Help with "Privacy Protector" malware!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

libcal

Thread Starter
Joined
Oct 31, 2007
Messages
4
My stupid mistake by accepting an ActiveObject in IE and now my wallpaper has been changed to this PrivacyProtection malware and three shortcuts added.

Please see my Hijackthis log below and help me!

Thanks!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:30 AM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Mobility Client\artstartsvc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\progra~1\c4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\notes\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\progra~1\c4ebreg\isamtray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: TBSB06559 - {5E65C12C-D4DE-4FBA-B548-4DF4E5F78819} - C:\PROGRA~1\IBMTOO~1\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: MSVPS System - {90CF5384-7C70-4CD6-A30D-B2F14537B5C3} - C:\WINDOWS\movctrlwxq.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: IBM Toolbar - {83DC8BD3-AB6C-4E32-BF78-40F1200D598E} - C:\Program Files\IBM Toolbar\toolbar.dll
O3 - Toolbar: The nssfrch - {7D61C1B5-86AF-439F-9ACF-D19FDB5F55CC} - C:\WINDOWS\nssfrch.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [QCWLICON] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [defergui] c:\sdwork\defergui.exe
O4 - HKLM\..\Run: [ISAMTray] "C:\progra~1\c4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [borfgvtp] D;]XJOEPXT]tztufn43]Svoemm43/fyf!#D;]XJOEPXT]tztufn43]deoqsi/emm#-Tubsu
O4 - HKLM\..\Run: [SysTdSvr] C:\WINDOWS\system32\Rundll32.exe "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKLM\..\Run: [Sysmppcv] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DownloadGrid] C:\Program Files\IBM\Java142\jre\javaws\javaws.exe http://downloadgrid.webahead.ibm.com/DownloadGridAppletWrapper/client/JNLPWrapper
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 使用iTudou下载节目 - C:\Program Files\iTudou\iTudou_Link.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: D?à?UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} - C:\Program Files\sina\UC\uc.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {448A5F6B-8C03-4B54-A338-F00237C508AD} (WEBChatRoomOCX Control) - http://www.51uc.com/cab/WEBChatRoom_1_51.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = IBM.COM,
O17 - HKLM\System\CS1\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = IBM.COM,
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O21 - SSODL: bxsbang - {F82BF1F4-B4E9-41EF-AD68-7D330E8F1491} - C:\WINDOWS\bxsbang.dll
O21 - SSODL: ocgrep - {ECF2CF6A-8CE6-4FDD-86F2-BFE6FD8F72AB} - C:\WINDOWS\ocgrep.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Mobility Client (ArtourService) - Unknown owner - C:\Program Files\IBM\Mobility Client\artsvc.exe
O23 - Service: IBM Mobility Client Start Utility (artstartsvc) - Unknown owner - C:\Program Files\IBM\Mobility Client\artstartsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\progra~1\c4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: Indexing Data (lDOMANE) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Creative VF0250 RunApp Service (V0250Srv) - Creative Technology Ltd. - C:\PROGRA~1\Creative\V0250Srv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 15077 bytes
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi, Welcome to TSG!!

The P2P programs you have installed expose you to risks because of the nature of the P2P file sharing process. File sharing/P2P programs rely on members giving and gaining unrestricted access to computers across the P2P network. This practice can make you vulnerable to data and identity theft. It also exposes you to very malicious worms and trojans. You change those risky default settings to a safer configuration but the act of downloading files from an anonymous source greatly increases your exposure to infection.


Please download (save) SmitfraudFix (by S!Ri) to your desktop. SmitfraudFix runs under W2K, XP only.

Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
to a new folder called SmitfraudFix.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

libcal

Thread Starter
Joined
Oct 31, 2007
Messages
4
cybertech said:
Hi, Welcome to TSG!!

The P2P programs you have installed expose you to risks because of the nature of the P2P file sharing process. File sharing/P2P programs rely on members giving and gaining unrestricted access to computers across the P2P network. This practice can make you vulnerable to data and identity theft. It also exposes you to very malicious worms and trojans. You change those risky default settings to a safer configuration but the act of downloading files from an anonymous source greatly increases your exposure to infection.


Please download (save) SmitfraudFix (by S!Ri) to your desktop. SmitfraudFix runs under W2K, XP only.

Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
to a new folder called SmitfraudFix.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Thanks for the help! Below is the result of the search. My system language is Chinese
so there might be some encoding issues.

SmitFraudFix v2.246

Scan done at 17:19:22.99, 11/01/2007 Thu
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

换换换换换换换换换换换换 Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Mobility Client\artstartsvc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\progra~1\c4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Java\jre1.5.0_08\bin\javaw.exe
C:\notes\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\notes\NLNOTES.EXE
C:\Program Files\IBM\Mobility Client\artcore.exe
C:\Program Files\IBM\Mobility Client\artifdown.exe
C:\notes\ntaskldr.EXE
C:\Program Files\IBM\WID602\eclipse\eclipse.exe
C:\Program Files\IBM\WID602\eclipse\jre\bin\javaw.exe
C:\WINDOWS\system32\calc.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\WINDOWS\system32\cmd.exe

换换换换换换换换换换换换 hosts


换换换换换换换换换换换换 C:\


换换换换换换换换换换换换 C:\WINDOWS

C:\WINDOWS\bxsbang.dll FOUND !
C:\WINDOWS\kthemup.exe FOUND !
C:\WINDOWS\movctrlwxq.dll FOUND !
C:\WINDOWS\nssfrch.dll FOUND !
C:\WINDOWS\ocgrep.dll FOUND !

换换换换换换换换换换换换 C:\WINDOWS\system


换换换换换换换换换换换换 C:\WINDOWS\Web


换换换换换换换换换换换换 C:\WINDOWS\system32


换换换换换换换换换换换换 C:\Documents and Settings\Administrator


换换换换换换换换换换换换 C:\Documents and Settings\Administrator\Application Data


换换换换换换换换换换换换 Start Menu


换换换换换换换换换换换换


换换换换换换换换换换换换 Desktop


换换换换换换换换换换换换 C:\Program Files


换换换换换换换换换换换换 Corrupted keys


换换换换换换换换换换换换 Desktop Components



换换换换换换换换换换换换 Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


换换换换换换换换换换换换 AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\Manager.dll"


换换换换换换换换换换换换 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


换换换换换换换换换换换换 Rustock



换换换换换换换换换换换换 DNS

Description: 11a/b/g Wireless LAN Mini PCI Adapter
DNS Server Search Order: 192.168.0.1

Description: IBM Mobility Client Virtual Adapter
DNS Server Search Order: 9.0.9.1
DNS Server Search Order: 9.0.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D1EAEC50-E950-4382-9A06-61E8C4D3782A}: DhcpNameServer=9.0.9.1 9.0.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{833A38E2-6A00-426C-A414-7989FF2079C3}: NameServer=鹈g
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D1EAEC50-E950-4382-9A06-61E8C4D3782A}: DhcpNameServer=9.0.9.1 9.0.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{833A38E2-6A00-426C-A414-7989FF2079C3}: NameServer=鹈g
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


换换换换换换换换换换换换 Scanning for wininet.dll infection


换换换换换换换换换换换换 End
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.



Please post the C:\rapport.txt and a new HJT log in your next reply.
 

libcal

Thread Starter
Joined
Oct 31, 2007
Messages
4
Thanks cybertech!

Here is the result of running option #2. One thing I'm not sure about is that after the cleaning and restart of my computer I still got a pop up window: "Windows can't find
C:/Windows/System32/SystdSvr.dll". Not sure if something is trying to load this dll?

Appreciate your help a lot!

---------------------
SmitFraudFix v2.246

Scan done at 12:23:06.97, 11/02/2007 Fri
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

换换换换换换换换换换换换 SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

换换换换换换换换换换换换 Killing process


换换换换换换换换换换换换 hosts

127.0.0.1 localhost

换换换换换换换换换换换换 Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


换换换换换换换换换换换换 Generic Renos Fix

GenericRenosFix by S!Ri


换换换换换换换换换换换换 Deleting infected files

C:\WINDOWS\bxsbang.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{F82BF1F4-B4E9-41EF-AD68-7D330E8F1491}]
C:\WINDOWS\kthemup.exe Deleted
C:\WINDOWS\movctrlwxq.dll Deleted
C:\WINDOWS\nssfrch.dll Deleted
C:\WINDOWS\ocgrep.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{ECF2CF6A-8CE6-4FDD-86F2-BFE6FD8F72AB}]

换换换换换换换换换换换换 DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: DhcpNameServer=192.168.0.1


换换换换换换换换换换换换 Deleting Temp Files


换换换换换换换换换换换换 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


换换换换换换换换换换换换 Registry Cleaning

Registry Cleaning done.

换换换换换换换换换换换换 SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


换换换换换换换换换换换换 End
 

libcal

Thread Starter
Joined
Oct 31, 2007
Messages
4
I removed(hopefully) the systdsrv.dll with Hijackthis. Not sure if there's anything else in
the system. Here is the log file. Thanks a lot for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:12 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Mobility Client\artstartsvc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\progra~1\c4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Java\jre1.5.0_08\bin\javaw.exe
C:\notes\ntmulti.exe
C:\WINDOWS\System32\QCONSVC.EXE
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\progra~1\c4ebreg\isamtray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\V0250Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\IBM\Mobility Client\artcore.exe
C:\Program Files\IBM\Mobility Client\artifdown.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IBM\Mobility Client\artbcast.exe
C:\notes\NLNOTES.EXE
C:\notes\ntaskldr.EXE
C:\Program Files\IBM\WID602\eclipse\eclipse.exe
C:\Program Files\IBM\WID602\eclipse\jre\bin\javaw.exe
C:\hijackthis\HiJackThis.exe

O1 - Hosts: 9.43.32.156 robert-zpro.ibm.com robert-zpro
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: TBSB06559 - {5E65C12C-D4DE-4FBA-B548-4DF4E5F78819} - C:\PROGRA~1\IBMTOO~1\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: IBM Toolbar - {83DC8BD3-AB6C-4E32-BF78-40F1200D598E} - C:\Program Files\IBM Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [QCWLICON] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [defergui] c:\sdwork\defergui.exe
O4 - HKLM\..\Run: [ISAMTray] "C:\progra~1\c4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DownloadGrid] C:\Program Files\IBM\Java142\jre\javaws\javaws.exe http://downloadgrid.webahead.ibm.com/DownloadGridAppletWrapper/client/JNLPWrapper
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 使用iTudou下载节目 - C:\Program Files\iTudou\iTudou_Link.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: D?à?UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} - C:\Program Files\sina\UC\uc.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {448A5F6B-8C03-4B54-A338-F00237C508AD} (WEBChatRoomOCX Control) - http://www.51uc.com/cab/WEBChatRoom_1_51.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = IBM.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{080CA878-69C8-4EF0-A7D8-2C6B5C6BE9B0}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = IBM.COM
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Mobility Client (ArtourService) - Unknown owner - C:\Program Files\IBM\Mobility Client\artsvc.exe
O23 - Service: IBM Mobility Client Start Utility (artstartsvc) - Unknown owner - C:\Program Files\IBM\Mobility Client\artstartsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\progra~1\c4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: Indexing Data (lDOMANE) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Creative VF0250 RunApp Service (V0250Srv) - Creative Technology Ltd. - C:\PROGRA~1\Creative\V0250Srv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 15012 bytes
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
You should remove BitTorrent.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. This is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 update 3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top