
Suffered From Serious Spyware And Need Help Please


45 replies to this topic

#1 simon_sum

simon_sum

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 25 February 2007 - 04:07 AM

Hi! My computer has a very serious problem caused by different spyware and unknown things. I have tried all the antivirus programs and have paid for anti-spyware, but it is still not working very well. The biggest problems now are 1) a frozen menu/start bar, and 2) sudden pop-ups of IE with different Chinese websites even though I have not opened any IE window. My HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 17:04:43, on 25/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\program files\internet explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system\WINSP00L.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\wbem\lsass.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\caissdt.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\VundoFix.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: 1b3d - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4b48ntos.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: tsve - {54BB7AEA-2131-4EFE-B54F-19278DB9E57A} - C:\PROGRA~1\COMMON~1\sybn\dcfr.dll
O2 - BHO: HelpIE Class - {5EF1DFF3-AF25-4000-A6ED-41668F83B82B} - C:\WINDOWS\system\C0MMDLG.DLL
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 1b3d - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4b48ntos.dll
O2 - BHO: IEHelp Class - {ED863792-FADB-4D21-8B20-409DA940B7A2} - C:\WINDOWS\system\PDFAid.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: 1b3d - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4b48ntos.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] "C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [dfsf] RUNDLL32.EXE C:\WINDOWS\system\Mvvp.dll,DImmcv
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [1MJPM1G9.l] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system\MSVIDE0.dll,Run
O4 - HKCU\..\Run: [UUpdate] C:\Program Files\UUSee\UUpdate.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Cardbus.lnk = C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/SKey/...ab/EWinSKey.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136266324798
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,25
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O20 - Winlogon Notify: mqtrupnp - C:\WINDOWS\system32\mqtrupnp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSec.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: 5936F02C - Unknown owner - C:\WINDOWS\system32\5936F02C.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe




I noticed that the 1b3d is a big problem since I have an unremovable toolbar in my IE. Please please help! Thanks!

And the save list from HijackThis:

5676ef2e
802.11b Wireless LAN PC Card
ACD PhotoStitcher
ACDSee 3.1 (SR-1)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0
Adobe Reader Chinese Simplified Fonts
Adobe Reader Chinese Traditional Fonts
Ahead Nero - Burning Rom
AVG Anti-Spyware 7.5
CA Anti-Virus
CleanUp!
Easy Video Capture 1.0
EasyCleaner
Gentad
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ICQ 5.1
Intel® PRO Ethernet Adapter and Software
InterVideo WinDVD
ISI ResearchSoft - Export Helper
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_01
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Logitech QuickCam
Macromedia Dreamweaver 4
Macromedia Extension Manager
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
MouseWare 9.42
Mozilla Firefox (1.5.0.10)
MS HKSCS-2001 Support
MSN
MSN Toolbar
My Way Speedbar (Outlook and Outlook Express)
Network Device Switch
Network Play System (Patching)
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
ParetoLogic Anti-Spyware
QuickTime
RealPlayer
Recover My Photos
Reference Manager 9
RegCure 1.0.0.43
RegistryFix v5.5
Rhapsody Player Engine
RIS Web Helper
Secure Game Player
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Shockwave
Snowy Scenes Screen Saver
SPSS 11.0 for Windows
Spybot - Search & Destroy 1.4
System Spyware Interrogator
TOSHIBA Console
Toshiba Hotkey Utility for Display Devices
TOSHIBA Mobile Extension3 for Windows XP V3.21.00.XP
TOSHIBA Power Saver
TOSHIBA Software Modem
TOSHIBA Utilities
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Verizon Online
Verizon Online Support Center
Vsn wvvh UnInstall
Weather Services
webwork
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
XoftSpySE
XviD MPEG-4 Video Codec
Yahoo! Messenger
YAMAHA AC-XG WDM
搜索?

thanks so much

Simon

Edited by simon_sum, 25 February 2007 - 04:19 AM.



#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:56 PM

Posted 25 February 2007 - 06:05 AM

Yikes! This really is a very nasty log, you are absolutely riddled with infections.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the HijackThis log you posted I can see you are infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords: for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

Please move HijackThis to another location, preferably C:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups, or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double-clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Click on Start, then Control Panel, and then double-click on Add/Remove Programs.
From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the entries:

J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_01
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
My Way Speedbar (Outlook and Outlook Express)
Vsn wvvh UnInstall
webwork

Also please uninstall the following if you do not know what they are, or didn't install them yourself.
I'm pretty sure that all three of them are unwanted entries, so unless you use them, uninstall them.

5676ef2e
Gentad
Secure Game Player


Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: 1b3d - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4b48ntos.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: tsve - {54BB7AEA-2131-4EFE-B54F-19278DB9E57A} - C:\PROGRA~1\COMMON~1\sybn\dcfr.dll
O2 - BHO: HelpIE Class - {5EF1DFF3-AF25-4000-A6ED-41668F83B82B} - C:\WINDOWS\system\C0MMDLG.DLL
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: 1b3d - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4b48ntos.dll
O2 - BHO: IEHelp Class - {ED863792-FADB-4D21-8B20-409DA940B7A2} - C:\WINDOWS\system\PDFAid.dll
O3 - Toolbar: 1b3d - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4b48ntos.dll
O4 - HKLM\..\Run: [dfsf] RUNDLL32.EXE C:\WINDOWS\system\Mvvp.dll,DImmcv
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O4 - HKCU\..\Run: [1MJPM1G9.l] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system\MSVIDE0.dll,Run
O4 - HKCU\..\Run: [UUpdate] C:\Program Files\UUSee\UUpdate.exe
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/SKey/...ab/EWinSKey.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O20 - Winlogon Notify: mqtrupnp - C:\WINDOWS\system32\mqtrupnp.dll (file missing)
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSec.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: 5936F02C - Unknown owner - C:\WINDOWS\system32\5936F02C.EXE (file missing)
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\PvSec.dll
C:\WINDOWS\system32\wzcdgwfs.dll
C:\WINDOWS\system32\4b48ntos.dll
C:\WINDOWS\system32\winsys16_070212.dll
C:\WINDOWS\system\C0MMDLG.DLL
C:\WINDOWS\system32\4023cfsb.dll
C:\WINDOWS\system\PDFAid.dll
C:\WINDOWS\system\Mvvp.dll
C:\WINDOWS\system\MSVIDE0.dll
C:\Program Files\UUSee\UUpdate.exe
C:\Program Files\Common Files\sybn\dcfr.dll
C:\WINDOWS\SYSTEM32\cryptimg.dll
C:\WINDOWS\system32\mqtrupnp.dll
C:\WINDOWS\webwork\webwork.dll
C:\WINDOWS\system32\5936F02C.EXE
C:\WINDOWS\system\WINSP00L.EXE
C:\WINDOWS\system\SVCH0ST.EXE


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now; click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

Please find and delete the following folders:

C:\WINDOWS\webwork
C:\Program Files\Common Files\sybn
C:\Program Files\UUSee

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back to normal mode now.

Open notepad and copy and paste the following text in the quote box into the window:

sc stop LANMANW0RKSTATI0N
sc stop MS_SVCH0ST
sc stop 5936F02C
sc delete LANMANW0RKSTATI0N
sc delete MS_SVCH0ST
sc delete 5936F02C

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot]
Double-click fix.bat and let the program run.
A small black DOS window will flash; this is normal.

Now run HijackThis again and post its log.
We'll go from there, but I have no doubt you have loads of infected files left on the PC.
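The reply above reads the log by eye: it picks out the services and DLLs whose names imitate Windows components with the digit 0 in place of the letter O (SVCH0ST, WINSP00L, W0RKSTATI0N, MSVIDE0, C0MMDLG), the AppInit_DLLs and Winlogon Notify entries, the "Unknown owner" services whose binaries are already missing, and the Run entry whose value is not a readable path. The script below is an added example, written for this thread and not part of HijackThis or of BleepingComputer's own tooling, that applies the same triage heuristics to lines from the log in the first post (the sample is constructed from those lines). The IMITATED_NAMES list, the "high"/"review" labels and the shift-by-one decoder for the obfuscated Run value are this example's assumptions; "review" means look the entry up, not delete it (the WgaLogon line, for instance, is a legitimate Microsoft component that is flagged only for review).

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O4 - HKCU\..\Run: [1MJPM1G9.l] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system\MSVIDE0.dll,Run
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Windows names that the entries in this thread imitate with a digit 0 in place of the letter O.
# Assumption of this example: hand-picked from the log above, not a complete catalogue.
IMITATED_NAMES = {"SVCHOST", "WINSPOOL", "WORKSTATION", "LANMANWORKSTATION",
                  "MICROSOFT", "MSVIDEO", "COMMDLG"}


@dataclass
class Finding:
    line: str
    severity: str   # "high" (act on it) or "review" (look it up first)
    reason: str


def homoglyph_tokens(text):
    """Tokens that contain a digit 0 and spell a known Windows name once 0 is read as O."""
    hits = [tok for tok in re.findall(r"[A-Za-z0-9_]+", text)
            if "0" in tok and tok.upper().replace("0", "O") in IMITATED_NAMES]
    return list(dict.fromkeys(hits))   # keep order, drop repeats


def decode_shifted_path(value, shift=1):
    """Undo a per-character code-point shift; return the result only if it looks like a drive path."""
    decoded = "".join(chr(ord(c) - shift) for c in value)
    return decoded if re.match(r"^[A-Za-z]:\\", decoded) else None


def triage_line(line):
    """Apply the heuristics to one HijackThis line; returns a (possibly empty) list of findings."""
    line = line.strip()
    if not line:
        return []
    findings = []
    section = line.split(" - ", 1)[0]   # "O4", "O20", "O23", ...
    hits = homoglyph_tokens(line)
    if hits:
        findings.append(Finding(line, "high", "system-name lookalike spelt with digit 0: " + ", ".join(hits)))
    if section == "O4":
        m = re.search(r"\[[^\]]*\] (.*)$", line)   # value after the [name] of the Run entry
        value = m.group(1) if m else ""
        if value and "\\" not in value and ":" not in value:
            decoded = decode_shifted_path(value)
            if decoded:
                findings.append(Finding(line, "high", "obfuscated Run value decodes to " + decoded))
    elif section == "O20":
        findings.append(Finding(line, "review", "DLL loaded via AppInit_DLLs or Winlogon Notify; verify the publisher"))
    elif section == "O23" and "Unknown owner" in line and "(file missing)" in line:
        findings.append(Finding(line, "review", "service with no vendor info whose binary is already gone"))
    return findings


def triage_log(text):
    return [f for line in text.splitlines() for f in triage_line(line)]


def summary(text):
    """Count findings by severity, which is what decides whether a full clean-up is warranted."""
    counts = {"high": 0, "review": 0}
    for f in triage_log(text):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summary(SAMPLE_LOG))
```

Run it on a saved log with `triage_log(open("hijackthis.log").read())`; the sample above yields four "high" and four "review" findings, and the unreadable Run value in the thread decodes to a path under C:\WINDOWS\temp.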

#3 simon_sum

simon_sum
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:56 AM

Posted 27 February 2007 - 03:12 AM

Hi! D-Trojanator,

Thanks very much for your reply and your help. I have tried my very best to follow each step and I have some problems in doing that, and I will list them one by one.

1) in add/remove program, I cannot remove the My Way Speedbar and it says "Error loading, the specific module could not be found"

2) For Vsn Unistall and webwork, it comes up some moster character and ask me to input something from the box to verfiy the uninstallment, since it did not form any readable word, I cannot type the things in correctly and thus cannot remove those annoying things.

3) I cannot find the file 5676ef2e

4) Gentad has the same moster character and I belive those things are actually related to chinese but not the real chinese words

5)when I use killbox, I copy and paste the clipboard to killbox, but only 11 files were copied.

6) and Yes for the killbox about the pendingfilerename operations registry data has been removed by external process

7) After all the process and reboot the computer, there are some problems: (pop up boxes)
i) Error loading c:\WINDOWS\system32\elrpzn48.dll
ii) Error loading c:\WINDOWS\system32\wbeh_d.dll
iii) Error loading c:\WINDOWS\system32\cn_cmt.dll

8) THe start/menu bar is freeze, so there is nothing when I click the start button or the menu bar

9) Internet explore comes up by itself and load pages


The following is the log file from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 15:57:24, on 27/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system\WINSP00L.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\ffudf.exe
C:\WINDOWS\system32\73A20428.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\windows\system32\wbem\lsass.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\caissdt.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\conime.exe
C:\HijackThis\hijackthis\HijackThis.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe

R3 - URLSearchHook: e4f0 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4dc0ntos.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {ad23e382-d375-460a-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: e4f0 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4dc0ntos.dll
O2 - BHO: (no name) - {f4c488d3-c273-43e7-8b0d-4e03f37a8dbf} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: e4f0 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4dc0ntos.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] "C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Cardbus.lnk = C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136266324798
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,25
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSec.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

Thanks so much, I am sure you are the doctor to cure my poor computer! Thanks so much and I hope to hear from you very soon again. I notice that the 1b3d thing has changed its name to e4f0, so annoying. Thanks

Simon
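As an added example (not code from the thread or from the helper), a Python triage script that reads the O23 and O4 lines from the log above and flags the two patterns the helper's fix.bat targets: service names that imitate Windows components with the digit 0 in place of the letter O, and a Run value obfuscated by shifting every character one code point up (that decoding is an editorial observation, not something the thread states). KNOWN_NAMES and the sample lines are constructed from the log; the sc lines it emits mirror the helper's batch.

```python
"""Triage of HijackThis O23/O4 lines (added example, not part of the thread).

Flags service names that imitate Windows components by swapping the letter O
for the digit 0 (LANMANW0RKSTATI0N, MS_SVCH0ST, WINSP00L.EXE), services whose
binary is missing, and Run values obfuscated by a per-character shift.
"""
import re
from typing import Dict, List, Optional

# Windows names the rogue entries in the log imitate (constructed list; extend as needed).
KNOWN_NAMES = {"WORKSTATION", "LANMANWORKSTATION", "SVCHOST", "WINSPOOL", "MICROSOFT"}

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<command>.+)$")
# A command that starts with a drive path, an environment variable or a bare .exe name.
PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\|[\w.-]+\.exe\b)', re.IGNORECASE)

# Lines copied from the HijackThis log in the post above (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()


def homoglyph_target(text: str) -> Optional[str]:
    """Return the legitimate name that `text` imitates, if replacing 0 with O yields one."""
    for token in re.split(r"[^A-Za-z0-9]+", text.upper()):
        if "0" in token and token.replace("0", "O") in KNOWN_NAMES:
            return token.replace("0", "O")
    return None


def unshift(text: str, shift: int = 1) -> str:
    """Undo a per-character code-point shift (the log's Run value is shifted by +1)."""
    return "".join(chr(ord(c) - shift) for c in text)


def decode_run_command(command: str) -> Optional[str]:
    """Return the decoded path when a Run command only looks like a path after unshifting."""
    if PATH_RE.match(command):
        return None
    decoded = unshift(command)
    return decoded if PATH_RE.match(decoded) else None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and return one finding per suspicious O23/O4 entry."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        svc = O23_RE.match(line)
        if svc:
            name = svc.group("name") or svc.group("display")
            reasons = []
            mimic = homoglyph_target(f"{svc.group('display')} {name} {svc.group('path')}")
            if mimic:
                reasons.append(f"name imitates {mimic} with digit 0 for letter O")
            if svc.group("path").endswith("(file missing)"):
                reasons.append("service binary missing on disk")
            if reasons:
                findings.append({"kind": "service", "name": name, "reason": "; ".join(reasons)})
            continue
        run = O4_RE.match(line)
        if run:
            decoded = decode_run_command(run.group("command"))
            if decoded:
                findings.append({"kind": "run", "name": run.group("value"),
                                 "reason": f"obfuscated command decodes to {decoded}"})
    return findings


def removal_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Build the sc stop/delete lines for flagged services, as in the helper's fix.bat."""
    names = [f["name"] for f in findings if f["kind"] == "service"]
    return [f"sc stop {n}" for n in names] + [f"sc delete {n}" for n in names]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['kind']:7} {finding['name']:20} {finding['reason']}")
    print("\n".join(removal_commands(triage(SAMPLE_LOG))))
```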

#4 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 27 February 2007 - 11:52 AM

Ok, let's start off again, by running a general scanner on this PC.

Please download, install, and update AVG antispyware
Load AVG antispyware and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful"), close AVG.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Open AVG again and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared. Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button.
AVG antispyware will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close AVG antispyware and reboot!!
Please post the log in your next reply.

#5 simon_sum
  • Topic Starter
  • Members
  • 24 posts

Posted 28 February 2007 - 09:45 PM

Hi D-Trojanator,

Thanks for your message again, and I have followed your procedures. The report is as follows. BTW, could you tell me if I can fix the problem of my freezing menu/Start bar in Windows? It is very inconvenient that this bar is not working. Thanks! And I hope to hear from you soon! Many thanks

Simon


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:31:20 1/3/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\nCASE -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wbem\~tmp00001.exe -> Adware.AdHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\~tmp00001.exe -> Adware.AdHelper : Cleaned with backup (quarantined).
C:\!KillBox\4b48ntos.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\!KillBox\4b48ntos.dll( 10) -> Adware.Agent : Cleaned with backup (quarantined).
C:\!KillBox\MSVIDE0.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\!KillBox\MSVIDE0.dll( 5) -> Adware.Agent : Cleaned with backup (quarantined).
C:\!KillBox\webwork.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\!KillBox\webwork.dll( 2) -> Adware.Agent : Cleaned with backup (quarantined).
C:\HijackThis\hijackthis\backups\backup-20070227-145702-467.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\HijackThis\hijackthis\backups\backup-20070227-161143-452.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347969.sys -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348720.sys -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348744.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\MS37.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\cml11.tmp -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\410ecfsb.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\43e7cfsb.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\49a9cfsb.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\4b48ntos.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\4c0dntos.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\4dc0ntos.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ast.sys -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system\MSVIDE0.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\IEHelper.dll_tobedeleted_old -> Adware.BHO : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\AIS_1161_0.EXE -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\feht\srud.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\feht\xwsl.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\vision\vision.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\vision\visver.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\!KillBox\dcfr.dll -> Adware.Borlander : Cleaned with backup (quarantined).
C:\!KillBox\dcfr.dll( 4) -> Adware.Borlander : Cleaned with backup (quarantined).
C:\HijackThis\hijackthis\backups\backup-20070227-145702-292.dll -> Adware.Borlander : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348707.dll -> Adware.Borlander : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348731.dll -> Adware.Borlander : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348732.dll -> Adware.Borlander : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\parcls.sys -> Adware.Caifu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347738.DLL -> Adware.Funweb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347803.exe -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-2018322775-919082819-4212676017-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-ABED-709549C10000} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347968.sys -> Adware.Hooya : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348719.sys -> Adware.Hooya : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347747.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\restore.dll -> Adware.NewWeb : Cleaned with backup (quarantined).
C:\!KillBox\PDFAid.dll -> Adware.PDFAid : Cleaned with backup (quarantined).
C:\!KillBox\PDFAid.dll( 6) -> Adware.PDFAid : Cleaned with backup (quarantined).
C:\HijackThis\hijackthis\backups\backup-20070227-145702-211.dll -> Adware.PDFAid : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MS602b.exe -> Adware.PDFAid : Cleaned with backup (quarantined).
C:\WINDOWS\system\PDFAid.dll -> Adware.PDFAid : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000} -> Adware.RegiFast : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347641.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347783.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348729.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347819.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347961.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347989.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347993.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348777.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348778.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348816.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348817.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\73A20428.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ffudf.exe -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
C:\!KillBox\WINSP00L.EXE -> Backdoor.Agent.alc : Cleaned with backup (quarantined).
C:\!KillBox\WINSP00L.EXE( 1) -> Backdoor.Agent.alc : Cleaned with backup (quarantined).
C:\WINDOWS\Fonts\MS60.ttf -> Backdoor.Agent.alc : Cleaned with backup (quarantined).
C:\WINDOWS\system\WINSP00L.EXE -> Backdoor.Agent.alc : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Administrator.dat -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348711.sys -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348713.exe -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\SYSTEM.dat -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cacheur.exe -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dczet.dll -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ffpbek.sys -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mctet.d11 -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mctet.dll -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\byzhlgd.dll -> Downloader.Agent.bgg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\byzhlgd.sys -> Downloader.Agent.bgg : Cleaned with backup (quarantined).
C:\!KillBox\PvSec.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\!KillBox\PvSec.dll( 11) -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\PvSec.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winsys32_070212.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
[1032] C:\WINDOWS\system32\winsys32_070212.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\HijackThis\hijackthis\backups\backup-20070227-145706-672.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\HijackThis\hijackthis\backups\backup-20070227-145705-129.dll -> Not-A-Virus.Downloader.Win32.PopCap.c : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\cn_cmt.sys -> Rootkit.Small : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.109:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.145:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.146:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.147:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.148:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.155:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.123:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.124:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.143:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.144:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.149:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.150:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.151:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.152:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.153:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.122:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.84:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.85:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04d15yqa.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP953\A0347823.SYS -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347938.SYS -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP957\A0347994.SYS -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348739.dll -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B717F432-329B-4DEB-A5AD-6C26C973BE5F}\RP964\A0348775.SYS -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\00004cc0.SYS -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cryptig.dll -> Trojan.Agent.afb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cn_cmt.dll -> Trojan.Agent.ahz : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UFTG7AWM\hosts[1].ini -> Trojan.Qhost.jy : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UFTG7AWM\hosts[2].ini -> Trojan.Qhost.jy : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UFTG7AWM\hosts[3].ini -> Trojan.Qhost.jy : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VB7QJFI2\hosts[1].ini -> Trojan.Qhost.jy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winttrs -> Trojan.Qhost.jy : Cleaned with backup (quarantined).


::Report end

#6 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 01 March 2007 - 11:33 AM

Hiya Simon,
I'm quite sure that the freezing is due to the horrible infections you have present on the computer itself.
I recommend we try and fix all the malware, hopefully the problem will be fixed.
I forgot to ask for a brand new Hijackthis log, so please post one when you can.

#7 simon_sum
  • Topic Starter
  • Members
  • 24 posts

Posted 01 March 2007 - 10:18 PM

Hi Trojanator,

Thanks! And the menu bar suddenly works today! Very weird! Anyway, I just need to let you know also that my CA antivirus cannot update itself now and says that there is a problem with the internet connection, but of course there is no such problem! Thanks!

Simon

Logfile of HijackThis v1.99.1
Scan saved at 11:14:58, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\73A20428.exe
C:\WINDOWS\system32\ffudf.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
c:\windows\system32\wbem\lsass.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\caissdt.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\HijackThis\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {ad23e382-d375-460a-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {f4c488d3-c273-43e7-8b0d-4e03f37a8dbf} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] "C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Cardbus.lnk = C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136266324798
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,25
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSec.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE (file missing)
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

#8 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 March 2007 - 11:50 AM

Hello there simon_sum,

As I expected, by running a scanner we have removed quite a lot of malware from the system; you should notice some things working now, such as the taskbar not freezing. I want to have a go at a manual fix now, then we will run some more scanners to pick up any leftovers.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please click on start > run > and copy and paste: sc delete LANMANW0RKSTATI0N
Hit enter and let the DOS window open and close. This is normal.

Please do the same for this command: sc delete MS_SVCH0ST

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: (no name) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {ad23e382-d375-460a-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {f4c488d3-c273-43e7-8b0d-4e03f37a8dbf} - (no file)
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSec.dll
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE (file missing)
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\winsys16_070212.dll
C:\WINDOWS\system32\4023cfsb.dll
C:\WINDOWS\SYSTEM32\wzcdgwfs.dll
C:\WINDOWS\SYSTEM32\cryptimg.dll
C:\WINDOWS\system32\PvSec.dll

Reboot back to normal mode now.

Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan, then click next.
You'll see a list of all items found.
Do not choose for rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Also post a new Hijackthis log.
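As an added example (not code from the thread, from HijackThis, or from the helper), here is a small Python triage pass that encodes what the fix list above was built from: the byte-shifted [sdafdsafds] Run value, the extra rundll32 payload on UserInit, the AppInit_DLLs hook, the BHO CLSIDs that all share one suffix, and service names spelled with digit look-alikes. The sample log is a constructed subset of the HijackThis log posted in this thread; KNOWN_NAMES, the reason tags and the "one-byte shift" decoding are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O20 - AppInit_DLLs: wzcdgwfs.dll
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE (file missing)
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Legitimate Windows component names that the fake services in this thread imitate
# with digit look-alikes (0 for O). Assumed list; extend as needed.
KNOWN_NAMES = {"WORKSTATION", "LANMANWORKSTATION", "SVCHOST", "WINSPOOL",
               "MICROSOFT", "WINLOGON", "LSASS", "CSRSS", "EXPLORER", "SERVICES"}

GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-([0-9a-f]{12})\}", re.I)
RUN_RE = re.compile(r"^O4 - HK[^:]+: \[[^\]]*\] (.*)$")
PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def decode_shifted(value: str) -> str:
    """Undo a uniform one-byte-down shift (assumed encoding of the [sdafdsafds]
    Run value: ';' -> ':', ']' -> '\\', 'fyf' -> 'exe')."""
    return "".join(chr(ord(c) - 1) for c in value)


def homoglyph_hits(line: str) -> set:
    """Tokens that turn into a known Windows name once 0->O and 1->I are undone."""
    hits = set()
    for tok in re.findall(r"[A-Za-z0-9_]+", line):
        norm = tok.upper().replace("0", "O").replace("1", "I")
        if norm != tok.upper() and norm in KNOWN_NAMES:
            hits.add(tok)
    return hits


def triage(log_text: str) -> list:
    """Return (line, reason) pairs for log lines a reviewer should look at."""
    lines = [ln for ln in log_text.strip().splitlines() if ln.strip()]
    # First pass: BHO CLSIDs sharing one 12-hex-digit suffix (the node field) look
    # generated from one template, like the ...8b0d-4e03f37a8dbf set in this log.
    suffixes = Counter()
    for ln in lines:
        if ln.startswith("O2 - BHO:"):
            m = GUID_RE.search(ln)
            if m:
                suffixes[m.group(1).lower()] += 1
    findings = []
    for ln in lines:
        if ln.startswith("F2 - ") and "UserInit=" in ln:
            # Anything after userinit.exe in the comma list runs at every logon.
            parts = [p.strip() for p in ln.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = parts[1:] if parts and parts[0].lower().endswith("userinit.exe") else parts
            if extra:
                findings.append((ln, "userinit-extra: " + ", ".join(extra)))
        elif ln.startswith("O2 - BHO:"):
            if ln.endswith("(no file)"):
                findings.append((ln, "bho-orphan"))
            m = GUID_RE.search(ln)
            if m and suffixes[m.group(1).lower()] >= 3:
                sfx = m.group(1).lower()
                findings.append((ln, f"bho-guid-cluster: {sfx} x{suffixes[sfx]}"))
        elif ln.startswith("O4 - "):
            m = RUN_RE.match(ln)
            if m:
                raw = m.group(1)
                decoded = decode_shifted(raw)
                # Flag only when the raw value is not a path but the decoded one is.
                if not PATH_RE.match(raw) and PATH_RE.match(decoded):
                    findings.append((ln, "run-shifted: " + decoded))
        elif ln.startswith("O20 - AppInit_DLLs:"):
            value = ln.split(":", 1)[1].strip()
            if value:  # a DLL loaded into every user32-linked process
                findings.append((ln, "appinit-dlls: " + value))
        elif ln.startswith("O23 - Service:"):
            hits = homoglyph_hits(ln)
            if hits:
                findings.append((ln, "homoglyph: " + ", ".join(sorted(hits))))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55s} <- {line[:70]}")
```

The Toshiba O23 entries with "(file missing)" are deliberately not flagged here; that text comes from the stray quote in their command line, not from a missing binary.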

#9 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 March 2007 - 03:45 PM

Also, please do the following.

Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.

#10 simon_sum
  • Topic Starter
  • Members
  • 24 posts

Posted 06 March 2007 - 01:32 AM

Hi Trojanator,

Thanks thanks!

Here is the Hijack startup list log:

StartupList report, 6/3/2007, 14:26:54
StartupList version: 1.52.2
Started from : C:\HijackThis\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\73A20428.exe
C:\WINDOWS\system32\ffudf.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\caissdt.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
c:\windows\system32\wbem\lsass.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WLAN Cardbus.lnk = C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Tpwrtray = TPWRTRAY.EXE
TMESRV.EXE = "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
TMESBS.EXE = "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
TMERzCtl.EXE = "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
TMEEJME.EXE = "C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE"
TFNF5 = TFNF5.exe
PHIME2002ASync = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
PHIME2002A = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
MSPY2002 = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
LVCOMS = "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
00THotkey = C:\WINDOWS\System32\00THotkey.exe
000StTHK = 000StTHK.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
cctray = "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
CAVRID = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
sdafdsafds = D;]XJOEPXT]ufnq]273/fyf
CaISSDT = "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
ParetoLogic Anti-Spyware = "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= wzcdgwfs.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssflwbox.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf}
(no name) - (no file) - {2b90035b-3c8e-4f11-8b0d-4e03f37a8dbf}
(no name) - (no file) - {3e135435-906a-4ba7-8b0d-4e03f37a8dbf}
(no name) - (no file) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5cbb9272-0bec-4d37-8b0d-4e03f37a8dbf}
(no name) - C:\WINDOWS\system32\4023cfsb.dll - {607904cc-60bd-4023-8b0d-4e03f37a8dbf}
(no name) - (no file) - {6832cebe-ca9d-46ae-8b0d-4e03f37a8dbf}
(no name) - C:\WINDOWS\system32\4023cfsb.dll - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF}
(no name) - (no file) - {7abf1a68-0002-4c5c-8b0d-4e03f37a8dbf}
(no name) - (no file) - {7e96ccd6-38db-4db8-8b0d-4e03f37a8dbf}
(no name) - (no file) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - c:\program files\google\googletoolbar5.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - (no file) - {ad23e382-d375-460a-8b0d-4e03f37a8dbf}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - C:\WINDOWS\system32\4ba6ntos.dll - {e8c4fd49-a7c7-4ba6-ae2b-1b294ae19f4f}
(no name) - (no file) - {f4c488d3-c273-43e7-8b0d-4e03f37a8dbf}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job
ParetoLogic Anti-Spyware.job
RegCure.job
XoftSpySE.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab

[{00000075-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/3/9...heckControl.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

[EPUImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1136266324798

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[{8A94C905-FF9D-43B6-8708-F0F22D22B1CB}]
CODEBASE = http://www.worldwinner.com/games/shared/wwlaunch.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7611.0837731482

[Webshots Photo Uploader]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSPHOT~1.OCX
CODEBASE = http://community.webshots.com/html/WSPhotoUploader.CAB

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[PreQualifier Class]
InProcServer32 = C:\Program Files\Common Files\Verizon Online\Motive\MotivePreQual.dll
CODEBASE = http://www.verizon.net/checkmypc/includes/MotivePreQual.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[SproutLauncherCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SproutWebLauncher.dll
CODEBASE = http://download.games.yahoo.com/games/web_...outLauncher.cab

[AxRUploadControl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxRUploadServer.dll
CODEBASE = http://www.imagestation.com/common/classes....cab?v=1,0,0,25

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\VetRedir.dll
Protocol #2: C:\WINDOWS\system32\VetRedir.dll
Protocol #3: C:\WINDOWS\system32\VetRedir.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\rsvpsp.dll
Protocol #8: C:\WINDOWS\system32\rsvpsp.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\VetRedir.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

00004cc0: system32\drivers\00004cc0.SYS (system)
9D098E82: C:\WINDOWS\system32\9D098E82.EXE -service (autostart)
Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Manager: C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINDOWS\SYSTEM32\WBEM\KCRKV.DLL,Export 1087 (autostart)
byzhlgd: system32\drivers\byzhlgd.sys (system)
CAISafe: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CdaD10BA: \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
cn_cmt: system32\drivers\cn_cmt.sys (system)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Realtek EAPPkt Protocol: System32\DRIVERS\EAPPkt.sys (autostart)
ecyjtsg: system32\drivers\ecyjtsg.sys (system)
elrpzn48: System32\DRIVERS\elrpzn48.sys (system)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
ffpbek: \??\C:\WINDOWS\system32\drivers\ffpbek.sys (autostart)
FltMgr: system32\drivers\fltmgr.sys (system)
fsb: \??\C:\WINDOWS\system32\drivers\fsb.sys (autostart)
FsVga: System32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Gentad: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
hidproc: \??\C:\WINDOWS\system32\drivers\hidproc.sys (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i82440bx: \??\C:\WINDOWS\system32\drivers\i82440bx.sys (disabled)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
System Administrator: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
jsefusf: C:\WINDOWS\system32\jsefusf.exe -service (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042Pr2.sys (manual start)
lanfs: \??\C:\WINDOWS\system32\drivers\lanfs.sys (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
W0RKSTATI0N: C:\WINDOWS\system\WINSP00L.EXE (autostart)
lflclc: \SystemRoot\System32\drivers\lflclc.sys (system)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.sys (manual start)
Logitech USB Receiver device driver: system32\drivers\LHidUsb.Sys (manual start)
Logitech Keyboard Class Filter Driver: System32\DRIVERS\LKbdFlt2.sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.sys (manual start)
Logitech USB Microphone: system32\drivers\lvsound2.sys (system)
Messenger: %SystemRoot%\System32\svchost -k DcomLaunch (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft IR Communications Driver: System32\DRIVERS\MSIRCOMM.sys (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
MICR0SOFT SVCH0ST: C:\WINDOWS\system\SVCH0ST.EXE (autostart)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Std nmpy Service: C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\feht\srud.dll,Service -s (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WindowsNt Workstation: %SystemRoot%\System32\svchost.exe -k NTWorkStan (autostart)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
parcls: \??\C:\WINDOWS\system32\drivers\parcls.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Logitech QuickCam Web(PID_0850): System32\DRIVERS\LVCE.sys (manual start)
qhetvi17: System32\DRIVERS\qhetvi17.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Remote Access Connection Management: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
romman: \??\C:\WINDOWS\system32\drivers\romman.sys (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
802.11b Wireless LAN PC Card: System32\DRIVERS\RTL8180.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SMC IrCC Miniport Device Driver: System32\DRIVERS\smcirda.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sqlserver support for winnt: %SystemRoot%\System32\svchost.exe -k sqlservech (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{070B4A55-E247-4538-949F-5EB0B461FBD2} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
SysEnforce: C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (autostart)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
TMEI3E: System32\Drivers\TMEI3E.SYS (system)
Tmesbs32: "C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (autostart)
Tmesrv3: "C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (autostart)
TOSHIBA Software Modem: System32\DRIVERS\LTSM.sys (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Toshiba ACPI-Based Value Added Logical Device Driver: System32\DRIVERS\TVALD.SYS (system)
Toshiba Value Added Logical and General Purpose Device Driver: System32\DRIVERS\TVALG.SYS (system)
Network System: C:\Program Files\Common Files\COMM\Network.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
vcharp: \??\C:\WINDOWS\system32\drivers\vcharp.sys (autostart)
VET Message Service: C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
wbeh_d: system32\drivers\wbeh_d.sys (system)
Microsoft WDM Virtual Wave Driver (WDM): system32\drivers\wdmaud.sys (system)
YAMAHA AC-XG Audio Device: system32\drivers\yacxg.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless LAN PC Card Driver: System32\DRIVERS\wlluc48.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
WindowsNt Network Engine: %SystemRoot%\System32\svchost.exe -k wnttech (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
wspipe: \??\C:\WINDOWS\system32\drivers\wspipe.sys (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Vsn wvvh Service: C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\COMMON~1\sybn\gfiu.dll,Service (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
WebSecurity: C:\WINDOWS\system32\PvSec.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 44,551 bytes
Report generated in 0.371 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


And then the BlackLight log:

03/06/07 05:28:44 [Info]: BlackLight Engine 1.0.55 initialized
03/06/07 05:28:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/06/07 05:28:46 [Note]: 7019 4
03/06/07 05:28:46 [Note]: 7005 0
03/06/07 05:28:46 [Error]: 6027 5
03/06/07 05:28:47 [Error]: 6002 0
03/06/07 05:28:49 [Note]: 7006 0
03/06/07 05:28:49 [Note]: 7011 1452
03/06/07 05:28:49 [Note]: 8001 2
03/06/07 05:28:59 [Note]: FSRAW library version 1.7.1021
03/06/07 05:58:01 [Note]: 2000 1012
03/06/07 05:58:01 [Note]: 2000 1012
03/06/07 05:58:01 [Note]: 2000 1012
03/06/07 11:11:29 [Note]: 7007 0


I think there is some problem in running BlackLight. Besides, I still have unlimited pop-up IEs, and Windows Defender cannot eliminate something called Caifu.

The 1b3d toolbar has changed its name again, so annoying! Thanks, and I hope you can help! Thanks

Simon
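
The logs above already contain the indicators a responder would look for first: a non-empty AppInit_DLLs value, services whose display names and executables spell Windows names with zeros for o's (W0RKSTATI0N, SVCH0ST.EXE, WINSP00L.EXE), a "Print Manager" service that is really a DLL loader pointing at KCRKV.DLL, executables named with eight hex digits, a cluster of BHO CLSIDs that all share the same tail, and (in the HijackThis log further down) an lsass.exe running from system32\wbem and an extra command chained into the Winlogon UserInit value. The script below is an added example, not part of this thread and not code from HijackThis, StartupList or BlackLight. It reads the StartupList and HijackThis line formats as they appear in the posted logs and prints which lines deserve attention and why. The sample input is a handful of lines copied verbatim from Simon's logs; the regexes, the folder allow-list (which assumes a default C:\WINDOWS install), the "three or more CLSIDs share a tail" threshold, and all function and reason names are this example's own assumptions.

```python
"""Triage heuristics for the StartupList / HijackThis line formats posted above.
Added example (not from the thread, HijackThis or StartupList); the folder list, regexes,
thresholds and reason strings are assumptions. A hit means "check this", not "malicious"."""
import re
from collections import Counter

# Binaries malware likes to impersonate, and where they legitimately live
# (assumes a default C:\WINDOWS install).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Names the 0-for-o / 1-for-l trick (SVCH0ST, W0RKSTATI0N) is checked against.
LOOKALIKE_TARGETS = SYSTEM_NAMES | {"workstation", "winspool.exe", "microsoft svchost"}

SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \((system|autostart|manual start|disabled)\)$")
SL_BHO_RE = re.compile(r"^\(no name\) - (?P<path>.+) - \{(?P<guid>[0-9a-f-]{36})\}$", re.I)
HJT_BHO_RE = re.compile(r"^O2 - BHO: .+? - \{(?P<guid>[0-9a-f-]{36})\} - (?P<path>.+)$", re.I)
APPINIT_RE = re.compile(r"AppInit_DLLs=\s*(.*)$", re.I)
USERINIT_RE = re.compile(r"UserInit=(.+)$", re.I)
PROCESS_RE = re.compile(r"^[a-z]:\\[^:]+\.(exe|scr)$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.(exe|sys|dll)$")

def split_path(path):
    """(folder, file), lower-cased, with the \\??\\ and %SystemRoot% spellings undone."""
    p = path.strip().strip('"').lower().replace("%systemroot%", r"c:\windows")
    p = p[4:] if p.startswith("\\??\\") else p
    folder, _, base = p.rpartition("\\")
    return folder, base

def first_token(cmd):
    """Executable part of a service command line, honouring a quoted path."""
    cmd = cmd.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    return cmd[1:end] if end > 0 else cmd.split(" ", 1)[0]

def homoglyph(name):
    """True when undoing 0->o and 1->l turns `name` into a well-known name."""
    fixed = name.lower().replace("0", "o").replace("1", "l")
    return fixed != name.lower() and fixed in LOOKALIKE_TARGETS

def check_executable(path):
    """Yield reasons an executable path deserves a second look."""
    folder, base = split_path(path)
    if homoglyph(base):
        yield "lookalike of a Windows binary (0/1 swapped for o/l)"
    if base in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        yield "Windows system binary name outside its normal folder"
    if HEX_NAME_RE.match(base):
        yield "random-looking 8-hex-digit filename (verify the publisher)"
    if base.startswith("rundll"):
        yield "DLL loader used as the executable; inspect the DLL it loads"

def triage(lines):
    """Return (line, reason) pairs for the entries a responder should check first."""
    findings, bhos = [], []
    for line in (l.strip() for l in lines if l.strip()):
        if m := APPINIT_RE.search(line):
            if m.group(1).strip():
                findings.append((line, "AppInit_DLLs set: loaded into every process that maps user32.dll"))
        elif m := USERINIT_RE.search(line):
            if any(e.strip() and split_path(first_token(e))[1] != "userinit.exe"
                   for e in m.group(1).split(",")):
                findings.append((line, "extra program chained into the Winlogon UserInit value"))
        elif m := (SL_BHO_RE.match(line) or HJT_BHO_RE.match(line)):
            bhos.append((line, m.group("path").strip(), m.group("guid").lower()))
        elif m := SERVICE_RE.match(line):
            if homoglyph(m.group("name")):
                findings.append((line, "service display name is a lookalike of a Windows service"))
            findings += [(line, r) for r in check_executable(first_token(m.group("cmd")))]
        elif PROCESS_RE.match(line):
            findings += [(line, r) for r in check_executable(line)]
    # CLSIDs minted by one generator tend to share a tail; a vendor's CLSID is unique.
    tails = Counter(guid[-17:] for _, _, guid in bhos)
    for line, path, guid in bhos:
        if tails[guid[-17:]] >= 3:
            findings.append((line, f"BHO CLSID tail shared by {tails[guid[-17:]]} entries: generated family"))
        if path.lower() == "(no file)":
            findings.append((line, "orphaned BHO registration; remove the CLSID"))
        elif split_path(path)[0] == r"c:\windows\system32":
            findings.append((line, "BHO DLL dropped straight into system32 instead of a vendor folder"))
    return findings

# Constructed input: lines copied verbatim from the logs posted in this thread.
SAMPLE_LOG = r"""
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= wzcdgwfs.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
(no name) - C:\WINDOWS\system32\4023cfsb.dll - {607904cc-60bd-4023-8b0d-4e03f37a8dbf}
(no name) - (no file) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf}
O2 - BHO: (no name) - {2b90035b-3c8e-4f11-8b0d-4e03f37a8dbf} - (no file)
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
9D098E82: C:\WINDOWS\system32\9D098E82.EXE -service (autostart)
Print Manager: C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINDOWS\SYSTEM32\WBEM\KCRKV.DLL,Export 1087 (autostart)
W0RKSTATI0N: C:\WINDOWS\system\WINSP00L.EXE (autostart)
MICR0SOFT SVCH0ST: C:\WINDOWS\system\SVCH0ST.EXE (autostart)
c:\windows\system32\wbem\lsass.exe
""".splitlines()

def sample_findings():
    return triage(SAMPLE_LOG)
```

Feed it the whole pasted report (for example `triage(open("startuplist.txt").read().splitlines())`) and every line the posted logs already give away comes out with a reason, while entries such as the Acrobat BHO or svchost.exe under System32 stay quiet. Treat each hit as a place to verify a digital signature or look up the publisher, not as a verdict: the 8-hex-digit rule also trips on e100b325.sys, which in this same log is Intel's network driver.
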

#11 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 March 2007 - 09:48 AM

Can I have a new HijackThis log, please?

#12 simon_sum

  • Topic Starter
  • Members
  • 24 posts

Posted 07 March 2007 - 08:17 PM

Hi, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:27, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\73A20428.exe
C:\WINDOWS\system32\ffudf.exe
C:\WINDOWS\System32\svchost.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\windows\system32\wbem\lsass.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\caissdt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HijackThis\hijackthis\HijackThis.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Installation.exe

R3 - URLSearchHook: 3a4e - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4c06ntos.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07c88174-3a4e-4c06-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4c06ntos.dll
O2 - BHO: (no name) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
O2 - BHO: (no name) - {2b90035b-3c8e-4f11-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {3e135435-906a-4ba7-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5cbb9272-0bec-4d37-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: (no name) - {6832cebe-ca9d-46ae-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll
O2 - BHO: (no name) - {7abf1a68-0002-4c5c-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {7e96ccd6-38db-4db8-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {8146aeae-c1e0-4c7d-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {ad23e382-d375-460a-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {e658350c-fe8a-4364-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {f4c488d3-c273-43e7-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {fd430675-3741-4ea6-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {ff69e855-aff3-4983-8b0d-4e03f37a8dbf} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: 3a4e - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4c06ntos.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE" /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] "C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sdafdsafds] D;]XJOEPXT]ufnq]273/fyf
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Cardbus.lnk = C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136266324798
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,25
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: wzcdgwfs.dll
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptimg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSec.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE (file missing)
O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Network System (Universal Disk Manager) - Unknown owner - C:\Program Files\Common Files\COMM\Network.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

Thanks!

Simon
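As an added illustration (not part of Simon's post, and not something HijackThis does itself), a small Python triage pass over a few of the lines in the log above: it flags service names and binaries that spell a genuine Windows name with the digit 0 in place of the letter O (W0RKSTATI0N, SVCH0ST.EXE, WINSP00L.EXE), and DLLs or hook names built from a block of a CLSID that appears in the same log (4c06ntos.dll, 4023cfsb.dll, the "3a4e" URLSearchHook). The allowlist of genuine names is the reviewer's own assumption.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, plus three
# legitimate entries (Adobe, MSN, NVIDIA) that the checks should leave alone.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: 3a4e - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4c06ntos.dll",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {07c88174-3a4e-4c06-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4c06ntos.dll",
    r"O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll",
    r"O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll",
    r"O23 - Service: W0RKSTATI0N (LANMANW0RKSTATI0N) - Unknown owner - C:\WINDOWS\system\WINSP00L.EXE (file missing)",
    r"O23 - Service: MICR0SOFT SVCH0ST (MS_SVCH0ST) - Unknown owner - C:\WINDOWS\system\SVCH0ST.EXE (file missing)",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

# Reviewer's allowlist (an assumption, not something HijackThis ships): genuine Windows
# names that a look-alike service or binary name in this log is imitating.
LEGIT_NAMES = {"WORKSTATION", "LANMANWORKSTATION", "MICROSOFT SVCHOST",
               "SVCHOST", "SVCHOST.EXE", "WINSPOOL.EXE"}

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
HEX4_RE = re.compile(r"^[0-9a-f]{4}$")
SERVICE_RE = re.compile(r"^(.*?)(?: \(([^()]+)\))?$")  # "Display name (ShortName)"


def imitated_name(name):
    """Genuine name that `name` imitates by writing the digit 0 for the letter O, else None."""
    upper = name.upper()
    fixed = upper.replace("0", "O")
    return fixed if fixed != upper and fixed in LEGIT_NAMES else None


def guid_hex_groups(lines):
    """Every 4-hex-digit block (2nd to 4th) of every CLSID anywhere in the log."""
    groups = set()
    for line in lines:
        for guid in GUID_RE.findall(line):
            groups.update(guid.lower().split("-")[1:4])
    return groups


def file_name(path):
    """Last path component, with HijackThis's '(file missing)' marker stripped."""
    return path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]


def triage(lines):
    """Return (check, evidence, detail) tuples for the suspicious entries in `lines`."""
    findings, hex_groups = [], guid_hex_groups(lines)
    for line in lines:
        parts = line.split(" - ")
        if len(parts) < 3 or ": " not in parts[1]:
            continue
        label, fname = parts[1].split(": ", 1)[1], file_name(parts[-1])
        # A hook or toolbar named with a bare CLSID block ("3a4e") is generated, not a product name.
        if HEX4_RE.match(label.lower()) and label.lower() in hex_groups:
            findings.append(("bare-hex-name", label, parts[0]))
        # A DLL whose stem starts with a CLSID block seen in the log (4c06ntos.dll, 4023cfsb.dll).
        stem = fname.rsplit(".", 1)[0].lower()
        if stem[:4] in hex_groups:
            findings.append(("guid-named-dll", fname, stem[:4]))
        # Display name, short name and binary of each entry checked for 0-for-O look-alikes.
        m = SERVICE_RE.match(label)
        for candidate in (m.group(1), m.group(2) or "", fname):
            legit = imitated_name(candidate)
            if legit:
                findings.append(("homoglyph", candidate, legit))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```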

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 08 March 2007 - 12:14 PM

Hiya Simon.

It's time to pull out the big tools now; your system is absolutely filled with rootkits, hidden drivers, and other processes that are stopping the fix, so I want to try and unload the drivers, then delete the related files/folders on a reboot. I want you to do these steps very, very carefully, as there is no room for error. I never bring out this tool unless I feel it is really needed, and if used incorrectly it can cause a lot of damage; I have a feeling you have maybe missed a few of my steps in the past, so I need you to make sure everything is done perfectly. The first thing I want you to do is to get rid of ParetoLogic Anti-Spyware completely from your computer; you can uninstall it through Add/Remove Programs. If you paid for it, then keep it, but I don't really recommend the program at all.

Also disable Windows Defender, because it may interfere as well.
To turn real-time protection off:
  • Open Windows Defender (click Start, click Programs, and then click Windows Defender).
  • Click Tools, and then click General Settings.
  • Under Real-time protection options, uncheck the "Turn on real-time protection (recommended)" check box.
  • Then click Save.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
00004cc0
9D098E82
byzhlgd
cn_cmt
ecyjtsg
elrpzn48
ffpbek
fsb
hidproc
jsefusf
lanfs
W0RKSTATI0N
lflclc
MICR0SOFT SVCH0ST
Std nmpy Service
parcls
qhetvi17
romman
vcharp
wbeh_d
wspipe
Vsn wvvh Service

Files to Delete:
C:\WINDOWS\system32\drivers\00004cc0.SYS
C:\WINDOWS\system32\PvSec.dll
C:\WINDOWS\system32\9D098E82.EXE
C:\WINDOWS\system32\drivers\byzhlgd.sys
C:\WINDOWS\system32\drivers\cn_cmt.sys
C:\WINDOWS\system32\drivers\jtsg.sys
C:\WINDOWS\system32\drivers\elrpzn48.sys
C:\WINDOWS\system32\drivers\ffpbek.sys
C:\WINDOWS\system32\drivers\fsb.sys
C:\WINDOWS\system32\drivers\hidproc.sys
C:\WINDOWS\system32\jsefusf.exe
C:\WINDOWS\system32\drivers\lanfs.sys
C:\WINDOWS\system\WINSP00L.EXE
C:\WINDOWS\system32\drivers\lflclc.sys
C:\WINDOWS\system\SVCH0ST.EXE
C:\WINDOWS\system32\drivers\parcls.sys
C:\WINDOWS\system32\drivers\qhetvi17.sys
C:\WINDOWS\system32\drivers\romman.sys
C:\WINDOWS\system32\drivers\vcharp.sys
C:\WINDOWS\system32\drivers\wbeh_d.sys
C:\WINDOWS\system32\drivers\wspipe.sys
C:\WINDOWS\SYSTEM32\cryptimg.dll
C:\WINDOWS\system32\wzcdgwfs.dll
C:\WINDOWS\system32\4ba6ntos.dll
C:\WINDOWS\system32\4023cfsb.dll
C:\WINDOWS\system32\winsys16_070212.dll

Folders to delete:
C:\Program Files\feht
C:\Program Files\Common Files\sybn


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 08 March 2007 - 12:26 PM

Also, please post a new Hijackthis log! :thumbsup:

#15 simon_sum

simon_sum
  • Topic Starter

  • Members
  • 24 posts

Posted 09 March 2007 - 12:03 AM

Hi Dr. Trojanator!

Thanks so much for your reply! I feel better after running the program already! Here is the log of Avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lhudkfan

*******************

Script file located at: \??\C:\nmwimlfi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver 00004cc0 unloaded successfully.
Driver 9D098E82 unloaded successfully.
Driver byzhlgd unloaded successfully.
Driver cn_cmt unloaded successfully.
Driver ecyjtsg unloaded successfully.
Driver elrpzn48 unloaded successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\ffpbek not found!
Unload of driver ffpbek failed!

Could not process line:
ffpbek
Status: 0xc0000034

Driver fsb unloaded successfully.
Driver hidproc unloaded successfully.
Driver jsefusf unloaded successfully.
Driver lanfs unloaded successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\W0RKSTATI0N not found!
Unload of driver W0RKSTATI0N failed!

Could not process line:
W0RKSTATI0N
Status: 0xc0000034

Driver lflclc unloaded successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\MICR0SOFT SVCH0ST not found!
Unload of driver MICR0SOFT SVCH0ST failed!

Could not process line:
MICR0SOFT SVCH0ST
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\Std nmpy Service not found!
Unload of driver Std nmpy Service failed!

Could not process line:
Std nmpy Service
Status: 0xc0000034

Driver parcls unloaded successfully.
Driver qhetvi17 unloaded successfully.
Driver romman unloaded successfully.
Driver vcharp unloaded successfully.
Driver wbeh_d unloaded successfully.
Driver wspipe unloaded successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\Vsn wvvh Service not found!
Unload of driver Vsn wvvh Service failed!

Could not process line:
Vsn wvvh Service
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\00004cc0.SYS deleted successfully.
File C:\WINDOWS\system32\PvSec.dll deleted successfully.
File C:\WINDOWS\system32\9D098E82.EXE deleted successfully.
File C:\WINDOWS\system32\drivers\byzhlgd.sys deleted successfully.
File C:\WINDOWS\system32\drivers\cn_cmt.sys deleted successfully.


File C:\WINDOWS\system32\drivers\jtsg.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\jtsg.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\jtsg.sys
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\elrpzn48.sys deleted successfully.
File C:\WINDOWS\system32\drivers\ffpbek.sys deleted successfully.
File C:\WINDOWS\system32\drivers\fsb.sys deleted successfully.
File C:\WINDOWS\system32\drivers\hidproc.sys deleted successfully.
File C:\WINDOWS\system32\jsefusf.exe deleted successfully.
File C:\WINDOWS\system32\drivers\lanfs.sys deleted successfully.


File C:\WINDOWS\system\WINSP00L.EXE not found!
Deletion of file C:\WINDOWS\system\WINSP00L.EXE failed!

Could not process line:
C:\WINDOWS\system\WINSP00L.EXE
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\lflclc.sys deleted successfully.


File C:\WINDOWS\system\SVCH0ST.EXE not found!
Deletion of file C:\WINDOWS\system\SVCH0ST.EXE failed!

Could not process line:
C:\WINDOWS\system\SVCH0ST.EXE
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\parcls.sys deleted successfully.
File C:\WINDOWS\system32\drivers\qhetvi17.sys deleted successfully.
File C:\WINDOWS\system32\drivers\romman.sys deleted successfully.


File C:\WINDOWS\system32\drivers\vcharp.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\vcharp.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\vcharp.sys
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\wbeh_d.sys deleted successfully.
File C:\WINDOWS\system32\drivers\wspipe.sys deleted successfully.
File C:\WINDOWS\SYSTEM32\cryptimg.dll deleted successfully.


File C:\WINDOWS\system32\wzcdgwfs.dll not found!
Deletion of file C:\WINDOWS\system32\wzcdgwfs.dll failed!

Could not process line:
C:\WINDOWS\system32\wzcdgwfs.dll
Status: 0xc0000034

File C:\WINDOWS\system32\4ba6ntos.dll deleted successfully.
File C:\WINDOWS\system32\4023cfsb.dll deleted successfully.
File C:\WINDOWS\system32\winsys16_070212.dll deleted successfully.
Folder C:\Program Files\feht deleted successfully.


Folder C:\Program Files\Common Files\sybn not found!
Deletion of folder C:\Program Files\Common Files\sybn failed!

Could not process line:
C:\Program Files\Common Files\sybn
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

And then the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:00:37, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TFNF5.exe
c:\windows\system32\wbem\lsass.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\caissdt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\KYE Systems Corp\802.11b Wireless LAN PC Card\RtlWake.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\hijackthis\HijackThis.exe

R3 - URLSearchHook: 495e - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4efdntos.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070212.dll start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0efe0990-30ef-49a9-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {2b90035b-3c8e-4f11-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {35439529-495e-4efd-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4efdntos.dll
O2 - BHO: (no name) - {3e135435-906a-4ba7-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {468c0452-fcd2-4e67-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {50b21866-7db8-4088-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {533e2477-930b-4c04-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5cbb9272-0bec-4d37-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {607904cc-60bd-4023-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4023cfsb.dll (file missing)
O2 - BHO: (no name) - {6832cebe-ca9d-46ae-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: NewsWatch Class - {6BD97C5B-7A34-4AE9-8B0D-4E03F37A8DBF} - C:\WINDOWS\system32\4023cfsb.dll (file missing)
O2 - BHO: (no name) - {6e5b764b-afba-45d3-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\45d3ntos.dll
O2 - BHO: (no name) - {7abf1a68-0002-4c5c-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {7e96ccd6-38db-4db8-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {8146aeae-c1e0-4c7d-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {83ee07b4-10c1-410e-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {ad23e382-d375-460a-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: (no name) - {af2488ff-fb9c-49ed-8b0d-4e03f37a8dbf} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll



I need to tell you that since IE pops up all the time, I have uninstalled IE now, since I am using Firefox. Please let me know when is the best time for me to install IE back! Thanks thanks thanks so much

Simon
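As an added example (not part of the thread, and not a feature of The Avenger), a reconciler for the procedure David lays out above and the avenger.txt Simon posts back: it parses the script's three sections and the log, gives one verdict per requested line so a helper can see at a glance what still needs doing, and lists drivers with no same-named file in the script, which is how the ecyjtsg / jtsg.sys mismatch would surface. The inputs are constructed excerpts in the same line formats, and the only NTSTATUS decoded is the 0xc0000034 seen in the log.

```python
import re

# Constructed excerpts of the Avenger script David posted and of the C:\avenger.txt
# Simon posted back (same line formats, fewer entries).
SCRIPT = """\
Drivers to unload:
ecyjtsg
ffpbek

Files to Delete:
C:\\WINDOWS\\system32\\drivers\\jtsg.sys
C:\\WINDOWS\\system32\\drivers\\ffpbek.sys

Folders to delete:
C:\\Program Files\\feht
"""
LOG = """\
Driver ecyjtsg unloaded successfully.

Registry key \\Registry\\Machine\\System\\CurrentControlSet\\Services\\ffpbek not found!
Unload of driver ffpbek failed!

Could not process line:
ffpbek
Status: 0xc0000034

File C:\\WINDOWS\\system32\\drivers\\jtsg.sys not found!
Deletion of file C:\\WINDOWS\\system32\\drivers\\jtsg.sys failed!
Status: 0xc0000034

File C:\\WINDOWS\\system32\\drivers\\ffpbek.sys deleted successfully.
Folder C:\\Program Files\\feht deleted successfully.
"""

NTSTATUS = {"0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND"}  # the only code in this log
SECTION = {"drivers to unload": "driver", "files to delete": "file", "folders to delete": "folder"}
OK_RE = re.compile(r"^(Driver|File|Folder) (.+) (?:unloaded|deleted) successfully\.$")
FAIL_RE = re.compile(r"^(?:Unload of (driver)|Deletion of (file|folder)) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_script(text):
    """(kind, name) requests in script order; each section header sets the kind."""
    requests, kind = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):
            kind = SECTION[line[:-1].lower()]
        else:
            requests.append((kind, line))
    return requests


def parse_log(text):
    """Map each (kind, name) the log reports on to 'ok' or to the NTSTATUS it failed with."""
    results, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := OK_RE.match(line):
            results[(m.group(1).lower(), m.group(2))] = "ok"
        elif m := FAIL_RE.match(line):
            pending = (m.group(1) or m.group(2), m.group(3))  # its Status: line follows later
        elif (m := STATUS_RE.match(line)) and pending:
            results[pending], pending = m.group(1).lower(), None
    return results


def reconcile(script_text, log_text):
    """One (kind, name, verdict) per script line, so nothing requested goes unaccounted for."""
    results, report = parse_log(log_text), []
    for kind, name in parse_script(script_text):
        status = results.get((kind, name))
        if status is None:
            verdict = "no result in log"
        elif status == "ok":
            verdict = "done"
        else:
            verdict = f"failed {status} ({NTSTATUS.get(status, 'unknown NTSTATUS')})"
        report.append((kind, name, verdict))
    return report


def unmatched_drivers(script_text):
    """Drivers unloaded with no same-named file in the script: a typo check (ecyjtsg vs jtsg.sys)."""
    requests = parse_script(script_text)
    stems = {n.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() for k, n in requests if k == "file"}
    return [n for k, n in requests if k == "driver" and n.lower() not in stems]
```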



