Hijack This Log, Please help to remove sheriff spy


minifunny

Thread Starter
Joined
Jul 1, 2005
Messages
10
Hi, the following is my HJT log. My OS is Windows XP 2002 Chinese Edition.




Logfile of HijackThis v1.99.1
Scan saved at 上午 12:35:18, on 2005/7/2
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\eeadl.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\r0mio9sq.exe
C:\Program Files\Qhnphw\Clahyr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\ICQ\icq.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\sctt\eeso.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack this\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: (no name) - {E74432F0-2916-079C-3196-0A3F987B54B4} - C:\WINDOWS\System32\CDM\qgfuswwdfd.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [PNa7RVAmB] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [婩?&Oc/Nqg{8] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [?W?&#22421;?\&#34914;&#39891;<&#24727;C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [:ylC&#36840;?&#38724;? ?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [$?&#24480;K?$}&#32185;?E&#20597;?&#36968;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#58512;?&#58176;?Rh&#31988;&#33785;&#38267;?aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#37460;$~g?9{&#24486;&#36662; A\&#33839;&#58760;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\system32\services\wmplayer.exe
O4 - HKLM\..\Run: [n?&#36577;&#21344;N??<i?~&#32023;C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#39999;??&#60791;&#30288;?q&#31123;&#59935;?&#59545;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [r0mio9sq] C:\WINDOWS\System32\r0mio9sq.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SVCHOST.EXE
O4 - HKLM\..\Run: [<?-sDW&#60904;?=)\&#62405;W&#24686;C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Wrameh] C:\Program Files\Qhnphw\Clahyr.exe
O4 - HKLM\..\Run: [({V/&#24820;[&#32370;./&#128;.,BO~C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [MW.&#57719;&#24524;&#59733;!&#33029;
kv'&#30556;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [&#22276;9<&#62392;&#26955;&#20520;AR?f??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [&#35145;?yC&#58030;?&#36577;&#21344;N??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [q??&#37812;] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\icq.exe -minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Atpi] C:\Program Files\sctt\eeso.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {42BCE7C0-5E2B-11D7-8D51-0006291EDF61} (SendOrder Class) - https://trade.tsc.com.tw/ebroker/axebroker.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt03.com/dialer/internazionale_ver11.CAB
O16 - DPF: {DBFB1725-E5BD-43A1-9C18-9F7B054793E0} (SendOrder Class) - https://trade.tsc.com.tw/ebroker/axebroker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBAA80A3-9443-41DD-B967-3B394DDF9403}: NameServer = 140.123.106.13,140.123.1.2
O20 - AppInit_DLLs: 6jj1jf8kumi32sll.dll.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Secuirity Systems - {B73F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wsaln.dll
O21 - SSODL: System - {7697BF8F-508B-4C09-ADEB-A698FAA989D2} - vr_sys.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 
Joined
Feb 15, 2004
Messages
12,302
Hi, welcome to TSG.

Run the istbar removal!

Removal using the Adware.Istbar Removal Tool istsvc.exe

http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html


http://securityresponse.symantec.com/avcenter/FxIstbar.exe



Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php




Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click DelDomains.inf and choose Install.



* Click here to download smitRem.zip.



http://castlecops.com/zx/flrman1/smitRem.zip




* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.



* Go here to download CCleaner.


http://www.ccleaner.com/


* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.




* Download the trial version of Ewido Security Suite.



http://www.ewido.net/en/


* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



* Click here for info on how to boot to safe mode if you don't already know how.


http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"



R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: (no name) - {E74432F0-2916-079C-3196-0A3F987B54B4} - C:\WINDOWS\System32\CDM\qgfuswwdfd.dll
O4 - HKLM\..\Run: [PNa7RVAmB] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#59925;&#23145;?&Oc/Nqg{8] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [?W?&#22421;?\&#34914;&#39891;<&#24727;C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [:ylC&#36840;?&#38724;? ?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [$?&#24480;K?$}&#32185;?E&#20597;?&#36968;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#58512;?&#58176;?Rh&#31988;&#33785;&#38267;?aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#37460;$~g?9{&#24486;&#36662; A\&#33839;&#58760;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\system32\services\wmplayer.exe
O4 - HKLM\..\Run: [n?&#36577;&#21344;N??<i?~&#32023;C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#39999;??&#60791;&#30288;?q&#31123;&#59935;?&#59545;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [r0mio9sq] C:\WINDOWS\System32\r0mio9sq.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SVCHOST.EXE
O4 - HKLM\..\Run: [<?-sDW&#60904;?=)\&#62405;W&#24686;C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Wrameh] C:\Program Files\Qhnphw\Clahyr.exe
O4 - HKLM\..\Run: [({V/&#24820;[&#32370;./€.,BO~C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [MW.&#57719;&#24524;&#59733;!&#33029;
kv'&#30556;:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#22276;9<&#62392;&#26955;&#20520;AR?f??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [&#35145;?yC&#58030;?&#36577;&#21344;N??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [q??&#37812;] C:\WINDOWS\eeadl.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Atpi] C:\Program Files\sctt\eeso.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {42BCE7C0-5E2B-11D7-8D51-0006291EDF61} (SendOrder Class) - https://trade.tsc.com.tw/ebroker/axebroker.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTic....cab?refid=4600
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/m...pdownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt03.com/dialer/internazionale_ver11.CAB
O16 - DPF: {DBFB1725-E5BD-43A1-9C18-9F7B054793E0} (SendOrder Class) - https://trade.tsc.com.tw/ebroker/axebroker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBAA80A3-9443-41DD-B967-3B394DDF9403}: NameServer = 140.123.106.13,140.123.1.2
O20 - AppInit_DLLs: 6jj1jf8kumi32sll.dll.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Secuirity Systems - {B73F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wsaln.dll
O21 - SSODL: System - {7697BF8F-508B-4C09-ADEB-A698FAA989D2} - vr_sys.dll (file




Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINDOWS\nem220.dll
C:\WINDOWS\ceres.dll
C:\WINDOWS\wsem303.dll
C:\WINDOWS\System32\CDM\qgfuswwdfd.dll
C:\WINDOWS\System32\msvcrtid.exe
C:\WINDOWS\eeadl.exe
C:\WINDOWS\dnscleaner.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\r0mio9sq.exe
C:\Program Files\Qhnphw\Clahyr.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\winstall.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\sctt\eeso.exe
C:\Program Files\SpySheriff\SpySheriff.exe


Exit the Killbox.


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:

* Click on scanner
* Put a check by the following before you scan:
o Binder
o Crypter
o Archives
* Click the Start Scan button to start the scan.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop



* Start CCleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then
click the "Reset Web Settings" button. Click Apply then OK.



* Next go to Control Panel > Display. Click on the "Desktop" tab then click
the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you
should see an entry checked called something like "Security info" or similar.
If it is there, select that entry and click the "Delete" button. Click OK
then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here


http://www.pandasoftware.com/activescan/


When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, plus the ewido and ActiveScan logs.
 
Joined
Jul 26, 2002
Messages
46,349
These do not need to be fixed:

O17 - HKLM\System\CCS\Services\Tcpip\..\{DBAA80A3-9443-41DD-B967-3B394DDF9403}: NameServer = 140.123.106.13,140.123.1.2

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll


You may even lose the ability to connect to the internet if you fix that O17 entry.
 
Joined
Feb 15, 2004
Messages
12,302
Why is that O17 showing up anyway? It doesn't in mine. Is it because I have a router and proxies running?
 

minifunny

Thread Starter
Joined
Jul 1, 2005
Messages
10
Thank you guys, I've just finished all the steps. The following are the updated reports:

HiJack This log

Logfile of HijackThis v1.99.1
Scan saved at 下午 01:50:22, on 2005/7/2
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQ\icq.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
L:\移除SpyWare\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\icq.exe -minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
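
One way to check a follow-up log against the cleanup steps, added here as an example and not part of any post in this thread: it parses HijackThis result lines and reports which fix-list entries, and which Killbox-deleted paths, still appear after the cleanup. The sample data are short excerpts from the logs above; the function and variable names are this example's own.

```python
import re

# One HijackThis result line: section code (R3, F2, O4, O23 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A Windows path ending in an executable or library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)


def normalize(text):
    """Case-fold and collapse whitespace so cosmetic differences do not hide a match."""
    return " ".join(text.split()).casefold()


def parse_entries(log_text):
    """Return (code, body) for every result line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def persisting_entries(fix_list, followup_log):
    """Entries that were marked for fixing but are still present in the follow-up log."""
    remaining = {(code, normalize(body)) for code, body in parse_entries(followup_log)}
    return [(code, body) for code, body in parse_entries(fix_list)
            if (code, normalize(body)) in remaining]


def still_referenced(deleted_paths, followup_log):
    """Deleted-file paths that any line of the follow-up log still points at."""
    referenced = set()
    for line in followup_log.splitlines():
        for path in PATH_RE.findall(line):
            referenced.add(normalize(path))
    return [path for path in deleted_paths if normalize(path) in referenced]


# Excerpt of the entries the helper asked to fix (copied from the thread).
FIX_LIST = r"""
O4 - HKLM\..\Run: [PNa7RVAmB] C:\WINDOWS\eeadl.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
"""

# Excerpt of the paths given to Killbox (copied from the thread).
KILLBOX_PATHS = [
    r"C:\WINDOWS\eeadl.exe",
    r"C:\WINDOWS\System32\msvcrtid.exe",
    r"C:\Program Files\ISTsvc\istsvc.exe",
    r"C:\Program Files\SpySheriff\SpySheriff.exe",
]

# Excerpt of the follow-up log (copied from the thread).
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE
"""

if __name__ == "__main__":
    for code, body in persisting_entries(FIX_LIST, FOLLOWUP_LOG):
        print("still present:", code, "-", body)
    for path in still_referenced(KILLBOX_PATHS, FOLLOWUP_LOG):
        print("deleted file still referenced:", path)
```

A Run value that survives only means the registry entry is still there; whether the file it points to still exists has to be checked on disk.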
 

minifunny

Thread Starter
Joined
Jul 1, 2005
Messages
10
ewido report:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 上午 04:26:56, 2005/7/2
+ Report-Checksum: 799E6D2B

+ Date of database: 2005/7/1
+ Version of scan engine: v3.0

+ Duration: 43 min
+ Scanned Files: 100143
+ Speed: 38.52 Files/Second
+ Infected files: 96
+ Removed files: 96
+ Files put in quarantine: 96
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.ka -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000574.exe -> TrojanDownloader.Small.rr -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000656.dll -> TrojanDownloader.IstBar.ge -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000660.EXE -> Spyware.PowerScan -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000661.dll -> Spyware.SideFind -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000663.dll -> Spyware.SideFind -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000664.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000677.exe -> Spyware.WebRebates.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000699.dat -> Spyware.TopMoxie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000701.dat -> Spyware.TopMoxie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000714.EXE -> Spyware.WebRebates.d -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000715.EXE -> Spyware.WebRebates.d -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000881.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00000883.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00001049.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00001051.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00001171.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00001173.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00001335.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00001337.exe -> TrojanDownloader.TSUpdate.g -> Cleaned with backup
C:\slinstaller.exe -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\sys.exe -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnTW1862.exe -> TrojanDownloader.Small.ayl -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnTW1862.exe -> TrojanDownloader.Small.ayl -> Cleaned with backup
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\oclp2pfe.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.dk -> Cleaned with backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINDOWS\sys1145.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys1147.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys1148.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys2123.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys2124.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys2128.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys2129.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys2131.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys2133.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\system32\103625.exe -> Spyware.Small.dm -> Cleaned with backup
C:\WINDOWS\system32\11791562.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\1440406.exe -> Spyware.Small.dm -> Cleaned with backup
C:\WINDOWS\system32\1qgr41e8.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\307156.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\3848625.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\3jgvdue7.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\671843.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\72531.exe -> Spyware.Small.dm -> Cleaned with backup
C:\WINDOWS\system32\9gvy4j65gti.dll -> TrojanDownloader.Small.rr -> Cleaned with backup
C:\WINDOWS\system32\afrysrd.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\CDM\qgfuswwdfd.exe -> Spyware.SmartPops -> Cleaned with backup
C:\WINDOWS\system32\clmnizr.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\egtdoit.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\enivuvw.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\euckhwy.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\hlczayg.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\ikyybfi.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\imsxcvs.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\iuztvzp.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\lmeewpv.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\locallpr.exe -> TrojanProxy.Delf.m -> Cleaned with backup
C:\WINDOWS\system32\maxd.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\msievc.exe -> TrojanProxy.Delf.m -> Cleaned with backup
C:\WINDOWS\system32\mtuwccy.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\mwpdmwl.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\MyIE.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\ngsxjry.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\qaludgr.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\qxtpxsj.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\services\ddef.exe -> Trojan.Favadd.c -> Cleaned with backup
C:\WINDOWS\system32\services\eeewd3de.exe -> TrojanDownloader.Apher -> Cleaned with backup
C:\WINDOWS\system32\services\links.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\services\putfddes.exe -> TrojanDropper.Zdesnado.a -> Cleaned with backup
C:\WINDOWS\system32\services\{5128942E-2499-486A-879D-B9DC0D11A445}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{5128942E-2499-486A-879D-B9DC0D11A445}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\services\{7151A823-CBB2-4F79-BA41-1DABE9AC3731}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{7151A823-CBB2-4F79-BA41-1DABE9AC3731}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.DLL -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\services\{B054C2A3-EE0D-4459-8426-2192EC9EA553}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{B054C2A3-EE0D-4459-8426-2192EC9EA553}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\services\{CBD5C978-DDC2-401E-8979-8E6A0A294818}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{CBD5C978-DDC2-401E-8979-8E6A0A294818}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\services\{E54666F2-7DDD-4D48-B6AA-4D93A1383B79}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{E54666F2-7DDD-4D48-B6AA-4D93A1383B79}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\services\{EA9DB42B-C539-4114-B30C-103F7EC7BB79}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\services\{EA9DB42B-C539-4114-B30C-103F7EC7BB79}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\thn32.dll -> TrojanProxy.Small.bk -> Cleaned with backup
C:\WINDOWS\system32\tzfxkkb.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\umdyryb.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> Trojan.LowZones.y -> Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl -> Cleaned with backup
C:\WINDOWS\system32\xhwvlnu.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\zfuwtnk.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\system32\~update.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\WINDOWS\thin-114-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\uelgwn.exe -> TrojanDownloader.IstBar.go -> Cleaned with backup


::Report End
 

minifunny

Thread Starter
Joined
Jul 1, 2005
Messages
10
Active Scan report [ Part 1/2]

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\kofamily\Favorites\! Smart Security.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\kofamily\Favorites\Forbidden Conversations.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\kofamily\Favorites\Forced Sex.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\kofamily\Favorites\online casino.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\kofamily\Favorites\online dating.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\kofamily\Favorites\Search the web.url
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\kofamily\Favorites\WeirdOnTheWeb.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\kofamily\Favorites\Young Preteen Models.url
Adware:Adware/SpySheriff No disinfected C:\Documents and Settings\kofamily\桌面\SpySheriff.lnk
Adware:Adware/SuperSpider No disinfected C:\m.exe
Adware:Adware/Startpage.ID No disinfected C:\msdos.exe
Adware:Adware/SuperSpider No disinfected C:\mssys.com
Adware:Adware/SuperSpider No disinfected C:\p.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\rainbow\classify.dll
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsuninst.exe
Adware:Adware/SuperSpider No disinfected C:\Program Files\q330994.exe
Adware:Adware/SuperSpider No disinfected C:\q.exe
Adware:Adware/SuperSpider No disinfected C:\q250204.exe
Adware:Adware/Sqwire No disinfected C:\RECYCLER\NPROTECT\00000879.exe
Adware:Adware/Sqwire No disinfected C:\RECYCLER\NPROTECT\00001047.exe
Adware:Adware/Sqwire No disinfected C:\RECYCLER\NPROTECT\00001169.exe
Adware:Adware/Sqwire No disinfected C:\RECYCLER\NPROTECT\00001333.exe
Adware:Adware/SuperSpider No disinfected C:\soundmx.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\cvchost.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\dl.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\dlm.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\LastGood\INF\ceres.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\LastGood\INF\ceres.PNF
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msstasks.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mssys.com
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mstaskss.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\reg33.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\rocky.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\runwin32.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\seksdialer.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\ssico.ico
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system\wmscrop.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system.exe
Possible Virus. No disinfected C:\WINDOWS\system32\135328.exe
Possible Virus. No disinfected C:\WINDOWS\system32\3844140.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\a.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\boosnrm.exe
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\system32\bridge.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\d2kpax.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\d2kpax.exe
Adware:Adware/Nowfind No disinfected C:\WINDOWS\system32\hst32.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\jac.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\mcc.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\msxslab.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\sy
 

minifunny

Thread Starter
Joined
Jul 1, 2005
Messages
10
Active Scan Report [Part 2/2]

Adware:Adware/Craft No disinfected C:\WINDOWS\system32\trf32.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vx.tll
Adware:Adware/Nowfind No disinfected C:\WINDOWS\system32\wcnl32.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\winproc32.exe
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\wininet32.exe
Adware:Adware/SuperSpider No disinfected C:\winspec.dat
Adware:Adware/SuperSpider No disinfected C:\x.exe
Adware:Adware/SuperSpider No disinfected C:\y.exe
Adware:Adware/Gator No disinfected G:\Program Files\Common Files\GMT\GMT.exe
Adware:Adware/Gator No disinfected G:\Program Files\Common Files\CMEII\CMEUpd.exe
Adware:Adware/Gator No disinfected G:\Program Files\Common Files\CMEII\GIocl.dll
Adware:Adware/Gator No disinfected G:\Program Files\Common Files\CMEII\GIoclClient.dll
Adware:Adware/Gator No disinfected G:\Program Files\Common Files\CMEII\GStore.dll
Adware:Adware/Gator No disinfected G:\Program Files\Common Files\CMEII\GStoreServer.dll
Virus:W32/PrettyPark Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Trash[Pretty Park.exe]
Virus:W32/Disemboweler Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Trash[CFGWIZ32.EXE]
Virus:W32/Fbound.C Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Trash[patch.exe]
Virus:Trj/Nuke.B Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Sent[nukevirus.zip][NuKe.exe]
Virus:Trj/Nuke.B Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Sent[NuKe.exe]
Virus:W32/Happy Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[[email protected]@][Happy99.exe]
Virus:W32/PrettyPark Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[Pretty Park.exe]
Virus:W95/CIH Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[bbq.exe]
Virus:W32/[email protected] Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[[email protected]@][www.myparty.yahoo.com]
Virus:W32/Fbound.C Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[patch.exe]
Virus:Exploit/iFrame Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[~005760.txt]
Virus:W32/Klez.I Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[width.exe]
Virus:Exploit/iFrame Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[~005766.txt]
Virus:W32/Klez.I Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[STYLE.pif]
Virus:W32/Klez.I Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[Gb.exe]
Virus:Exploit/iFrame Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[~005797.txt]
Virus:W32/Klez.I Disinfected G:\Program Files\Netscape\Users\liwei\Mail\Inbox[width.bat]
Possible Virus. No disinfected G:\unzipped\hjsplit\hjsplit.exe
Virus:Trj/FDoS.ICMPbomb Disinfected J:\&#19979;&#36617;\&#38620;&#19971;&#38620;&#20843;\icmpvirus.zip[Icmp.exe]
Virus:Trj/FDoS.ICMPbomb Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\icmpvirus.zip[Icmp.exe]
Virus:Trj/Nukem Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\Nuke_em.zip[Nuke'eM.exe]
Virus:Trj/Nuke.B Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\nukevirus.zip[NuKe.exe]
Virus:Trj/Genocid Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\wingenocide.zip[WinGenocide.exe]
Virus:Trojan Horse Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\icq&#25915;&#25802;.zip[IFQ.exe]
Virus:Trj/ICQ.Clt Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\icqt&#20837;&#20405;&#30828;&#30879;.zip[icqclient.exe]
Virus:Trj/ICQ Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\icqt&#20837;&#20405;&#30828;&#30879;.zip[icqtrogen.exe]
Virus:Backdoor Program.LC Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\netspynew.zip[NetMonitor.exe]
Virus:Bck/NetSpy.10.A Disinfected J:\&#19979;&#36617;\&#24037;&#20855;&#31243;&#24335;\Tools\acttack\netspynew.zip[999.exe]
Possible Virus. No disinfected K:\&#38620;&#19971;&#38620;\hjsplit.zip[hjsplit.exe]
 
Joined
Feb 15, 2004
Messages
12,302
Go to Add/Remove and uninstall Internet Optimizer and SpySheriff if there.


Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.


O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k



Click here: http://cwshredder.net/bin/CWSInstall.exe to download
CWSinstall.exe to the desktop.


Click: http://www.downloads.subratam.org/AboutBuster.zip to download
AboutBuster created by Rubber Ducky.


Unzip AboutBuster to the Desktop then click the "Update Button" then click
"Check for Update" and download the updates. then click "Exit" because I
don't want you to run it yet. Just get the updates so it is ready to run
later in safe mode.




Use the Killbox on these. These are all the leftovers; you had one very badly infected computer, but we're nearly there now!


* Click here for info on how to boot to safe mode if you don't already know how.


http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:




Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.




C:\WINDOWS\System32\msvcrtid.exe
C:\m.exe
C:\msdos.exe
C:\mssys.com
C:\p.exe
C:\Program Files\Common Files\tsa\rainbow\classify.dll
C:\Program Files\Common Files\tsa\tsuninst.exe
C:\Program Files\q330994.exe
C:\q.exe
C:\q250204.exe
C:\RECYCLER\NPROTECT\00000879.exe
C:\RECYCLER\NPROTECT\00001047.exe
C:\RECYCLER\NPROTECT\00001169.exe
C:\RECYCLER\NPROTECT\00001333.exe
C:\soundmx.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\inf\ceres.inf
C:\WINDOWS\LastGood\INF\ceres.inf
C:\WINDOWS\LastGood\INF\ceres.PNF
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\ssico.ico
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system.exe
C:\WINDOWS\system32\135328.exe
C:\WINDOWS\system32\3844140.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\boosnrm.exe
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.exe
C:\WINDOWS\system32\hst32.dll
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\mcc.exe
C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\sy
C:\WINDOWS\system32\trf32.dll
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wcnl32.dll
C:\WINDOWS\system32\winproc32.exe
C:\WINDOWS\weirdontheweb_topc.exe
C:\WINDOWS\wininet32.exe
C:\winspec.dat
C:\x.exe
C:\y.exe
G:\Program Files\Common Files\GMT\GMT.exe
G:\Program Files\Common Files\CMEII\CMEUpd.exe
G:\Program Files\Common Files\CMEII\GIocl.dll
G:\Program Files\Common Files\CMEII\GIoclClient.dll
G:\Program Files\Common Files\CMEII\GStore.dll
G:\Program Files\Common Files\CMEII\GStoreServer.dll
G:\Program Files\Netscape\Users\liwei\Mail\Trash[Pretty Park.exe]
K:\雜七雜\hjsplit.zip[hjsplit.exe]


Exit the Killbox.



Find and delete these folders, if there, and the URLs.


C:\Program Files\Internet Optimizer
C:\Program Files\ISTsvc
C:\Program Files\SpySheriff
C:\Documents and Settings\kofamily\Favorites\! Smart Security.url
C:\Documents and Settings\kofamily\Favorites\Forbidden Conversations.url
C:\Documents and Settings\kofamily\Favorites\Forced Sex.url
C:\Documents and Settings\kofamily\Favorites\online casino.url
C:\Documents and Settings\kofamily\Favorites\online dating.url
C:\Documents and Settings\kofamily\Favorites\Search the web.url
C:\Documents and Settings\kofamily\Favorites\WeirdOnTheWeb.url
C:\Documents and Settings\kofamily\Favorites\Young Preteen Models.url
C:\Documents and Settings\kofamily\桌面\SpySheriff.lnk

G:\Program Files\Common Files\GMT\ delete --->gmt
G:\Program Files\Common Files\CMEII delete ---> cme11



Navigate to the C:\Windows\Temp folder. Open the Temp folder and
go to Edit > Select All then Edit > Delete to delete the entire contents of
the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open.
Click Edit > Select All then Edit > Delete to delete the entire contents of
the Temp folder.


Finally go to Control Panel > Internet Options. On the General tab under
"Temporary Internet Files" Click "Delete Files". Put a check by "Delete
Offline Content" and click OK. Click on the Programs tab then click the
"Reset Web Settings" button. Click Apply then OK.


Empty your Recycle Bin.



Next run AboutBuster. Double click aboutbuster.exe, click OK, click Start,
then click OK. This will scan your computer for the bad files and delete them.


Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix"
(Not "Scan only") and let it do its thing.




Now run CCleaner.


Post another HijackThis log.
 
Joined
Feb 15, 2004
Messages
12,302
Open HijackThis, click "View list of backups", select these 2 entries I had you delete earlier by ticking their boxes,

O17-HKLM\System\CCS\Services\Tcpip\..\{DBAA80A3-9443-41DD-B967-3B394DDF9403}: NameServer = 140.123.106.13,140.123.1.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll


and in the right-hand pane select RESTORE.

Exit HijackThis.
 

minifunny

Thread Starter
Joined
Jul 1, 2005
Messages
10
Done!
Thanks for your help!! However, I skipped AboutBuster and CWShredder because when I ran those programs, some error messages appeared. Does it matter?
How can I make sure my computer is now clean? The following is the newest HJT log.

Best rgds,
========================================================
Logfile of HijackThis v1.99.1
Scan saved at 下午 11:57:42, on 2005/7/2
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\ICQ\icq.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wuauclt.exe
L:\&#31227;&#38500;SpyWare\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\icq.exe -minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBAA80A3-9443-41DD-B967-3B394DDF9403}: NameServer = 140.123.106.13,140.123.1.2
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
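
A post-cleanup HijackThis log can be cross-checked mechanically against the scanner reports: any Run entry whose target is a path a scanner already flagged deserves a second look. The following is an added example, not part of the original thread or written by any participant; the function names are this example's own, and the embedded sample lines are copied from the logs posted on this page.

```python
import re

# Sample lines copied from the ewido, ActiveScan and HijackThis logs in this thread.
EWIDO_REPORT = r"""
C:\WINDOWS\system32\services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\maxd.exe -> Dialer.Generic -> Cleaned with backup
"""
ACTIVESCAN_REPORT = r"""
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\cvchost.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\boosnrm.exe
"""
HJT_LOG = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{77BCA084-57D8-4F4E-A3B9-8761C7C71538}\SECURITY.EXE
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\icq.exe -minimize
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$", re.M)
SCAN_RE = re.compile(r"^(.+?)\s+(?:No disinfected|Disinfected)\s+([A-Za-z]:\\.+)$", re.M)
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|bat|pif|scr))(?=\s|$)", re.I)


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().strip('"').lower()


def parse_ewido(text):
    """'path -> detection -> action' lines to {normalised path: detection}."""
    hits = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" -> ")]
        if len(parts) == 3:
            hits[norm(parts[0])] = parts[1]
    return hits


def parse_activescan(text):
    """'detection status path' lines to {normalised path: detection}."""
    return {norm(m.group(2)): m.group(1).strip() for m in SCAN_RE.finditer(text)}


def target_path(command):
    """Extract the executable from a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def autoruns(hjt_log):
    """Yield (value name, executable path) for every O4 Run-key entry."""
    for m in O4_RE.finditer(hjt_log):
        yield m.group(3), target_path(m.group(4))


def flagged_autoruns(hjt_log, *reports):
    """Autoruns whose target a scanner reported, as (name, path, detection)."""
    found = []
    for name, path in autoruns(hjt_log):
        for report in reports:
            if norm(path) in report:
                found.append((name, path, report[norm(path)]))
    return found


def unresolved_autoruns(hjt_log):
    """Entries that cannot be matched by path: bare names and 8.3 short names."""
    return [name for name, path in autoruns(hjt_log)
            if not re.match(r"^[A-Za-z]:\\", path) or "~" in path]


if __name__ == "__main__":
    reports = (parse_ewido(EWIDO_REPORT), parse_activescan(ACTIVESCAN_REPORT))
    for name, path, detection in flagged_autoruns(HJT_LOG, *reports):
        print(f"[{name}] still points at {path} ({detection})")
    print("check by hand:", unresolved_autoruns(HJT_LOG))
```

On these lines it reports the `[Disk Keeper]` Run entry, whose target the ewido report lists as Trojan.WebSearch.i. Entries with bare file names or 8.3 short paths cannot be matched by string comparison and are returned separately for manual review.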
 