Problem: frequent Vietnamese website popups, very slow startup


  • This topic is locked
3 replies to this topic

#1 phuphu

    Member

  • Full Member
  • 8 posts

Posted 01 February 2007 - 08:55 AM

Hi guys. Any help is greatly appreciated, thank you in advance!

edit: I have also attached the BitDefender online scan report following the AVG report; it is quite long and I couldn't figure out how to post it in its original formatting. I couldn't use HTML??

edit: have also added the F-Secure scan report

I am having a problem with frequent popups, regardless of whether I have a browser (mozilla or IE) window open at all. I left the laptop running overnight and there must've been over 50 popups in that time. They mostly seem to be vietnamese websites (my dad uses this laptop quite a bit and frequents vietnamese websites for chess, news, and sports).

The following are the most frequent websites that popup:
http://khoweb.com
http://nhac3.com
http://ibay.hk
http://uphinh.com
http://hoanghamobile.com
http://swisspress.info
http://24toy.com
http://khogame.com
http://photo.vnn777.com


Links pooched! Please do not post live links to probable malware sites. - Indrid_Cold

Also, system startup is very sluggish. I haven't timed it, but it seems to take well in excess of 5 minutes to fully start up and not stall when I try to run a program. I have an Asus A3500L laptop, Celeron M 1.30 GHz and 256MB DDR PC2700.

I am using Symantec AntiVirus 2004 (Full version 9.0.1.1000) and it has not detected any viruses.

I have run the full scan from the Trend Micro website; it detected several trojans and viruses, all of which I chose to remove/disinfect/delete. I did not save the log or take note of the detected viruses/trojans, unfortunately.

I have Lavasoft Ad-aware SE 1.06r1 with the latest updates and I have run a full system scan as per the FAQ instructions. It did not come up with anything.

I have the latest SpywareBlaster with the latest updates.

I have the latest Spybot - Search & Destroy with the latest updates and have run a full scan, I do not completely remember what it detected but I believe it was mostly tracking cookies. I am also running Spybot-SD Resident.

I have AVG Anti-Spyware 7.5 (which apparently has replaced Ewido) and have attached a log of the full system scan after the HijackThis log.

I have read the forum FAQ and followed the directions.


This is the HijackThis log, run with no browser windows or programs open (apart from programs running in the background and in the taskbar - antivirus and such).

Logfile of HijackThis v1.99.1
Scan saved at 11:47:09 PM, on 1/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 203.161.78.58 viethacker.org # thang nay thuong hack website nguoi khac
O1 - Hosts: 203.161.78.58 www.viethacker.org
O1 - Hosts: 203.161.78.58 www.huyenanh.ws # thang nay thuong hack website nguoi khac
O1 - Hosts: 203.161.78.58 huyenanh.ws
O1 - Hosts: 203.161.78.58 huexua.net # thang nay tha virus an cap pass cua yahoo
O1 - Hosts: 203.161.78.58 www.huexua.net
O1 - Hosts: 203.161.78.58 haibatrung.info # thang nay tha virus an cap pass cua yahoo
O1 - Hosts: 203.161.78.58 www.haibatrung.info
O1 - Hosts: 203.161.78.58 prompt.zangocash.com # thang nay thuong hack website nguoi khac va chen virus
O1 - Hosts: 203.161.78.58 dongdat.com # thang nay co hang lo website sexy va thuong DDoS nguoi khac, co lan da tan cong DDoS hvaonline.net
O1 - Hosts: 203.161.78.58 www.dongdat.com
O1 - Hosts: 203.161.78.58 thu-dam.net #thang nay khoi can noi cung biet la sexy roi
O1 - Hosts: 203.161.78.58 www.thu-dam.net
O1 - Hosts: 203.161.78.58 thudam.net #thang nay khoi can noi cung biet la sexy roi
O1 - Hosts: 203.161.78.58 giacmongdem.com #Website sexy, chu nhan cua no la www.dongdat.com
O1 - Hosts: 203.161.78.58 www.giacmongdem.com
O1 - Hosts: 203.161.78.58 giacmongdem.net #Website sexy, chu nhan cua no la www.dongdat.com
O1 - Hosts: 203.161.78.58 www.giacmongdem.net
O1 - Hosts: 203.161.78.58 phimvn.net.ms #Website sexy, chu nhan cua no la www.dongdat.com
O1 - Hosts: 203.161.78.58 www.phimvn.net.ms
O1 - Hosts: 203.161.78.58 cakhuc.net.tf
O1 - Hosts: 203.161.78.58 www.cakhuc.net.tf
O1 - Hosts: 203.161.78.58 belood.com
O1 - Hosts: 203.161.78.58 www.belood.com
O1 - Hosts: 203.161.78.58 91daklak.com
O1 - Hosts: 203.161.78.58 www.91daklak.com
O1 - Hosts: 203.161.78.58 songdong.net
O1 - Hosts: 203.161.78.58 www.songdong.net
O1 - Hosts: 203.161.78.58 dantruongx.info
O1 - Hosts: 203.161.78.58 www.dantruongx.info
O1 - Hosts: 203.161.78.58 diachi.int.tl
O1 - Hosts: 203.161.78.58 www.diachi.int.tl
O1 - Hosts: 203.161.78.58 timdiachi.net
O1 - Hosts: 203.161.78.58 www.timdiachi.net
O1 - Hosts: 203.161.78.58 mynhanquan.com
O1 - Hosts: 203.161.78.58 www.mynhanquan.com
O1 - Hosts: 203.161.78.58 viemarket.com
O1 - Hosts: 203.161.78.58 www.viemarket.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ZCfgSvc.exe] c:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150280327218
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:46:44 AM 2/02/2007
+ Scan result:

:mozilla.100:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.166:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.91:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.99:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.39:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.40:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.41:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.42:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.141:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.140:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.131:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.137:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.138:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.84:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.6:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.184:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.185:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.85:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.171:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.173:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.175:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.176:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.134:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.135:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.136:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.151:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.152:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.153:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.155:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.159:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.178:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.179:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.8:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.9:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.169:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.60:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.61:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.63:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.65:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.142:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.115:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.116:C:\Documents and Settings\Huong Tang\Application Data\Mozilla\Firefox\Profiles\pewdr53d.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
::Report end


BitDefender Online Scanner
Scan report generated at: Fri, Feb 02, 2007 - 03:12:03
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;
Statistics
Time: 01:23:17
Files: 537194
Folders: 3540
Boot Sectors: 6
Archives: 7149
Packed Files: 67020

Results
Identified Viruses: 6
Infected Files: 11
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 11

Engines Info
Virus Definitions: 417603
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800001.VBN=>REMOVED_NULLS
Infected with: Exploit.Onload.A
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800001.VBN=>REMOVED_NULLS
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800001.VBN
Update failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Matrix.class
Infected with: Java.Trojan.Downloader.OpenStream.C

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Matrix.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Matrix.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Counter.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Counter.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Counter.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Dummy.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Dummy.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Dummy.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Parser.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Parser.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)=>Parser.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\loaderadv771.jar-7730088f-5fc5964a.zip.bac_a03824
Update failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\xpladv771[1].wmf.bac_a03824
Infected with: Exploit.Win32.WMF-PFV.C

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\xpladv771[1].wmf.bac_a03824
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\xpladv771[1].wmf.bac_a03824
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>GetAccess.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>GetAccess.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>GetAccess.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>Installer.class
Infected with: Trojan.Downloader.Java.Openconnection.AJ

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>Installer.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>Installer.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>NewSecurityClassLoader.class
Infected with: Java.Trojan.Exploit.Byteverify.G

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>NewSecurityClassLoader.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>NewSecurityClassLoader.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>NewURLClassLoader.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>NewURLClassLoader.class
Disinfection failed

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)=>NewURLClassLoader.class
Deleted

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824=>(Quarantine-4)
Updated

C:\Documents and Settings\Huong Tang\.housecall6.6\Quarantine\java.jar-43ab48a0-5af2edc3.zip.bac_a03824
Update failed

C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv771.jar-7730088f-5fc5964a.zip=>Matrix.class
Infected with: Java.Trojan.Downloader.OpenStream.C

C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv771.jar-7730088f-5fc5964a.zip=>Matrix.class
Disinfection failed

C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv771.jar-7730088f-5fc5964a.zip=>Matrix.class
Deleted

C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv771.jar-7730088f-5fc5964a.zip
Updated



F-Secure Scanning Report
Friday, February 02, 2007 12:07:47 - 19:35:49

Computer name:
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 2 malware found
Exploit.JS.ADODB.Stream.e (virus)

* C:\DOCUMENTS AND SETTINGS\HUONG TANG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W2YZ90SA\SET[1].HTM

Windows (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 30221
* System: 4042
* Not scanned: 3

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

Options
Scanning engines:

* F-Secure AVP: 7.0.171, 2007-02-02
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 2007-01-29
* F-Secure Libra: 2.4.2, 2007-02-01
* F-Secure Orion: 1.2.37, 2007-02-01
* F-Secure Pegasus: 1.19.0, 2007-00-31

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

Edited by phuphu, 02 February 2007 - 09:03 AM.


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,490 posts

Posted 04 February 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna

    Forum Deity

  • Trusted Advisor
  • 3,838 posts

Posted 06 February 2007 - 03:00 AM

Hi phuphu,

Welcome to SpywareInfo!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

Please post a fresh HijackThis log in this thread, so I can be sure nothing has changed and give you an accurate fix.

OK, let's do this first.

Please download HostsXpert and save it to your desktop:
  • Extract the zip file to your desktop or a permanent folder on your hard drive.
  • Open the folder and double-click on HostsXpert.exe
  • Make sure that the "Make hosts writable?" button in the upper right corner is checked.
  • Click "Back up host files".
  • Click "Restore original hosts".
  • Click "OK" and exit the program.

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION : Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

NEXT:

Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log.

How are things running now?

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
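The O1 entries in the first post all map Vietnamese hostnames to the same routable address, which is the pattern the "Restore original hosts" step above is meant to undo. The script below is an added example, not code from the thread or from HostsXpert: it triages either a raw hosts file (on Windows XP that is %SystemRoot%\System32\drivers\etc\hosts) or the O1 lines of a HijackThis log, flags any entry whose target is not loopback or 0.0.0.0, and groups the flagged names by target IP so a mass redirect stands out. The sample input is constructed: two benign lines plus four O1 lines copied from the log above.

```python
"""Triage a Windows hosts file (or the O1 lines of a HijackThis log) for hijacked entries."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: two benign hosts lines plus O1 lines as they appear in the
# HijackThis log earlier in this thread. The 0.0.0.0 entry shows that a
# blocklist-style sinkhole is not flagged, since it sends the name nowhere.
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.invalid # blocklist-style sinkhole, constructed
O1 - Hosts: 203.161.78.58 viethacker.org # thang nay thuong hack website nguoi khac
O1 - Hosts: 203.161.78.58 www.viethacker.org
O1 - Hosts: 203.161.78.58 huexua.net # thang nay tha virus an cap pass cua yahoo
O1 - Hosts: 203.161.78.58 prompt.zangocash.com # thang nay thuong hack website nguoi khac va chen virus
"""

# HijackThis prefixes each hosts-file line it reports with this marker.
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def parse_hosts_lines(text):
    """Return (ip, hostname, comment) tuples from hosts-file or HijackThis O1 lines."""
    entries = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue  # blank line or pure comment
        body, _, comment = line.partition("#")
        parts = body.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        ip = parts[0]
        for host in parts[1:]:  # one hosts line may list several names for one IP
            entries.append((ip, host.lower(), comment.strip()))
    return entries


def is_local_target(ip):
    """True for loopback or unspecified targets, the only ones a hosts file normally needs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: not local, so the entry gets flagged
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(entries):
    """Entries that send a hostname to a routable address: candidate hijacks."""
    return [e for e in entries if not is_local_target(e[0])]


def redirect_clusters(entries, min_hosts=2):
    """Group flagged entries by target IP; many names on one routable IP is a redirect pattern."""
    by_ip = defaultdict(list)
    for ip, host, _ in suspicious_entries(entries):
        by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = parse_hosts_lines(SAMPLE)
    for ip, hosts in redirect_clusters(found).items():
        print(f"{len(hosts)} hostnames redirected to {ip}: {', '.join(hosts)}")
```

To run it against a real machine, read the hosts file into `parse_hosts_lines` instead of `SAMPLE`; a clean Windows XP hosts file contains only the `127.0.0.1 localhost` line, so any cluster reported is worth comparing with the restore step above.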

#4 Sempurna

    Forum Deity

  • Trusted Advisor
  • 3,838 posts

Posted 02 March 2007 - 11:17 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
