Need Expert To Check Highjackthis Log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

gsui

Thread Starter
Joined
Jan 25, 2005
Messages
4
Hi, Rollin' Rog,

Could you help me to check my highjack log and give me some advice? Many thanks!!!

Logfile of HijackThis v1.99.0
Scan saved at 4:10:15 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\KingSoft\KSG\client.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GUANGC~1.HAR\LOCALS~1\Temp\Rar$EX00.716\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.countway.med.harvard.edu/"); (C:\Documents and Settings\Guangchao\Application Data\Mozilla\Profiles\default\ee75ogfx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Guangchao\Application Data\Mozilla\Profiles\default\ee75ogfx.slt\prefs.js)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IPWD] C:\WINDOWS\IPWD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\System32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [KsgUpdateRun] C:\Program Files\Common Files\KingSoft\KSG\client.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Heroplayer Online - C:\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: hero player - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra 'Tools' menuitem: hero player - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: °Ù¶ÈËÑË÷°é - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!IESearch] !IESearch
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O20 - AppInit_DLLs: 58p2fs7ehr84fydll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
 
Joined
Dec 9, 2000
Messages
45,855
gsui. Welcome to TSG. I've split your piggybacked post off to its own thread.While I'll be happy to help you there are many on the Security forum who can assist as well, and you should always start a new topic for a problem.

Start by doing the following:

>> download, install, update and run a full AVG scan. You can use the free version. This has reported success with this particular infection and if the files are resistant or hidden we may have better luck on future efforts. Have it delete or quarantine anything it finds infected.

You should probably disable your Symantec antivirus program while scanning with AVG

http://www.grisoft.com/us/us_dwnl_free.php

Please download, unzip and have available:

http://www.downloads.subratam.org/KillBox.zip

Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View

If HijackThis has not been downloaded or copied to a permanent folder, move it there before beginning. *yours has not!

Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.intermute.com/spysubtract/cwshredder_download.html

Then:

1 >> Restart in Safe Mode. Instructions here if you need them:http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


and run HijackThis and check and "fix" the following entries:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O11 - Options group: [!IESearch] !IESearch

If any entries such as this show up in the scanlog, delete them:

- HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://[b]win-eto.com[/b]/hp.htm?id=31403

>> Go To start > Run, enter regedit

and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

In the Right Hand pane you will see a Value Name: AppInit_DLLs

Double click that and completly blank out the "value data" in the edit string and click "OK"

>> Next run the coolwebshredder again and have it fix anything it detects

>> >> run "killbox.exe" and copy/paste the following line into the "file to be deleted" path:

C:\WINDOWS\system32\58p2fs7ehr84fydll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll.dll.dll.dll.dll.dll.dll.dll

> check "end explorer shell" and "delete on reboot". Press the red button with the X. Have everything else closed before you confirm the prompt to reboot.

Once you have rebooted and connected, create and post a new HijackThis scanlog.
 

gsui

Thread Starter
Joined
Jan 25, 2005
Messages
4
Many thanks, Rollin' Rog. I did what you suggested and here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 4:06:37 PM, on 1/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\KingSoft\KSG\client.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\00-Sui\000000\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.med.harvard.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.countway.med.harvard.edu/"); (C:\Documents and Settings\Guangchao\Application Data\Mozilla\Profiles\default\ee75ogfx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Guangchao\Application Data\Mozilla\Profiles\default\ee75ogfx.slt\prefs.js)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IPWD] C:\WINDOWS\IPWD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\System32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KsgUpdateRun] C:\Program Files\Common Files\KingSoft\KSG\client.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Heroplayer Online - C:\HEROSOFT\Hero3000\MPURLGET.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: hero player - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra 'Tools' menuitem: hero player - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: °Ù¶ÈËÑË÷°é - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)



More info:

Dear Rollin’ Rog,

Thank you for your help. Actually, my problem is quite strange and it is related to my webmail. https://email.med.harvard.edu/exchange/

Long time ago, I found that when I wanted to reply an e-mail, I clicked on “reply” and then a new windows popped up. However, the original message from that sender (or the person to whom I was going to reply) did not show up automatically. I still have this problem now. However, two things are interesting: (1) this only happens when I connect this computer to the high speed internet in the lab. When I connect it to NetZero (dialup system, slow) at home, it is ok (the original message shows up). (2) When I use other computers in the lab that are connected to internet with high speed, it is also OK.

Just now, I followed your instructions step by step. After that, when I started internet explorer, the “iexplore.exe” does not use 99% CPU. The problem seemed to have been solved. However, when I tried to send an e-mail and click on the “To…” button to find the person’s e-mail address, the computer became frozen and I could see that the “iexplore.exe” used 99% CPU again. It took very very long time for me to terminate the IE program. This phenomenon started several days ago. However, when I used other computers in the lab, I don’t have this problem. I guess maybe the IE program is having problem. I asked the computer person in our department, but he doesn’t have any clue.

I am using Dell Inspiron 8500 laptop. The computer is 1.5 years old.

Sorry to bother you again.

gsui
 
Joined
Dec 9, 2000
Messages
45,855
Long time ago, I found that when I wanted to reply an e-mail, I clicked on ?reply? and then a new windows popped up. However, the original message from that sender (or the person to whom I was going to reply) did not show up automatically.
I'm not sure what is involved here; I find I don't see original messages from certain folks who email me and I do from others; but this has always been the behavior at Hotmail. You are probably best off with a post in Web and Email for this, especially if it is an "Outlook Express" problem. I don't think it's a "security" issue.

You might also test this behavior by doing a "clean boot" (MS instructions below) or by creating a second User Account and try connecting IE through that.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353



You've done good work on following the instructions. But, whoops, I apparently overlooked this:

O4 - HKLM\..\Run: [IPWD] C:\WINDOWS\IPWD.exe

I don't know what it is, if you don't either, check and fix it, and see if the file is present and if it is, delete it after a reboot. It doesn't show as a running process.

And this needs to go as well:

O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)


This can be checked and "fixed" in the Scanlog though I don't think its a source of any remaining problem:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

I take it you are not having any problems with Netscape?

I was going to recommend that you run the IE Repair tool, but this is not available in XPSp2. Did this particular problem precede or follow that install?
 

gsui

Thread Starter
Joined
Jan 25, 2005
Messages
4
Hi, Rollin' Rog,

Thank you for your help.

I removed the three additional items you suggested and did the "clean boot" procedure but it doesn't help with my problem. I think I just give up for the time being and don't try it now because it takes really too long time to close the frozen IE windows. Our webmail server does not support Netscape (it is strange and I heard they are trying to fix it). I ran XPSp2 quite long time ago (two months?), and I believe the problem did not appear together with it at that time.

However, after I remove the three additional items, there is a new problem.

Every time when I restart my computer (I tried three times), there are two successive (error) messages:

1. Windows cannot find (here is a wired name containing one Chinese character. I just cannot read it). Make sure you type the name correctly and then try again. To search for a file, click the Start button and then click Search.

(I clicked on “OK”. The second one appeared.)

2. (Title of the menu: Disktop): Could not load or run (the same wired name as above) specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

After I clicked on “OK”, the computer seems to run all right, but the messages are just quite annoying. How can I fix it?

Another question: how can I avoid being affected by these viruses or worms again? What kinds of websites contain them?

I am quite impressed that you are so willing to help other people. Many thanks,

gsui
 
Joined
Dec 9, 2000
Messages
45,855
Can you post another HijackThis Scanlog? Also if you did a clean boot (and had unchecked items in msconfig previously) these items need to be unchecked again. When you returned to normal startups EVERYTHING got checked again. So something is probably being called now that simply wasn't in the previous scanlog. You can post the scanlog before looking back at msconfig so I can see what is currently there.

People often ask me how they can keep from being re-infected. Since a current poster, jaejae, just asked, I'm going to repeat what I said there:

As for additonal Security software, this is entirely a matter of who uses the machine and how it is used. Most infections occur from either not having the most critical Windows updates installed, using unpatched versions of IE, using IE to go where it should not be taken ('X' browsing), file sharing downloads and installs (one of the most common sources) and carelessness in allowing or accepting installs from sites that cannot be implicitly trusted.

Frankly the most important recommendation I would have is to use an alternate browser for all sites that do not require IE. Mozilla Firefox is a good choice for most. And Opera has a free version if you don't mind the banner ad (I don't)

The bottom line is that NO security software will keep you from getting reinfected if you are incautious.
My personal opinion is that if you have installed the most critical Windows Updates (and you have), you hardly even need an antivirus program if your usage is cautious and conservative. And if it isn't, nothing can keep you from being re-infected.

I've been running Windows for quite a number of years now, and have never had to clean my own system, other than something occasionally showing up in a temporary internet cache that was never actually executed. I keep the XP firewall enabled, and just for formality sake run a basic antivirus program (AVG). Other things, like Ad-Aware SE, I keep around just to help folks with.

Have a look here for other suggestions:

http://forums.techguy.org/t208517.html

Another suggestion that is sometimes offered, I don't follow it myself, is to create a User Account that does NOT have administrative priveleges and use it whenever possible. This will keep some malware installs from succeeding because they need administrative rights. When you want to install or do something that requires administrative rights, you can change accounts.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top