUtility\\IndicatorUty.exe"
"LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Fujitsu Quick Touch\\QuickTouch.exe"
"LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"imjpmig"="C:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMJP\\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"adx.exe"="C:\\Program Files\\real\\adx.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}"=""
"{5D06580A-08EB-4DD0-8425-DDBB5198B30C}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ c:\fjuty\wallbtn\elook.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ c:\fjuty\wallbtn\fsa_menu.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source REG_SZ C:\WINDOWS\Web\index.html

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Tech



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 17:11:58



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 12 February 2007 - 05:27 AM

Welcome to Bleeping Computer Cena :thumbsup:

Reboot your PC and post a HijackThis log in your next reply, please.

#3 Cena

Cena
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 13 February 2007 - 03:51 AM

Here is the log.
I am still suffering from hijacking.

---------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:44, on 07-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\real\adx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Owner\デスクトップ\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOHelper Class - {67A90DD6-128D-43AB-B97C-565D2DD42A28} - C:\Program Files\real\atloader.dll (file missing)
O3 - Toolbar: MSN ?c?[???o?[ - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\ja\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [adx.exe] C:\Program Files\real\adx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Java ?R??\?[?? (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.adelphiapowerpage.com
O15 - Trusted Zone: http://80-www.ncbi.nlm.nih.gov.mlprox.csmc.edu
O15 - Trusted Zone: http://www.csmc.edu
O15 - Trusted Zone: http://www.invitrogen.com
O15 - Trusted Zone: http://www.microsoft.com
O15 - Trusted Zone: http://www.msn.co.jp
O15 - Trusted Zone: http://www.ncbi.nlm.nih.gov
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://www.yahoo.co.jp
O15 - Trusted Zone: http://www.yahoo.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {28874E39-4337-406C-B263-1ADFE2D2CF5F} (Yahoo!?t?H?g ?A?b?v???[?h?c?[?? Class) - http://photos.yahoo.co.jp/ocx/jp/yexplorer1_9jp.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs.chat.yahoo.co.jp/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/213ed927be0e970d6b06/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098332420376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170924605432
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {B947ABE6-0D16-48D6-819A-9BE79C4A16AA} - http://stick.goo.ne.jp/ver4.0/download/goostk.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_6us.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.co.jp/cab/yvwrctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Install Helper (Mercha2) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCKarte Client Tool Service (PCKarte) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
O23 - Service: PowerUtility Schedule (PUSCSRVC) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
O23 - Service: SBRLLA For FM Advisor (SBRLLA) - FUJITSU LIMITED - C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 13 February 2007 - 04:21 AM

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Then reboot.

*************************

Download DelDomains.zip and extract/unzip it to your desktop:
Now right-click on Deldomains.inf and select 'Install'.
(No need to restart your PC.)
It may appear that nothing happened during this process; that's normal.

*************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

****************************

Please download/install AVG Anti-Spyware 7.5.
Welcome Trailrider
Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: BHOHelper Class - {67A90DD6-128D-43AB-B97C-565D2DD42A28} - C:\Program Files\real\atloader.dll (file missing)
O4 - HKLM\..\Run: [adx.exe] C:\Program Files\real\adx.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/213ed927be0e970d6b06/...ip/RdxIE601.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\

Exit Hijackthis.

Find and delete if present:
C:\Program Files\real

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Antispyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now.
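The triage above is the kind of reasoning a helper applies line by line to a HijackThis log: a registration whose file is missing, a Winlogon Notify entry with no DLL name, an ActiveX download from a raw IP, a service with no publisher, and files sharing a folder with an orphaned entry. As an added example (not part of this thread and not HijackThis's own code), here is a small Python script that applies those rules; the rules are my own reading of the helper's choices, and the sample lines are copied from the log posted above plus two benign neighbours.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis v1.99.1 log posted in this
# thread (two benign neighbours included so the rules have something to skip).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: BHOHelper Class - {67A90DD6-128D-43AB-B97C-565D2DD42A28} - C:\Program Files\real\atloader.dll (file missing)
O4 - HKLM\..\Run: [adx.exe] C:\Program Files\real\adx.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/213ed927be0e970d6b06/...ip/RdxIE601.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows Install Helper (Mercha2) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
"""

# "<code> - <kind>: <body>" is the shape of every HijackThis entry line.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<body>.+)$")
MISSING = " (file missing)"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Directories the whole OS shares: an orphan in here says nothing about its neighbours.
SHARED_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Entry:
    code: str                 # O2, O4, O16, ...
    kind: str                 # BHO, DPF, Winlogon Notify, ...
    body: str                 # everything after "kind: "
    target: str               # file path or URL the entry loads
    missing: bool             # HijackThis appended "(file missing)"
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, kind, body = m.group("code", "kind", "body")
    if code == "O4":
        # O4 - HKLM\..\Run: [name] "C:\path\x.exe" -args  -> keep only the executable
        target = re.sub(r"^\[[^\]]*\]\s*", "", body)
        if target.startswith('"'):
            target = target[1:].split('"', 1)[0]
        else:
            target = re.split(r"\s+[/-]", target, maxsplit=1)[0]
    else:
        # For O2/O16/O20/O23 the loaded object is the last " - " separated field.
        target = body.rsplit(" - ", 1)[-1]
    missing = target.endswith(MISSING)
    if missing:
        target = target[: -len(MISSING)]
    return Entry(code, kind, body, target, missing)


def is_local_path(target: str) -> bool:
    return re.match(r"^[A-Za-z]:\\", target) is not None


def triage(log_text: str) -> List[Entry]:
    """Return the entries that deserve a second look, each with its reasons."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    # Pass 1: directories that hold an orphaned registration. A sibling file in
    # the same non-system directory (adx.exe next to the missing atloader.dll)
    # is most likely part of the same install.
    orphan_dirs = {
        ntpath.dirname(e.target).lower()
        for e in entries if e.missing and is_local_path(e.target)
    } - SHARED_DIRS
    # Pass 2: per-entry rules.
    for e in entries:
        if e.missing:
            e.reasons.append("file is gone but its registration remains; the "
                             "stale loading point itself is what to remove")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.reasons.append("service binary carries no publisher information")
        if e.code == "O20" and e.target.endswith("\\"):
            e.reasons.append("Winlogon Notify names a directory, not a DLL; "
                             "the DLL is hidden or unreadable")
        if e.code == "O16":
            host = urlparse(e.target).hostname or ""
            if IPV4_RE.match(host):
                e.reasons.append(f"ActiveX control fetched from a bare IP address ({host})")
        if (not e.missing and is_local_path(e.target)
                and ntpath.dirname(e.target).lower() in orphan_dirs):
            e.reasons.append(f"shares its directory with an orphaned entry ({ntpath.dirname(e.target)})")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.code} {hit.target}")
        for why in hit.reasons:
            print(f"    - {why}")
```

Run against the sample it flags exactly the four entries the helper had fixed plus the Mercha2 service, and leaves the Yahoo! BHO and the Intel igfxcui notify entry alone.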

#5 Cena

Cena
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 13 February 2007 - 04:35 PM

Now, IE is working well. No Chinese websites are popping up.
Thank you for your help. I really appreciate your great job.

AVG Antispyware report and a new Hijackthis log are as follows.

--------------------------------------------------------
AVG antispyware report
---------------------------------------------------------

+ Created at: 13:00 07-02-13

+ Scan result:



C:\System Volume Information\_restore{C7E0B949-63D8-4A49-9270-1D3703FE3491}\RP7\A0004739.dll -> Adware.Agent : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp\bar\BDBar_tmp\BaiduBar.dll -> Adware.BaiduBar : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp\bar\BaiduBar.dll -> Adware.BaiduBar : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\Update\client.dll -> Adware.BDSearch : Cleaned.
C:\System Volume Information\_restore{C7E0B949-63D8-4A49-9270-1D3703FE3491}\RP7\A0004732.exe -> Adware.Boran : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\cdnaux.dll -> Adware.Cdn : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\cdnforie.dll -> Adware.Cdn : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\cdnunins.exe -> Adware.Cdn : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\cdnup.exe -> Adware.CDN : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\Update\cdndet.dll -> Adware.Cdnup : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\Update\cdnrenew.exe -> Adware.Cdnup : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp\Cdn\Update\idnconv.dll -> Adware.Cdnup : Cleaned.
C:\WINDOWS\system32\drivers\ytink.sys -> Downloader.Agent.bbb : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NSUBUW59\stat[1].htm -> Downloader.AQM : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OLK5A7G1\stat[1].htm -> Downloader.AQM : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5WN07WR\stat[1].htm -> Downloader.AQM : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WD0J0V03\stat[1].htm -> Downloader.AQM : Cleaned.
C:\System Volume Information\_restore{C7E0B949-63D8-4A49-9270-1D3703FE3491}\RP1\A0000211.dll -> Downloader.QQHelper.ma : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp\Uninst.exe -> Dropper.BHO.av : Cleaned.
C:\Program Files\ODN Signup Software\JDSL\jdsl.exe -> Heuristic.Win32.Dialer : Cleaned.
C:\System Volume Information\_restore{C7E0B949-63D8-4A49-9270-1D3703FE3491}\RP1\A0000209.sys -> Hijacker.StartPage.amd : Cleaned.
C:\WINDOWS\system32\drivers\msqmx.sys -> Hijacker.StartPage.amd : Cleaned.
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.8:C:\Documents and Settings\HAYATO\Application Data\Mozilla\Firefox\Profiles\zailj3fn.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.14:C:\Documents and Settings\HAYATO\Application Data\Mozilla\Firefox\Profiles\zailj3fn.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.15:C:\Documents and Settings\HAYATO\Application Data\Mozilla\Firefox\Profiles\zailj3fn.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.16:C:\Documents and Settings\HAYATO\Application Data\Mozilla\Firefox\Profiles\zailj3fn.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.17:C:\Documents and Settings\HAYATO\Application Data\Mozilla\Firefox\Profiles\zailj3fn.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.18:C:\Documents and Settings\HAYATO\Application Data\Mozilla\Firefox\Profiles\zailj3fn.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2orx0vnt.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end
-----------------------------------------------

---------------------------------------------------------
new Hijackthis log
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 13:24, on 07-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\Documents and Settings\Owner\デスクトップ\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN ?c?[???o?[ - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\ja\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Java ?R??\?[?? (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {28874E39-4337-406C-B263-1ADFE2D2CF5F} (Yahoo!?t?H?g ?A?b?v???[?h?c?[?? Class) - http://photos.yahoo.co.jp/ocx/jp/yexplorer1_9jp.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs.chat.yahoo.co.jp/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098332420376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170924605432
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {B947ABE6-0D16-48D6-819A-9BE79C4A16AA} - http://stick.goo.ne.jp/ver4.0/download/goostk.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_6us.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.co.jp/cab/yvwrctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Install Helper (Mercha2) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCKarte Client Tool Service (PCKarte) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PCKARTE\PCKTESVC.EXE
O23 - Service: PowerUtility Schedule (PUSCSRVC) - FUJITSU LIMITED - C:\Program Files\Fujitsu\PowerUtility\schedule\PUSCSRVC.exe
O23 - Service: PowerUtility Remote Power Management Service (putlrsrv) - FUJITSU LIMITED - C:\PROGRA~1\Fujitsu\POWERU~1\remote\PUTLRSRV.exe
O23 - Service: SBRLLA For FM Advisor (SBRLLA) - FUJITSU LIMITED - C:\Program Files\Fujitsu\sa\api\SBRSVC.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--------------------------------------------------------------------------------
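The log above lists autostart hooks (O4 registry Run entries, O23 services and so on) one per line, which makes it easy to triage mechanically before reading it by hand. The following parser is an added example written for this page; it is not HijackThis code and not part of the original thread. The sample lines are copied from the log above, and the three review flags (binary reported as missing, no company name, bare filename resolved through the search path) are heuristics chosen here for illustration, not HijackThis's own classification.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a header line followed by lines copied from the
# HijackThis log in this thread (O4 Run entries, O23 services, and one O9
# line the parser deliberately leaves alone).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Install Helper (Mercha2) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
"""

MISSING = "(file missing)"

# "O23 - Service: ..." -> section code plus the rest of the line
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 registry Run entries: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: Service: display name - company - image path
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable-looking token of a command line, quoted or not
IMAGE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|sys|cpl))(?=["\s]|$)', re.IGNORECASE)


@dataclass
class Entry:
    section: str                 # HijackThis section code (O4, O23, ...)
    name: str                    # Run value name or service display name
    image: str                   # executable path as written in the log
    owner: str = ""              # company name (O23 only)
    flags: List[str] = field(default_factory=list)  # review notes; empty if nothing stood out


def image_path(command: str) -> str:
    """Return the executable part of a command line, dropping quotes and arguments."""
    m = IMAGE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def triage(entry: Entry, raw_body: str) -> Entry:
    """Attach the illustrative review flags (assumptions for this example, not HijackThis logic)."""
    if MISSING in raw_body:
        entry.flags.append("file missing")      # orphaned autostart, a typical cleanup leftover
    if entry.section == "O23" and entry.owner == "Unknown owner":
        entry.flags.append("unknown owner")     # no company name in the binary's version info
    if entry.section == "O4" and "\\" not in entry.image:
        entry.flags.append("bare filename")     # resolved through the search path at logon
    return entry


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry; lines from other sections yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        r = RUN_RE.match(body)
        if r:
            return triage(Entry(section, r.group("name"), image_path(r.group("cmd"))), body)
    elif section == "O23":
        s = SERVICE_RE.match(body)
        if s:
            return triage(Entry(section, s.group("name"), image_path(s.group("path")), s.group("owner")), body)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{e.section:4} {e.name:35} {e.image}  <- {', '.join(e.flags)}")
```

A flag means the entry deserves a second look, not that it is malicious: a bare filename such as LTSMMSG.exe is how some vendor utilities register themselves, while a service whose binary is missing and whose owner is unknown (the Mercha2 entry in the log above) is the kind of dead autostart a removal helper usually asks to have fixed so that nothing can later drop a file back at that path.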

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 13 February 2007 - 05:03 PM

Your log is clean, Cena :thumbsup:
If all's ok, please do the following:

Please reverse these settings back to default:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Turn off System Restore, then turn it back on again:
Help if needed:
http://www.pchell.com/virus/systemrestore.shtml

Create a new System Restore Point:
Help if needed:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the System Restore window, click the "Create a Restore Point" button, then click 'Next'.
In the window that appears, enter a description, then click on "Create", then "Close".
The date and time are created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

#7 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 February 2007 - 07:20 AM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic
