dreamz0708

PSW.Generic3.WCQ and Downloader.Generic4.FGS

39 posts in this topic

Hi, I happened to search the net and found this forum. I'd appreciate it if someone could help me out.

Currently, I am using my friend's computer as mine has been unable to connect to the internet since yesterday.

 

This is the situation:

Before my internet went down, AVG found two virus files: "avp.exe" (PSW.Generic3.WCQ) and "hsvwer3.dll" (PSW.Generic3.WSV). AVG helped to clean them and I thought everything would be fine. But minutes later, the internet connection went down.

 

And I scanned my computer with AVG again. This time round it found 5 virus files:

- Local Settings\Temporary Internet Files\Content.IE5\AYZFXWFN\PM[1].exe (Downloader.Generic4.FGS)

- Local Settings\Temporary Internet Files\Content.IE5\OTC70RSV\tw[1].exe (PSW.Generic3.WLJ)

- C:\WINDOWS\~tmp3017.exe (Downloader.Generic4.FGS)

- C:\WINDOWS\system32\spolsv.exe (Downloader.Generic4.FGS)

- C:\WINDOWS\Temp\svcipa.exe (Downloader.Generic3.VVP)

 

AVG helped to heal them, but one hour later it detected another two virus files:

- A0306003.exe (PSW.Generic3.WCQ)

- A0306016.exe (Downloader.Generic4.FGS)

 

I did scans with AVG, Ad-Aware and Spyware Doctor. They cleared the infected files, but I am still unable to connect to the internet. One more thing: my printer is suddenly disabled and I'm unable to reinstall it. I'm not sure whether it has to do with the virus or trojan horse.

 

This is my Hijackthis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:26:25, on 21/04/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\HHVcdV5Sys\VC5SecS.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\System32\TrayIcon.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HHVcdV5Sys\VC5Play.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\SPYWAR~1\swdoctor.exe

C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe

C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qq345.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.ntu.edu.sg/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ntu.edu.sg:8080

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [_28598c] C:\WINDOWS\System32\_28598c.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q

O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: MagicTune3.5.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\hsvwer3.dll' missing

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg

O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {AA218328-0EA8-4D70-8972-E987A9190FF4} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\System32\spolsv.exe (file missing)

O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

Thanks a million in advance. :)


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi dreamz0708, and Welcome to SWI

 

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

 

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

 

One or more of the items you need to remove is a backdoor application that can allow attackers to access your computer, stealing passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

 

Since you cannot connect to the Internet, you will need to download these utilities from another system and transfer them to your system; I'd burn them to a CD-R. If you transfer the first utility (LSPfix) via a floppy, it's possible that you may be able to connect after running it, and then download the rest from your own system. If you still can't connect, you will need to download these files (in addition to LSPfix) and transfer them to your system (they are also listed in the instructions below):

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

 

 

Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:

 

To deactivate Spyware Doctor's OnGuard Tools

 

1. From within Spyware Doctor, click the "OnGuard" button on the left side.

2. Uncheck "Activate OnGuard".

 

You can reenable it once your system is clean.

 

Download LSPfix from http://www.downloads.subratam.org/lspfix.zip and unzip it to its own folder.

 

Run the program, and check "I know what I'm doing", and then select each instance of "hsvwer3.dll" in the left-hand panel and click >> to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

 

Restart your system.

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum in your next reply.

Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the icon next to the files found: check.gif
  • If so, click it, then click the icon right below and select Move incurable, as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

 

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [_28598c] C:\WINDOWS\System32\_28598c.exe <-- note the underscore in the file name

O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\System32\spolsv.exe (file missing)

O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe (file missing)

 

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

 

Using Windows Explorer, locate the following files/folders, and delete them (if still there):

C:\WINDOWS\System32\_28598c.exe

C:\WINDOWS\System32\mxpsp.exe

C:\WINDOWS\System32\spolsv.exe

C:\WINDOWS\avp.exe

 

Restart your system

 

Please post a new HijackThis log, the log from SDFix (Report.txt), then in a second reply, the log from Dr. Web CureIt (DrWeb.csv), and note any errors encountered.

 

Can you connect to the Internet now?
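As an added example (not code from the thread, from HijackThis or from SWI), the triage pass below parses HijackThis 1.99 log lines and flags the same classes of entry TheJoker picked out: the broken Winsock LSP chain (O10), unknown-owner services pointing at missing or look-alike system binaries (O23), underscore-named or RunServices autoruns (O4), and the missing URLSearchHook (R3). The sample lines are a constructed subset of the first log in this thread; the rule names, severity labels and the list of system binaries are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the first HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qq345.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [_28598c] C:\WINDOWS\System32\_28598c.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\hsvwer3.dll' missing
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\System32\spolsv.exe (file missing)
O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe (file missing)
"""

# Assumed list of core Windows binaries whose names malware likes to be one typo away from.
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "winlogon.exe", "explorer.exe", "userinit.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    severity: str  # "high", "medium" or "low" (my own labels)
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alikes such as spolsv.exe vs spoolsv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the real system binary that `name` imitates (distance 1), or None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if edit_distance(name, real) == 1), None)


def target_path(command: str) -> str:
    """First token of an autorun command: the quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Finding]:
    """Run the rules over every HijackThis line and return the entries worth checking."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O10" and "Broken Internet access" in body:
            findings.append(Finding(section, "high",
                "Winsock LSP chain points at a missing DLL; no networking until the chain is rebuilt", line))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, "low", "default URLSearchHook removed; restore it", line))
        elif section == "O4":
            key, _, command = body.partition("] ")
            name = basename(target_path(command))
            real = lookalike_of(name)
            if name.startswith("_"):
                findings.append(Finding(section, "medium", "underscore-prefixed autorun name", line))
            elif "RunServices" in key and "\\" not in target_path(command):
                findings.append(Finding(section, "medium", "RunServices autorun with a bare file name", line))
            elif real:
                findings.append(Finding(section, "high", f"autorun {name} imitates {real}", line))
        elif section == "O23":
            head, _, path = body.rpartition(" - ")
            _, _, owner = head.rpartition(" - ")
            missing = "(file missing)" in path
            name = basename(path.replace("(file missing)", "").strip())
            real = lookalike_of(name)
            if real:
                findings.append(Finding(section, "high", f"service binary {name} imitates {real}", line))
            elif owner == "Unknown owner" and missing:
                findings.append(Finding(section, "high", "unknown-owner service whose binary is gone", line))
            elif owner == "Unknown owner":
                findings.append(Finding(section, "medium", "service with no vendor string; verify the binary", line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields six findings and leaves the AVG entries alone; the look-alike rule is what catches `spolsv.exe` standing in for the real `spoolsv.exe`.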


Hi TheJoker, thanks a lot for the advice and help! I have been looking forward to it. Finally I'm able to connect to the internet!

 

This is the latest HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 04:39:23, on 29/04/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\HHVcdV5Sys\VC5SecS.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\System32\TrayIcon.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HHVcdV5Sys\VC5Play.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\SPYWAR~1\swdoctor.exe

C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe

C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

C:\WINDOWS\System32\ZoneLabs\vsmon.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qq345.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.ntu.edu.sg/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ntu.edu.sg:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: MagicTune3.5.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg

O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {AA218328-0EA8-4D70-8972-E987A9190FF4} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\System32\spolsv.exe (file missing)

O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

SDFix Report:

 

SDFix: Version 1.80

 

Run by chai - 29/04/2007 - 2:19:56.87

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

 

 

 

 

Modified mswsock.dll Found!

 

File Locations:

 

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\dllcache\mswsock.dll

 

Infected files:

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\WINDOWS\SYSTEM32\ERASEM~1.EXE - Deleted

C:\WINDOWS\system32\eraseme_86466.exe - Deleted

C:\WINDOWS\odbc.INI - Deleted

C:\WINDOWS\system32\i - Deleted

C:\WINDOWS\system32\TFTP1232 - Deleted

C:\WINDOWS\system32\TFTP460 - Deleted

 

 

 

Removing Temp Files

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"D:\\PPStream\\PPStream.exe"="D:\\PPStream\\PPStream.exe:*:Enabled:PPStream"

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Checking For Files with Hidden Attributes:

 

C:\Documents and Settings\chai\NetHood\gchart on yes933.com.sg\Desktop.ini

C:\Documents and Settings\chai\NetHood\www.peacefuldreamz.netfirms.com\Desktop.ini

C:\Documents and Settings\chai\Application Data\Microsoft\Word\~WRL0005.tmp

C:\Documents and Settings\chai\Application Data\Microsoft\Word\~WRL0437.tmp

C:\Documents and Settings\chai\Application Data\Microsoft\Word\~WRL0903.tmp

C:\Documents and Settings\chai\Application Data\Microsoft\Word\~WRL2936.tmp

C:\Documents and Settings\chai\Application Data\Microsoft\Word\~WRL3157.tmp

 

Finished


Log from Dr Web:
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
msefoi.dll;C:\WINDOWS\system32;Adware.Ezula;Incurable.Moved.;
patch.exe;D:\K800i\K800-K790a Games And Software\Software\Mobile.Music.Polyphonic.v1.3-HERiTAGE;Tool.ASEye.2;Incurable.Moved.;
mirc.exe;D:\SHE collections\S.H.E ambience;Program.mIRC.616;Incurable.Moved.;
S.H.E Ambience.exe;D:\SHE collections\S.H.E ambience;Program.mIRC.582;Incurable.Moved.;
A0302938.exe;D:\System Volume Information\_restore{2E6A2B73-B1F5-413E-9518-16A9D763B7F1}\RP367;Probably DLOADER.Trojan;Incurable.Moved

 

 

Problems that remain:

- Printer unable to install. It had no problem before it was infected by the trojan horse.

- "D-drive" cannot be opened by double-clicking. It shows a popup "Window cannot find pagefile.pif." and asks me to type in the executable file to be used instead. This problem was left behind by the past trojan horse that was partially fixed. Therefore, I use right-click to open up the D-drive.

Sorry for taking part of your precious time to help me out. Thanks a lot.


From the SDFix log, you have a file that was modified, so we need to find any other locations where it exists besides the ones listed in that log.

 

Download FileFind by Atribune and save the file to your Desktop.

Extract FileFind.exe to the Desktop and run it by double-clicking on it.

In the box labeled "Enter the directory to search", enter:

 

C:\Windows

 

In the box labeled "Enter the file to search", enter:

 

mswsock.dll

 

Now click on the "Find" button

Once the utility has found the files click on "Export"

This will save a text file to C:\Export.txt

Double click on Export.txt, copy and paste this information in your next post.

 

 

Using Windows Explorer, locate the following files that Dr.Web CureIt moved to

C:\Documents and Settings\chai\DoctorWeb\quarantine and move them back to their original location:

 

mirc.exe --> move back to C:\Program Files\mIRC

Process.exe --> move back to C:\SDFix\apps

 

 

Please be sure Spyware Doctor's OnGuard Tools are still disabled.

To deactivate Spyware Doctor's OnGuard Tools

 

1. From within Spyware Doctor, click the "OnGuard" button on the left side.

2. Uncheck "Activate OnGuard".

 

You can re-enable it once your system is clean.

 

Please run Notepad and copy the following text into a new file:

 

sc config Spooler start= disabled
sc stop Spooler
sc delete Spooler
sc config VGADown start= disabled
sc stop VGADown
sc delete VGADown

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. Please note any errors encountered.

 

Run Panda's online virus scan and perform a full system scan.

Once you are on the Panda site click the Scan your PC button

  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please restart your system and post a new HijackThis log.

Do your problems remain trying to reinstall your printer and with double-clicking on your D: drive?

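One check a practitioner would want before running remove.bat, as an added example that is not part of the original post: show what each named service actually points at (its ImagePath, the ServiceDll for svchost-hosted services, and the Authenticode status of that file) before disabling, stopping and deleting it. The built-in Print Spooler is also registered under the name Spooler and runs spoolsv.exe from system32, so the report is what tells a legitimate service apart from one that only borrowed the name. The two service names are the ones from the batch file; the script reads the live registry and assumes nothing about what it will find there.

```powershell
# Added example (not from the original thread): report what a service really
# runs before it is deleted, then, only with -Remove, apply the same
# disable/stop/delete sequence that remove.bat applies with sc.exe.
# Service names default to the two named in the thread.
param(
    [string[]]$ServiceNames = @('Spooler', 'VGADown'),
    [switch]$Remove
)

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceReport {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    $imagePath = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath)
    # The executable is the first token of ImagePath, quoted or not; anything
    # after it is arguments (for svchost-hosted services, "-k <group>").
    if ($imagePath -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($imagePath -split '\s+')[0] }
    # svchost-hosted services keep their real code in Parameters\ServiceDll.
    $dll = $null
    if (Test-Path "$key\Parameters") {
        $dll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables([string]$dll) }
    }
    if ($dll) { $target = $dll } else { $target = $exe }
    $exists = [bool]($target -and (Test-Path -LiteralPath $target))
    $sigStatus = 'n/a'; $signer = ''
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $target
        $sigStatus = $sig.Status            # Valid / NotSigned / HashMismatch / UnknownError
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $start = if ($p.Start -ne $null) { $startTypes[[int]$p.Start] } else { '?' }
    New-Object PSObject -Property @{
        Name        = $Name
        DisplayName = $p.DisplayName
        Start       = $start
        ImagePath   = $imagePath
        ServiceDll  = $dll
        FileExists  = $exists
        Signature   = $sigStatus
        Signer      = $signer
    }
}

foreach ($name in $ServiceNames) {
    $report = Get-ServiceReport -Name $name
    if (-not $report) { Write-Output "$name : not registered on this machine"; continue }
    $report | Format-List Name, DisplayName, Start, ImagePath, ServiceDll, FileExists, Signature, Signer
    if ($Remove) {
        # Same three steps as remove.bat. "sc" alone is an alias for Set-Content
        # in PowerShell, so call sc.exe; it requires the space after "start=".
        sc.exe config $name start= disabled
        sc.exe stop $name
        sc.exe delete $name
    }
}
```

Run it once without -Remove from an elevated prompt, read the report, and only then run it again with -Remove for the services you are sure about. A service whose FileExists is False, whose Signature is NotSigned, or whose ImagePath points outside the expected program or system folders is the kind of entry a batch file like the one above is meant to remove; a signed spoolsv.exe in system32 is the real spooler.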

Yes, the two problems still remain.

 

Panda ActiveScan result:

Adware:Adware/ZapSpot Not disinfected C:\Documents and Settings\chai\Application Data\ZapSpot\System\Etc\P3OfrMgr.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\chai\Cookies\chai@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\chai\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\chai\DoctorWeb\Quarantine\msefoi.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/Ipend Not disinfected C:\WINDOWS\system32\mshlol.dll
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\system32\msiaih.dll
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini

 

 

New HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 15:53:01, on 29/04/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\System32\TrayIcon.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HHVcdV5Sys\VC5Play.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\SPYWAR~1\swdoctor.exe

C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe

C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\HHVcdV5Sys\VC5SecS.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qq345.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.ntu.edu.sg/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ntu.edu.sg:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: MagicTune3.5.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg

O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AA218328-0EA8-4D70-8972-E987A9190FF4} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


You still need to do this (or post the results if you already ran it):

 

Download FileFind by Atribune and save the file to your Desktop.

Extract FileFind.exe to the Desktop and run it by double-clicking on it.

In the box labeled "Enter the directory to search", enter:

 

C:\Windows

 

In the box labeled "Enter the file to search", enter:

 

mswsock.dll

 

Now click on the "Find" button

Once the utility has found the files click on "Export"

This will save a text file to C:\Export.txt

Double click on Export.txt, copy and paste this information in your next post.

 

Using Windows Explorer, delete the following folder and files:

C:\Documents and Settings\chai\Application Data\ZapSpot <-- folder

C:\Documents and Settings\chai\DoctorWeb\Quarantine\msefoi.dll

C:\WINDOWS\system32\mshlol.dll

C:\WINDOWS\system32\msiaih.dll

C:\WINDOWS\ubber60.ini

 

Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

 

1) Run Ad-Aware, and click Check for updates now.

 

2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed.

 

3) To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next

4) When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe that you downloaded to install the newest version.

Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs

(if you have script protection, please allow this to run)

 

In the dialog that opens enter the following:

zapspot

 

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

 

Please post a new HijackThis log, the text exported by FileFind, and the text from the Registry Search Tool, and note any errors encountered.

Share on other sites

Oops, sorry. :) I forgot about FileFind.

 

HJT Log:

Logfile of HijackThis v1.99.1

Scan saved at 23:00:40, on 29/04/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\System32\TrayIcon.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HHVcdV5Sys\VC5Play.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\SPYWAR~1\swdoctor.exe

C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe

C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\HHVcdV5Sys\VC5SecS.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\msiexec.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qq345.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.ntu.edu.sg/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ntu.edu.sg:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: MagicTune3.5.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg

O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AA218328-0EA8-4D70-8972-E987A9190FF4} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

 

FileFind Export log:
C:\Windows\system32\mswsock.dll - 228352 Bytes
C:\Windows\system32\dllcache\mswsock.dll - 228352 Bytes

Registry Search tool:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "zapspot" 29/04/2007 22:54:56

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ZML]
@="ZapSpot.ZML.1"

 

 

 

Another thing to add is that two of my friends on my MSN Messenger have received messages from me that provide links to a spyware site, which were not sent by me.

Edited by dreamz0708


Reconfigure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

 

Download mswsock.dll from here:

http://www.dll-files.com/dllindex/dll-files.shtml?mswsock

Click where it says: Click here to go to the download of mswsock.dll

In the pop-up window, click where it says: Download mswsock.dll

Save the file mswsock.zip to your Desktop

Extract mswsock.dll from the zip archive and save it to the following folders, overwriting the file that's currently there:

C:\Windows\system32\dllcache <-- replace the one in this folder first

C:\Windows\system32

 

Now you need to hide the files you un-hid earlier:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading unselect "Show hidden files and folders".

Check the "Hide protected operating system files (recommended)" option.

Click Yes to confirm. Click OK.

 

Please run the following instructions in this order.

 

Please run Notepad and paste the following text in the Code box into a new file:

 

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ZML]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

 

Download ComboFix© by sUBs from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Save the file to your Desktop.

Double click combofix.exe & follow the prompts.

Don't click on the ComboFix window while it's running; that could cause it to stall.

When finished, and after reboot, it should open a log, combofix.txt.

Post that log in your next reply.

 

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).

First, please close all other open programs, including any non-essential programs running in your System Tray (do NOT close your antivirus or firewall).

Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

 

Please post a new HijackThis log, the log from the Kaspersky's online scan, and in a second reply (due to length) the log from ComboFix (combofix.txt) and note any errors encountered.

Share this post


Link to post
Share on other sites

I managed to replace the DLL file in dllcache, but was unable to replace the DLL file in system32.

 

Extracting to "C:\WINDOWS\system32\"

Use Path: no Overlay Files: no

Error: The process cannot access the file because it is being used by another process.

Cannot create C:\WINDOWS\system32\mswsock.dll


Extract mswsock.dll to a convenient location.

 

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.

If done right a Windows Advanced Options menu will appear. Select the Safe Mode option (without networking) and press Enter.

To return to normal mode just restart your computer as you normally would.

 

Now try to move the file to your System32 folder.

 

Restart your system.

 

If that didn't work, run the System File Checker.

You may need your Windows Installation CD for this step.

Now please go to Start -> Run -> cmd and press Enter. At the command prompt type sfc /scannow, making sure to put a space between the "c" and the slash, and then press Enter. This will run the System File Checker. Follow the prompts, and insert your Windows installation CD if requested. Then please restart your computer.

 

Then continue with the rest of the previous instructions.


Ok, I need the Windows Installation CD but I don't have one with me right now.

I may need to get back home in the next few days to search for it before I come back.

 

May I get back to you a few days later..?

How long am I able to leave this forum?


Go ahead and run the System File Checker.

It only asks for the install CD if it has to replace a file, and can't find it in one of several other folders first.

If it asks for the disc, stop it and run it once you find the disc.

Don't worry about waiting a few days, I won't close the topic, and should be notified by the board when you make a reply.


Hi, I'm back. Thanks for your patience.

 

I ran the System File Checker and inserted the Windows installation CD as required. After it finished running, there was no report or anything; it closed itself. Then I restarted the computer and tried to replace the mswsock.dll in system32 again, but the same problem arose.


Create a Restore Point

  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close

Let's make sure you still have hidden files/folders showing.

Reconfigure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

 

Let's try to turn off Windows File Protection:

Please run Notepad and copy (don't try to type this, you could have a typo) & paste the following text in the Code box into a new file:

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

Save the file to the desktop as sfc-off.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on sfc-off.reg, and click Yes to merge it with the registry.

 

Restart your system.

 

Now replace the mswsock.dll in the following folders with the copy you downloaded:

C:\Windows\system32\dllcache

C:\Windows\system32

 

Let's turn Windows File Protection back on:

Please run Notepad and copy (don't try to type this, you could have a typo) & paste the following text in the Code box into a new file:

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000

Save the file to the desktop as sfc-on.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on sfc-on.reg, and click Yes to merge it with the registry.

 

Restart your system.

 

Did you encounter any errors?

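
Added example, not code from the thread or from any of the tools it mentions: a small Python parser for the REGEDIT4 text used in the two scripts above. It reads either script, or a later `reg export` of the Winlogon key, and reports whether the SFCDisable value it finds leaves Windows File Protection on or off, which is the check to make before trusting that the second script was merged. The only two SFCDisable values it recognises are the ones the thread uses (0 for the default, ffffff9d for off); anything else is reported as unknown, which is an assumption of this example.

```python
"""Parse a REGEDIT4-style .reg file and report the Windows File Protection state.

Added example (not from the forum thread).  It accepts the sfc-off.reg /
sfc-on.reg text posted above, or an export made with
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" wfp.reg
and classifies the SFCDisable value it finds.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# 0 is the default (WFP on); 0xffffff9d is the value the thread merges to switch
# WFP off.  Assumption of this example: only these two are classified, any other
# value is reported as "unknown" rather than guessed at.
SFC_STATES = {0x00000000: "enabled", 0xFFFFFF9D: "disabled"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<val>.+)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 / Version 5.00 file.

    dword values become ints, quoted strings become str (with \\\\ and \\" unescaped),
    every other right-hand side is kept raw so nothing is silently dropped.
    The default value of a key is stored under the name "@".
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT4")
                or line.startswith("Windows Registry Editor")):
            continue  # blank line, comment, or file header
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") or "@"
            val = m.group("val")
            if val.lower().startswith("dword:"):
                value = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                value = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = val
            tree[current][name] = value
    return tree


def wfp_status(text):
    """Classify the SFCDisable value in a .reg text: enabled / disabled / unknown / not set."""
    tree = parse_reg(text)
    # Key paths in .reg files are case-insensitive, so compare case-folded.
    for key, values in tree.items():
        if key.lower() == WINLOGON_KEY.lower() and "SFCDisable" in values:
            return SFC_STATES.get(values["SFCDisable"], "unknown")
    return "not set"


# Constructed inputs mirroring the two scripts posted in the thread.
SFC_OFF = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"SFCDisable"=dword:ffffff9d
"""

SFC_ON = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"SFCDisable"=dword:00000000
"""

if __name__ == "__main__":
    for label, body in (("sfc-off.reg", SFC_OFF), ("sfc-on.reg", SFC_ON)):
        print(f"{label}: Windows File Protection {wfp_status(body)}")
```

Feed it the output of `reg export` after the sfc-on.reg step and expect "enabled"; note that `reg export` may write the file as UTF-16 depending on the Windows version, so decode it to text before calling `wfp_status`.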

After double-clicking on sfc-off.reg and restarting the computer, I am still unable to replace the mswsock.dll in system32. The same error appears again.


One of the Experts on the board, LonnyRJones, just pointed out to me that that detection was due to a problem with SDFix that has since been fixed, and there's nothing actually wrong with your copy of mswsock.dll.

 

Be sure you have run the second script I posted to restore that registry setting back to the default.

 

Then please run Kaspersky's online virus check and ComboFix as previously requested and post their logs, along with a new HijackThis log.


HJT Log:

 

Logfile of HijackThis v1.99.1

Scan saved at 16:55:39, on 10/05/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\HHVcdV5Sys\VC5SecS.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\System32\TrayIcon.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HHVcdV5Sys\VC5Play.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\SPYWAR~1\swdoctor.exe

C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe

C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\VideoLAN\VLC\vlc.exe

C:\HJT\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.ntu.edu.sg/proxy.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ntu.edu.sg:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: MagicTune3.5.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg

O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AA218328-0EA8-4D70-8972-E987A9190FF4} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - http://activex.microsoft.com/objects/ocget.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

Kav Scan Log:

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Thursday, May 10, 2007 4:52:03 PM

Operating System: Microsoft Windows XP Professional, (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 10/05/2007

Kaspersky Anti-Virus database records: 316062

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

L:\

 

Scan Statistics:

Total number of scanned objects: 71332

Number of viruses found: 6

Number of infected objects: 10 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:12:13

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\chai\.housecall\Quarantine\Favorite.dll.bac_a01952 Infected: not-a-virus:AdWare.Win32.Favman.a skipped

C:\Documents and Settings\chai\.housecall\Quarantine\iezset.exe.bac_a01952 Infected: not-a-virus:AdWare.Win32.EZula.ac skipped

C:\Documents and Settings\chai\.housecall6.6\Quarantine\Favorite.dll.bac_a01952 Infected: not-a-virus:AdWare.Win32.Favman.a skipped

C:\Documents and Settings\chai\.housecall6.6\Quarantine\iezset.exe.bac_a01952 Infected: not-a-virus:AdWare.Win32.EZula.ac skipped

C:\Documents and Settings\chai\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\chai\DoctorWeb\Quarantine\mirc___0.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\Documents and Settings\chai\DoctorWeb\Quarantine\S.H.E Ambience.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.582 skipped

C:\Documents and Settings\chai\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\chai\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\chai\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\chai\Local Settings\History\History.IE5\MSHist012007051020070511\index.dat Object is locked skipped

C:\Documents and Settings\chai\Local Settings\Temp\~DFD1CA.tmp Object is locked skipped

C:\Documents and Settings\chai\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\chai\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\chai\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\System Volume Information\_restore{2E6A2B73-B1F5-413E-9518-16A9D763B7F1}\RP405\A0315916.dll Infected: not-a-virus:AdWare.Win32.Ipend skipped

C:\System Volume Information\_restore{2E6A2B73-B1F5-413E-9518-16A9D763B7F1}\RP405\change.log Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\METEOR.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\Temp\ZLT03b0e.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

D:\System Volume Information\_restore{2E6A2B73-B1F5-413E-9518-16A9D763B7F1}\RP405\change.log Object is locked skipped

 

Scan process completed.

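
As an added example (not code from the thread, nor from HijackThis or Kaspersky), here is a small Python triage script for the two log formats posted above. It parses HijackThis entry lines and Kaspersky report lines, then separates what deserves a human look (autostart or service entries whose file is missing, ActiveX downloads, live detections) from the noise that fills most of such reports (locked system files, items already sitting in another scanner's quarantine). The sample lines are copied from the logs in this post; the rule that anything under a `Quarantine` or `backups` folder is already contained is an assumption of this example, as is treating every signature without Kaspersky's `not-a-virus:` prefix as malware.

```python
"""Triage helper for HijackThis and Kaspersky Online Scanner log lines.

Added example, not part of the forum thread or of either tool.
"""
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command" or
# "O23 - Service: ... - path (file missing)".
_HJT_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Kaspersky report lines: "<path> Infected: <signature> <action>" or
# "<path> Object is locked skipped".
_KAV_INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<sig>\S+) (?P<action>\w+)$")
_KAV_LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def parse_hjt(lines):
    """Return one dict per HijackThis entry line (Rn / Fn / On); other lines are ignored."""
    entries = []
    for line in lines:
        m = _HJT_RE.match(line.strip())
        if m:
            entries.append({
                "section": m.group("sec"),
                "body": m.group("body"),
                "file_missing": "(file missing)" in m.group("body"),
            })
    return entries


def hjt_findings(lines):
    """Entries worth review: missing-file autostarts/services and ActiveX downloads (O16)."""
    out = []
    for e in parse_hjt(lines):
        if e["file_missing"]:
            out.append(("orphaned", e["section"], e["body"]))
        elif e["section"] == "O16":
            # O16 entries are ActiveX controls fetched from the web; each is worth a glance.
            out.append(("activex-download", e["section"], e["body"]))
    return out


def parse_kav(lines):
    """Classify Kaspersky report lines as locked or infected, keeping the signature name."""
    results = []
    for line in lines:
        line = line.strip()
        m = _KAV_INFECTED_RE.match(line)
        if m:
            sig, path = m.group("sig"), m.group("path")
            results.append({
                "path": path,
                "signature": sig,
                # Kaspersky prefixes riskware/adware with "not-a-virus:"; assume the rest is malware.
                "malware": not sig.startswith("not-a-virus:"),
                # Assumption: files under another scanner's quarantine/backup folder are contained.
                "quarantined": "\\quarantine\\" in path.lower() or "\\backups\\" in path.lower(),
            })
            continue
        m = _KAV_LOCKED_RE.match(line)
        if m:
            results.append({"path": m.group("path"), "signature": None,
                            "malware": False, "quarantined": False})
    return results


def kav_findings(lines):
    """Live detections only (signature present, not quarantined), malware sorted first."""
    hits = [r for r in parse_kav(lines) if r["signature"] and not r["quarantined"]]
    return sorted(hits, key=lambda r: (not r["malware"], r["path"]))


# Sample lines copied from the logs posted in the thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ntu.edu.sg:8080
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip().splitlines()

KAV_SAMPLE = r"""
C:\Documents and Settings\chai\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\chai\.housecall\Quarantine\Favorite.dll.bac_a01952 Infected: not-a-virus:AdWare.Win32.Favman.a skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\System Volume Information\_restore{2E6A2B73-B1F5-413E-9518-16A9D763B7F1}\RP405\A0315916.dll Infected: not-a-virus:AdWare.Win32.Ipend skipped
""".strip().splitlines()

if __name__ == "__main__":
    for kind, sec, body in hjt_findings(HJT_SAMPLE):
        print(f"[HJT {kind}] {sec} - {body}")
    for r in kav_findings(KAV_SAMPLE):
        print(f"[KAV {'MALWARE' if r['malware'] else 'riskware'}] {r['signature']}  {r['path']}")
```

Run against the full logs above, the script surfaces the two `(file missing)` entries and the O16 downloads from the HijackThis log, and from the Kaspersky report only the mIRC binary and the restore-point copy of the adware, since the SDFix backup and the HouseCall quarantine hits are already contained.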

ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\chai\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

d:\autorun.inf

C:\install.log

 

 

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\nm

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))

 

 

2007-04-29 02:36 <DIR> d-------- C:\DOCUME~1\chai\DoctorWeb

2007-04-22 23:04 <DIR> d-------- C:\HJT

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-05-10 06:50:02 -------- d-----w C:\Program Files\mIRC

2007-04-29 07:16:49 -------- d-----w C:\Program Files\Spyware Doctor

2007-04-29 07:09:07 -------- d-----w C:\Program Files\HHVcdV5Sys

2007-04-07 15:35:05 202,240 ----a-w C:\WINDOWS\system32\screensaver_100.scr

2007-04-04 17:04:09 -------- d-----w C:\Program Files\MIKSOFT

2007-04-04 15:20:26 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-03-29 09:59:28 -------- d-----w C:\DOCUME~1\chai\APPLIC~1\vlc

2007-03-29 09:52:32 -------- d-----w C:\Program Files\VideoLAN

2007-03-28 09:28:38 26,123 ----a-w C:\WINDOWS\scunin.dat

2007-03-28 09:28:36 967 ----a-w C:\WINDOWS\ScUnin.pif

2007-03-28 09:28:36 70,656 ----a-w C:\WINDOWS\ScUnin.exe

2007-03-27 19:11:02 -------- d-----w C:\Program Files\iWin.com

2007-03-20 14:27:25 -------- d-----w C:\Program Files\Veoh Networks

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"

"{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}"="C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll"

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

"{9394EDE7-C8B5-483E-8773-474BF36AF6E4}"="C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll"

"{B56A7D7D-6927-48C8-A975-17DF180C71AC}"="C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll"

"{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"="C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"C-Media Speaker Configuration"="C:\\PROGRA~1\\C-Media\\WIN_ME\\Setup.exe /SPEAKER"

"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"

"DisplayTrayIcon"="C:\\WINDOWS\\System32\\TrayIcon.exe"

"nwiz"="nwiz.exe /install"

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"

"VC5Player"="C:\\Program Files\\HHVcdV5Sys\\VC5Play.exe"

"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"

"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"

"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

"Spyware Doctor"="C:\\PROGRA~1\\SPYWAR~1\\swdoctor.exe /Q"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Microsoft Mapped PC"="mapppc.exe"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"Btn_Back"=dword:00000000

"Btn_Forward"=dword:00000000

"Btn_Stop"=dword:00000000

"Btn_Refresh"=dword:00000000

"Btn_Home"=dword:00000000

"Btn_Search"=dword:00000000

"Btn_History"=dword:00000000

"Btn_Favorites"=dword:00000000

"Btn_Folders"=dword:00000000

"Btn_Fullscreen"=dword:00000000

"Btn_Tools"=dword:00000000

"Btn_MailNews"=dword:00000000

"Btn_Size"=dword:00000000

"Btn_Print"=dword:00000000

"Btn_Edit"=dword:00000000

"Btn_Discussions"=dword:00000000

"Btn_Cut"=dword:00000000

"Btn_Copy"=dword:00000000

"Btn_Paste"=dword:00000000

"Btn_Encoding"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source REG_SZ http://stars.udn.com/star/download/Downloa...14desktop01.jpg

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

Source REG_SZ http://tw.music.yahoo.com/picture/118/m_1521.gif

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]

Source REG_SZ http://www.him.com.tw/news/photo/s.h.e[%E4%B8%8D%E6%83%B3%E9%95%B7%E5%A4%A7]mv01.jpg

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]

Source REG_SZ http://www.bankersonline.com/images/ambition.jpg

 

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages msv1_0\0\0

Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages scecli\0\0

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp

"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccregvfy

"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\datalayer

C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mediaxpservicepack

mxpsp.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft mapped pc

mapppc.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mirabilis icq

C:\Program Files\ICQ\NDetect.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau

"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl

C:\Program Files\Windows Media Player\wmplayer.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerocheck

C:\WINDOWS\system32\NeroCheck.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nokia tray application

C:\Program Files\Common Files\Nokia\Tools\NclTray.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pointer

point32.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seli

C:\WINDOWS\exe82.exe

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

 

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent

"C:\Program Files\Winamp3\\winampa.exe"

 

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService DnsCache\0\0

rpcss RpcSs\0\0

imgsvc StiSvc\0\0

termsvcs TermService\0\0

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

 

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070429-042232-205

R3 - Default URLSearchHook is missing

backup-20070429-042232-297

O23 - Service: Audio Adapter (VGADown) - Unknown owner - C:\WINDOWS\avp.exe (file missing)

backup-20070429-042232-902

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\System32\spolsv.exe (file missing)

backup-20070429-042232-123

O4 - HKLM\..\Run: [_28598c] C:\WINDOWS\System32\_28598c.exe

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Symantec NetDetect.job

 

********************************************************************

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-10 15:14:13

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-10 15:15:18 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-10 15:15

 

 

 

Thx for the help. :)

By the way, the mswsock.dll in system32 and dllcache have a different file size from the downloaded mswsock.dll. So it's all right?


You can delete the file version you downloaded. The reason they are a different size is that you've never updated your copy of Windows. Why have you never updated it? You haven't even installed SP1 yet. Unless you install SP2 and all critical updates, you will continue to be vulnerable. You should immediately go to Windows Update and install SP2 and all critical updates. After you do that, please post another HijackThis log and I will check it for you. Until you do, your system will remain vulnerable, and it's only a matter of time until you become re-infected.


Oh dear... I went to update to SP2 but the computer restarted halfway through. Then it said the setup was interrupted and attempted to restore. It restarted again and, after the Windows loading bar, it hung at the login window. The mouse is able to move, however there wasn't any user account for me to click on.

 

I don't know what I should do... perhaps it's time for me to reformat the hdd.

 

Anyway, thanks for all the help. :)


Let's see if you can repair the windows installation.

 

XP Repair install

 

Boot the computer using the XP CD. You may need to change the boot order in the system BIOS so the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and change the boot order. When you see the "Welcome To Setup" screen, you will see the options below. This portion of the Setup program prepares Microsoft Windows XP to run on your computer:

 

To setup Windows XP now, press ENTER.

 

To repair a Windows XP installation using Recovery Console, press R.

 

To quit Setup without installing Windows XP, press F3.

 

Press Enter to start the Windows Setup. Do not choose "To repair a Windows XP installation using the Recovery Console, press R" (you Do Not want to load Recovery Console). I repeat, do not choose "To repair a Windows XP installation using the Recovery Console, press R".

 

Accept the License Agreement and Windows will search for existing Windows installations. Select the XP installation you want to repair from the list and press R to start the repair. If Repair is not one of the options, END setup. After the reboot read Warning#2!

 

Setup will copy the necessary files to the hard drive and reboot. Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.

 

You will need to go to Windows Update and reinstall all the critical updates after you do that.

Did that work?


"Setup will copy the necessary files to the hard drive and reboot. Do not press any key to boot from CD when the message appears."

 

after the above instruction is done, i get into the window installation. it require a file to continue, but it can't find from the default directory.

 

"The file 'asms' on Windows XP Professional CD-ROM is needed."Type the path where the file is located, and then click OK"

the default directory is "GLOBALROOT\DEVICE\CDROM\I386".

 

Is it that my CD has a problem, or is the directory wrong?


Is your install CD an original MS install CD with a hologram, or is it a burned disc?


Original.

I backed up the files on another hard disk and reformatted the drive.

Currently it is updated to SP2.

 

Thanks for all the help, TheJoker. =)


Even though you reformatted and reinstalled, I recommend posting a new HijackThis log and I'll review it for you.


New HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:39:04 PM, on 6/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\WF2K.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\NotifyPhoneBook.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe C:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{91083F24-629F-4586-87FA-F0C2D3C33C81}: NameServer = 165.21.83.88 165.21.100.88

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Even though I have reformatted the drive, I encounter some problems when connecting to the internet.

I need to restart my com a few times before I can get a successful dial-up connection. Sometimes after surfing the net for a while, an error box will pop up saying that the "Generic Win32" encounters an error and needs to be shut down. Then it will disconnect from the internet and be unable to dial up again.

 

Is it that my drivers are not installed properly?


Run HijackThis and click "Do a system scan only." Place a check next to the following entry (if still there):

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

 

Now close all browsers and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entry you checked.

 

Right-click on My Computer and select Properties.

Click on the Automatic Updates tab.

Select Turn off Automatic Updates.

Click Ok.

Restart your system.

 

Did turning off Automatic Updates fix the error?

If it did, you need to remember to periodically check for Windows Updates. MS tries to schedule their release on the second Tuesday of each month, although there may be an update at any time if it's important enough.

 

Please post a new HijackThis log.

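As an added example, not code from this thread or from HijackThis, here is a small Python triage script that parses lines in the HijackThis 1.99.1 format shown above and flags the kinds of entries a helper looks at first: an O2 BHO with "(no file)" (the entry fixed in this post), O10 Winsock LSP entries, the O17 NameServer line, and an O23 service whose binary is missing. The sample lines are constructed from the posted log, and the flagging rules are my own assumptions rather than HijackThis's logic.

```python
"""Triage helper for HijackThis 1.99.1 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines shaped like the log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nvappfilter.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{91083F24-629F-4586-87FA-F0C2D3C33C81}: NameServer = 165.21.83.88 165.21.100.88
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\apache.exe" -k runservice (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O2 - <body>", "O23 - <body>", ...
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")      # CLSID in braces

@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O2"
    reason: str    # why a reviewer should look at it
    line: str      # the original log line

def parse_entry(line: str):
    """Split a log line into (section, body); None for headers and process paths."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text: str) -> list:
    """Return the entries a reviewer would examine, in log order (assumed rules)."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O2" and body.endswith("(no file)"):
            guid = GUID_RE.search(body)
            clsid = guid.group(0) if guid else "?"
            findings.append(Finding(section, f"orphaned BHO registration {clsid}: "
                                    "CLSID points to no DLL, safe to let HijackThis fix", raw))
        elif section == "O10":
            findings.append(Finding(section, "Winsock LSP with an unrecognised file; identify "
                                    "the owner first, removing an LSP wrongly can break networking", raw))
        elif section == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            findings.append(Finding(section, "DNS servers set to " + ", ".join(servers)
                                    + "; confirm they belong to the ISP", raw))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "service registered but its binary is missing", raw))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```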

New HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:12:13 PM, on 6/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\WF2K.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\NotifyPhoneBook.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\HJT\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe C:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{91083F24-629F-4586-87FA-F0C2D3C33C81}: NameServer = 165.21.83.88 165.21.100.88

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks for the prompt reply. :)

I turned off the automatic update, but the problem still persists.

I have exactly the same problem as this guy. They too have not solved the problem yet.

I am searching the net now to see if I can find any solutions.

 

http://forums.spywareinfo.com/index.php?showtopic=100083

 

Hi! The initial problem is still there. I still get the error message "Generic Host Process Win32 Services". The message appears 5~15 mins after I connect to the internet. The taskbar will change from the Windows XP style to the classic style for a while, then change back. I tried to disconnect my internet but was not able to.

 

*edited:

A piece of info to add on... I clicked on the technical error report when the "Generic Host Process Win32 Services" error message popped up.

 

C:\DOCUME~1\pd\LOCALS~1\Temp\WERe3db.dir00\svchost.exe.mdmp

C:\DOCUME~1\pd\LOCALS~1\Temp\WERe3db.dir00\appcompat.txt

Edited by dreamz0708


Can you post the contents of:

C:\Documents and Settings\pd\Local Settings\Temp\WERe3db.dir00\appcompat.txt

 

If it's too large, you can zip it and attach it to your reply.


I can't find the folder WERe3db.dir00; instead I found WER6edc.dir00. But the file is not there.

I also tried searching for the txt file, but with no result.

 

The updated patch might have done something.


I'm glad to hear that the problem seems to have been eliminated. :D

 

Create a Restore Point

  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close

Remember to periodically go to Windows Update (Start > Windows Update) to check for and install all Critical and Security updates.

 

Run Disk Cleanup

  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).

There are several free utilities you can use to help keep malware off your system:

 

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/winhelp2002/hosts.htm.

 

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewarrior.com/uiuc/resource.htm.

 

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacoolsoftware.com/products.html.

 

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywareinfo.com/index.php?showtopic=60955

 

Does your problem appear resolved?


Currently I think there's no problem encountered. :)

 

Really, thanks for all the help and guidance. :) I have learnt a lot about protecting my computer.

 

By the way, should I use Mozilla or IE to surf the net? It seems that most programs like MVPS HOSTS, IE-SPYAD, and Spybot - Search & Destroy's Immunize feature are all protecting IE. But Tony Klein's article "So How did I get Infected in the First Place?" says it's better to use Mozilla. So which browser should I use? If I use Mozilla, any recommended settings to step up the security?


I would recommend using Firefox for your browsing; it's more secure than Internet Explorer. For some sites you will still need Internet Explorer, such as most online virus scanners and Windows Update.

 

If i use Mozilla, any recommended settings to step up the security?

Here's a site for some suggested Firefox security settings:

http://www.techspot.com/guides/44-firefox2...uide/page7.html

 

Does that help?


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
