• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.
Sign in to follow this  
Followers 0
DZhong777

Help with Spyware Infection

13 posts in this topic

About 2 days ago I was infected with quite a bit of spyware. It's hard to remember when, but I think it may have been while watching a video from tv-links.co.uk. At first it was only about one pop-up for every time I viewed a new page, but now it has progressed to the point where if I am online for more than a few minutes, the window becomes flooded with new tabs, and even disconnecting the internet continues to open new windows. The ads are mainly for virus detection or spyware removal, although there are gambling, dating and vacation sites. At first it spawned some shortcuts on the desktop to "Free Laptops" and "Spyware checks" and such things but those were solved after running ad-aware. So far I have run both ad-aware and spybot as well as "Spy Catcher" whose active spyware prevention does nothing. Right now I am running in Safe Mode. The computer runs slightly slower, but not drastically. The slowdown mainly applies to startup. My browser has not been hijacked. My old Norton anti-virus detected nothing. Windows firewall doesn't prevent it. The popups remain prevalent, and I have read the FAQ. My HiJackThis log, which was taken during safemode if that makes a difference:

 

Logfile of HijackThis v1.99.1

Scan saved at 7:04:29 PM, on 6/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [infoMyCa.exe] C:\Program Files\Wireless 802.11g Monitor\InfoMyCa.exe

O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [{56-66-6A-AD-ZN}] C:\windows\system32\nndsregr.exe CHD003

O4 - HKLM\..\Run: [fcbarpuA] C:\WINDOWS\fcbarpuA.exe

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinoodt.exe CHD003

O4 - HKLM\..\Run: [spyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: Watch.lnk = C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe

O4 - Global Startup: ??????.lnk

O4 - Global Startup: ????????.lnk

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: Transtar Help - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE

O9 - Extra 'Tools' menuitem: ??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.telechart.tv/tcinstall/setup.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://weiminzhong.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {59324688-BAB1-4EC0-999A-BFA50D3D4F1D} (FullCtrl Class) - http://chat.qq.com/activex/curver/webvqq.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx

O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: secuload.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

 

Thank you very much in advanced. This is very important to me and any help is greatly appreciated. I will try my best to answer any questions.

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hi,

 

1. Download this file - ComboFix

2. Double click combofix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

jedi

Share this post


Link to post
Share on other sites

Thanks

 

ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe

"Owner" - 2007-06-25 18:07:24 - Service Pack 2 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\vkbynyoa.dll

C:\WINDOWS\system32\wswamnvp.dll

C:\WINDOWS\system32\aoynybkv.ini

C:\WINDOWS\system32\pvnmawsw.ini

C:\WINDOWS\system32\hjkmp.bak1

C:\WINDOWS\system32\hjkmp.bak2

C:\WINDOWS\system32\hjkmp.ini

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\Owner\APPLIC~1.\crosof~1

C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\BJE854DX\www.inter-focus.cn

C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\BJE854DX\www.inter-focus.cn\IF240180JP_016.swf\IFFLASHAD.sol

C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn

C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol

C:\Program Files\Common Files\ecurit~1

C:\Temp\0b9

C:\Temp\0b9\tmpTF.log

C:\Temp\tn3

C:\WINDOWS\cs_cache.ini

C:\WINDOWS\rau001978.exe

C:\WINDOWS\system32\drivers\core.cache.dsk

C:\WINDOWS\system32\drivers\core.sys

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CORE

-------\LEGACY_NET_AGENT

-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS

-------\core

-------\Net Agent

 

 

((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))

 

 

2007-06-25 18:06 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-15 14:09 75,512 --a------ C:\WINDOWS\zllsputility.exe

2007-06-15 14:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-06-15 14:09 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

2007-06-15 14:08 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll

2007-06-15 14:08 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2007-06-15 14:07 <DIR> d-------- C:\WINDOWS\Internet Logs

2007-06-14 14:20 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-13 18:56 1,200,128 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-13 18:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS

2007-06-13 18:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver

2007-06-13 18:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink

2007-06-13 18:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL

2007-06-13 18:15 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Tenebril

2007-06-13 18:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril

2007-06-13 17:42 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll

2007-06-13 17:42 <DIR> d-------- C:\WINDOWS\system32\tenarchlib

2007-06-13 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-06-12 16:30 <DIR> d-------- C:\Program Files\Lavasoft

2007-06-12 16:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-06-12 16:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-12 13:16 <DIR> d-------- C:\WINDOWS\system32\win

2007-06-12 13:16 <DIR> d-------- C:\WINDOWS\system32\A2

2007-06-12 13:16 <DIR> d-------- C:\WINDOWS\system32\A1

2007-06-12 13:15 <DIR> d-------- C:\WINDOWS\system32\o02PrEz

2007-06-12 13:15 <DIR> d-------- C:\Temp\iee

2007-06-12 13:15 <DIR> d-------- C:\Temp

2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-24 19:19:18 336 ----a-w C:\WINDOWS\system32\Tablet.dat

2007-06-18 05:26:28 -------- d-----w C:\Program Files\Starcraft

2007-06-15 23:34:41 -------- d-----w C:\Program Files\Yahoo!

2007-06-14 20:09:41 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-14 20:09:39 -------- d-----w C:\Program Files\Symantec

2007-06-14 06:38:16 -------- d-----w C:\Program Files\Norton AntiVirus

2007-06-13 23:04:21 -------- d-----w C:\Program Files\NZSearch

2007-06-13 10:11:59 -------- d-----w C:\Program Files\Pure Networks

2007-06-13 07:09:31 -------- d-----w C:\Program Files\Common Files\AOL

2007-06-13 07:08:29 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AOL

2007-06-05 03:29:40 -------- d-----w C:\Program Files\Windows Live Toolbar

2007-05-30 06:31:35 40,552 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT

2007-05-20 05:39:18 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DivX

2007-05-19 05:41:20 -------- d-----w C:\Program Files\DivX

2007-05-16 23:19:09 35,382 ----a-w C:\WINDOWS\scunin.dat

2007-05-16 23:19:05 967 ----a-w C:\WINDOWS\ScUnin.pif

2007-05-16 23:19:05 94,208 ----a-w C:\WINDOWS\ScUnin.exe

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-13 08:11:39 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll

2007-04-26 03:44:18 -------- d-----w C:\Program Files\Common Files\Borland Shared

2007-04-26 03:44:17 -------- d-----w C:\Program Files\Cosmi

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-04-23 00:15:24 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe

2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]

{0A87E45F-537A-40B4-B812-E2544C21A09F}=C:\Program Files\SpyCatcher\SCActiveBlock.dll []

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]

{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]

{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}=C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-04-18 19:04]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2006-10-12 11:38]

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 15:56]

{CC591E3C-80AF-DC0E-8A7C-FFADA8977590}=C:\WINDOWS\system32\czt.dll []

{E5D4C195-316D-42A2-94CE-A2925DAA6BEE}=C:\WINDOWS\system32\pmkjh.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2004-09-02 20:47 C:\WINDOWS\system32\SiSPower.dll]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 02:42]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 02:20]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 02:20]

"InfoMyCa.exe"="C:\Program Files\Wireless 802.11g Monitor\InfoMyCa.exe" []

"XPFix"="C:\Program Files\Wireless 802.11g Monitor\XPFix.exe" [2004-08-11 02:56]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-02 03:39]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-30 21:00]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 C:\WINDOWS\SOUNDMAN.EXE]

"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-12-01 17:04]

"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2005-09-21 15:40]

"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 18:30]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]

"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 23:44]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2004-12-22 20:08]

"Kuro_M7"="" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]

"SAutoLaunchExe"="C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE" [2003-09-22 15:31]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 19:00]

"Zbgajuna"="C:\Program Files\Common Files\?ecurity\?poolsv.exe" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffdb]

hggffdb.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjh]

C:\WINDOWS\system32\pmkjh.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-26 00:51:01 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

2007-06-26 01:11:28 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-25 18:17:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

 

Completion time: 2007-06-25 18:22:25 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-25 18:21

 

--- E O F ---

Share this post


Link to post
Share on other sites

I don't know if this is relevent but:

 

2006-09-26 23:23	  124	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\Macromedia\Flash Player\#SharedObjects\BJE854DX\www.inter-focus.cn\IF240180JP_016.swf\IFFLASHAD.sol.vir
2006-09-26 23:23	  88	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol.vir
2007-04-24 09:21	  9248	--a------	C:\Qoobox\Quarantine\C\Temp\0b9\tmpTF.log.vir
2007-06-12 13:15	  164787	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2007-06-12 13:15	  72832	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
2007-06-12 13:16	  34816	--a------	C:\Qoobox\Quarantine\C\WINDOWS\rau001978.exe.vir
2007-06-12 13:17	  4364	--a------	C:\Qoobox\Quarantine\C\WINDOWS\cs_cache.ini.vir
2007-06-12 13:26	  1808512	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hjkmp.bak1.vir
2007-06-13 15:49	  124436	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wswamnvp.dll.vir
2007-06-13 15:49	  943923	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pvnmawsw.ini.vir
2007-06-14 16:55	  1847760	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hjkmp.bak2.vir
2007-06-14 16:56	  124436	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vkbynyoa.dll.vir
2007-06-14 18:31	  1838567	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\hjkmp.ini.vir
2007-06-25 11:59	  793243	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\aoynybkv.ini.vir
2007-06-25 18:12	  1220	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-06-25 18:12	  2526	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Net Agent.reg.cf
2007-06-25 18:12	  814	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NET_AGENT.reg.cf
2007-06-25 18:12	  950	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
2007-06-25 18:12	  994	--a------	C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
2007-06-25 18:13	  218938	--a------	C:\Qoobox\Quarantine\catchme2007-06-25_181700.35.zip
2007-06-25 18:13	  340	--a------	C:\Qoobox\Quarantine\catchme.log


Folder PATH listing
Volume serial number is E015-66AD
C:\QOOBOX
\---Quarantine
|   catchme.log
|   catchme2007-06-25_181700.35.zip
|   
+---C
|   +---DOCUME~1
|   |   \---Owner
|   |	   \---APPLIC~1
|   |		   \---Macromedia
|   |			   \---Flash Player
|   |				   +---#SharedObjects
|   |				   |   \---BJE854DX
|   |				   |	   \---www.inter-focus.cn
|   |				   |		   \---IF240180JP_016.swf
|   |				   |				   IFFLASHAD.sol.vir
|   |				   |				   
|   |				   \---macromedia.com
|   |					   \---support
|   |						   \---flashplayer
|   |							   \---sys
|   |								   \---#www.inter-focus.cn
|   |										   settings.sol.vir
|   |										   
|   +---Temp
|   |   \---0b9
|   |		   tmpTF.log.vir
|   |		   
|   \---WINDOWS
|	   |   cs_cache.ini.vir
|	   |   rau001978.exe.vir
|	   |   
|	   \---system32
|		   |   aoynybkv.ini.vir
|		   |   hjkmp.bak1.vir
|		   |   hjkmp.bak2.vir
|		   |   hjkmp.ini.vir
|		   |   pvnmawsw.ini.vir
|		   |   vkbynyoa.dll.vir
|		   |   wswamnvp.dll.vir
|		   |   
|		   \---drivers
|				   core.cache.dsk.vir
|				   core.sys.vir
|				   
\---Registry_backups
		LEGACY_CORE.reg.cf
		LEGACY_NET_AGENT.reg.cf
		LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
		services_core.reg.cf
		services_Net Agent.reg.cf

Share this post


Link to post
Share on other sites

Hi again,

 

Ok, that's thinned out the malware, please now do the following:

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Please also post a fresh HiJackThis log.

 

jedi

Share this post


Link to post
Share on other sites

vkbynyoa.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;

wswamnvp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;

A0075613.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP500;Trojan.Virtumod;Deleted.;

A0077433.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP502;Trojan.Virtumod;Deleted.;

A0077439.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP502;Trojan.Virtumod;Deleted.;

A0078469.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP502;Trojan.StartPage.20109;Deleted.;

A0079694.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP504;Trojan.Virtumod;Deleted.;

A0079797.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP504;Trojan.Virtumod;Deleted.;

A0079987.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP505;Trojan.Virtumod;Deleted.;

A0082041.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP514;Trojan.Virtumod;Deleted.;

A0082042.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP514;Trojan.Virtumod;Deleted.;

 

HiJack This:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:12:10 PM, on 6/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Wireless 802.11g Monitor\XPFix.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\Wtablet\TabUserW.exe

C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: (no name) - {CC591E3C-80AF-DC0E-8A7C-FFADA8977590} - C:\WINDOWS\system32\czt.dll (file missing)

O2 - BHO: (no name) - {E5D4C195-316D-42A2-94CE-A2925DAA6BEE} - C:\WINDOWS\system32\pmkjh.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [infoMyCa.exe] C:\Program Files\Wireless 802.11g Monitor\InfoMyCa.exe

O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sAutoLaunchExe] C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [Zbgajuna] "C:\Program Files\Common Files\?ecurity\?poolsv.exe"

O4 - Startup: ??QQ.lnk

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: Watch.lnk = C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe

O4 - Global Startup: ??????.lnk

O4 - Global Startup: ????????.lnk

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: ???QQ?? - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: ???QQ????? - C:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: ?QQ??????? - C:\Program Files\Tencent\QQ\SendMMS.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O8 - Extra context menu item: ???QQ????? - C:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: ???QQ?? - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: ?QQ??????? - C:\Program Files\Tencent\QQ\SendMMS.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: Transtar Help - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.telechart.tv/tcinstall/setup.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://weiminzhong.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {59324688-BAB1-4EC0-999A-BFA50D3D4F1D} (FullCtrl Class) - http://chat.qq.com/activex/curver/webvqq.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx

O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: hggffdb - hggffdb.dll (file missing)

O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Share this post


Link to post
Share on other sites

Hi again,

 

Scan with HiJackThis and put a check in the box next to the following items;

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {CC591E3C-80AF-DC0E-8A7C-FFADA8977590} - C:\WINDOWS\system32\czt.dll (file missing)

O2 - BHO: (no name) - {E5D4C195-316D-42A2-94CE-A2925DAA6BEE} - C:\WINDOWS\system32\pmkjh.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKCU\..\Run: [Zbgajuna] "C:\Program Files\Common Files\?ecurity\?poolsv.exe"

O20 - Winlogon Notify: hggffdb - hggffdb.dll (file missing)

O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll (file missing)

 

Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

 

Restart.

 

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

 

jedi

Share this post


Link to post
Share on other sites

Thank you for your speedy responses and help.

 

Logfile of HijackThis v1.99.1

Scan saved at 3:25:34 PM, on 6/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Wireless 802.11g Monitor\XPFix.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\Wtablet\TabUserW.exe

C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe

C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [infoMyCa.exe] C:\Program Files\Wireless 802.11g Monitor\InfoMyCa.exe

O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sAutoLaunchExe] C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - Startup: ??QQ.lnk

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: Watch.lnk = C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe

O4 - Global Startup: ??????.lnk

O4 - Global Startup: ????????.lnk

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: ???QQ?? - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: ???QQ????? - C:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: ?QQ??????? - C:\Program Files\Tencent\QQ\SendMMS.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O8 - Extra context menu item: ???QQ????? - C:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: ???QQ?? - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: ?QQ??????? - C:\Program Files\Tencent\QQ\SendMMS.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: Transtar Help - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra 'Tools' menuitem: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.telechart.tv/tcinstall/setup.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://weiminzhong.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {59324688-BAB1-4EC0-999A-BFA50D3D4F1D} (FullCtrl Class) - http://chat.qq.com/activex/curver/webvqq.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx

O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Share this post


Link to post
Share on other sites

Hi again,

 

OK, your log looks clean, how is your PC performing now?

 

jedi

Share this post


Link to post
Share on other sites

You're most welcome. :)

 

In order to be better protected in the future, I recommend the following programs:

 

SpywareBlaster protects against bad ActiveX.

http://www.javacoolsoftware.com/spywareblaster.html

 

SpywareGuard stops Spyware from being installed.

http://www.javacoolsoftware.com/spywareguard.html

 

Also install the MVPS hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

which blocks innocent looking sites that are not so innocent.

 

All three are very small free programs that you run once, and then just occasionally to check for updates.

 

Also see

How did I get Infected?

 

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking

here http://v4.windowsupdate.microsoft.com/

and following the prompts.

 

Take care.

 

jedi :wave:

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0