Tech Support Guy forum thread (closed, 5 posts)

Registered · 3 Posts · Discussion Starter · #1
Hi

I recently ran a full system scan on my computer using Norton Antivirus and a few were found. I managed to quarantine and delete most of them except for one. With the Norton real-time scan on, whenever I fire up any app that connects to the internet, NAV prompts:

Scan type: Manual Scan
Event: Virus Found!
Virus name: Infostealer.Lemir
File: C:\WINDOWS\system32\WSD_SOCK32.dll
Location: C:\WINDOWS\system32
Computer: ALVIN-IBMT42
User: Administrator
Action taken: Clean failed : Quarantine failed :
Date found: Sat Dec 23 15:52:21 2006

I tried to go into safe mode and delete the file manually, but I couldn't as it says access denied. I think Windows is using the file. Attached is the HijackThis log file. Can anyone help me?

Logfile of HijackThis v1.99.1
Scan saved at 4:19:56 PM, on 23/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assis...urce=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://selamat.no-ip.com:8888/hotfix.zip
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = THE NET Gamers Guild
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.monash.edu.au:80
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush1.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\vision\vision.dll/mms.htm
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra 'Tools' menuitem: ²ÊE¾«ÁéÉèÖà - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSed.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\reporter.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Medie Sariel Number Services - Unknown owner - C:\WINDOWS\system32\notaped.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
 

Retired Moderator · Retired Malware Specialist · 56,449 Posts
That is a mess

first

Download LSPfix here: http://www.cexx.org/lspfix.htm
and now run the LSPFIX application. You will see a list of files in the left hand pane and possibly some in the right hand pane. Tick the "I know what I'm doing" box & select any instances of cdnns.dll that are in the left hand keep pane and move them to the right hand remove pane. DO NOT MOVE ANY OTHER FILES. Press finish and the program will do anything necessary.

then

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

then

Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

then post back all logs asked for

if at anytime internet connection gets lost after combofix or sdfix have done their fixes then

run lspfix again. Just run it, you will see a list of files in the left hand pane and possibly some in the right hand pane. Do not change any of them, just tick the "I know what I'm doing" box & press finish and the program will do anything necessary.
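As an added example (not from this thread, and not code from HijackThis, LSPfix, SDFix or ComboFix), a small triage script over the HijackThis sections the reply above acts on: the O10 Winsock LSP entries, O23 services whose binary is missing, the O21 SSODL loaders and the ShellNext download. The sample lines are copied from the logs in this thread; the rules, severities and wording are my own and are a reading aid, not a removal tool.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis v1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://selamat.no-ip.com:8888/hotfix.zip
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSed.dll
O23 - Service: Medie Sariel Number Services - Unknown owner - C:\WINDOWS\system32\notaped.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O10"
    severity: str  # "high" = act on it, "review" = verify the publisher before touching it
    reason: str
    line: str


# One HijackThis entry: "<tag> - <body>", where tag is R0/R1/F2/O2/.../O23.
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
LSP_MISSING = re.compile(r"LSP provider '([^']+)' missing", re.I)
LSP_UNKNOWN = re.compile(r"Unknown file in Winsock LSP: (\S+)", re.I)
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
SSODL = re.compile(r"^SSODL: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
SHELLNEXT = re.compile(r"ShellNext = (\S+)", re.I)
MISSING = "(file missing)"


def triage_line(line: str):
    """Return a Finding for one log line, or None when nothing in it is worth flagging."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec == "O10":
        # A Winsock LSP sits in the socket chain for every networked program; a missing
        # provider breaks internet access, and the chain should be repaired with an LSP
        # fixer rather than by deleting the entry by hand.
        lm = LSP_MISSING.search(body)
        if lm:
            return Finding(sec, "high", f"Winsock LSP chain references missing DLL {lm.group(1)}", line)
        um = LSP_UNKNOWN.search(body)
        if um:
            return Finding(sec, "high", f"unrecognised Winsock LSP DLL {um.group(1)} is in the socket chain", line)
    elif sec == "O23":
        sm = SERVICE.match(body)
        if sm:
            name, owner, path = sm.groups()
            if path.endswith(MISSING):
                return Finding(sec, "high", f"service '{name}' points at a missing binary", line)
            if owner == "Unknown owner":
                return Finding(sec, "review", f"service '{name}' has no publisher; verify {path}", line)
    elif sec == "O21":
        sm = SSODL.match(body)
        if sm:
            # SSODL entries are loaded by Explorer at logon, so they survive a plain reboot.
            return Finding(sec, "review", f"SSODL '{sm.group(1)}' loads {sm.group(2)} at logon", line)
    elif sec in ("R0", "R1"):
        sm = SHELLNEXT.search(body)
        if sm and sm.group(1).lower().endswith((".zip", ".exe", ".scr")):
            return Finding(sec, "high", f"ShellNext points at a download, {sm.group(1)}, not a web page", line)
    if body.endswith(MISSING) and sec in ("O2", "O3", "O9"):
        return Finding(sec, "review", "browser extension entry whose file is gone; leftover to clean up", line)
    return None


def triage(log_text: str):
    """Run triage over a whole log; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run it against a full log and the O4 Run entries and vendor-signed services fall through as None; only the sections the reply targets come back.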
 

Registered · 3 Posts · Discussion Starter · #3
Hi dvk01

I have done the steps you told me.

Here is the sdfix log:

SDFix: Version 1.51
****************

Sun 24/12/2006 - 11:30:28.04

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

Medie Sariel Number Services

File Path:

C:\WINDOWS\system32\notaped.exe

Medie Sariel Number Services Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\PING41.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\TRACER~1.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win67.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win69.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win6B.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win6E.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win71.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win74.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win77.tmp
C:\WINDOWS\Temp\win1.tmp
C:\WINDOWS\Temp\win2.tmp
C:\WINDOWS\Temp\win3.tmp
C:\WINDOWS\Temp\win40.tmp
C:\WINDOWS\Temp\win41.tmp
C:\WINDOWS\Temp\win42.tmp
C:\WINDOWS\Temp\win43.tmp
C:\WINDOWS\Temp\win44.tmp
C:\WINDOWS\Temp\win45.tmp
C:\WINDOWS\Temp\win46.tmp
C:\WINDOWS\Temp\win47.tmp
C:\WINDOWS\Temp\win48.tmp
C:\WINDOWS\Temp\win49.tmp
C:\WINDOWS\Temp\win4A.tmp
C:\WINDOWS\Temp\win4B.tmp
C:\WINDOWS\Temp\win4C.tmp
C:\WINDOWS\Temp\win4D.tmp
C:\WINDOWS\Temp\win4E.tmp
C:\WINDOWS\Temp\win4F.tmp
C:\WINDOWS\Temp\win50.tmp
C:\WINDOWS\Temp\win51.tmp
C:\WINDOWS\Temp\win52.tmp
C:\WINDOWS\Temp\win53.tmp
C:\WINDOWS\Temp\win54.tmp
C:\WINDOWS\Temp\win55.tmp
C:\WINDOWS\Temp\win56.tmp
C:\WINDOWS\Temp\win57.tmp
C:\WINDOWS\Temp\win58.tmp
C:\WINDOWS\Temp\win59.tmp
C:\WINDOWS\Temp\win5A.tmp
C:\WINDOWS\Temp\win5B.tmp
C:\WINDOWS\Temp\win5C.tmp
C:\WINDOWS\Temp\win5D.tmp
C:\WINDOWS\Temp\win5E.tmp
C:\WINDOWS\Temp\win5F.tmp
C:\WINDOWS\Temp\win60.tmp
C:\WINDOWS\Temp\win61.tmp
C:\WINDOWS\Temp\win62.tmp
C:\WINDOWS\Temp\win63.tmp
C:\WINDOWS\Temp\win64.tmp
C:\WINDOWS\Temp\win65.tmp
C:\WINDOWS\Temp\win66.tmp
C:\WINDOWS\Temp\win67.tmp
C:\WINDOWS\Temp\win68.tmp
C:\WINDOWS\Temp\win69.tmp
C:\WINDOWS\Temp\win6A.tmp
C:\WINDOWS\Temp\win6B.tmp
C:\WINDOWS\Temp\win6C.tmp
C:\WINDOWS\Temp\win6D.tmp
C:\WINDOWS\Temp\win6E.tmp
C:\WINDOWS\Temp\win6F.tmp
C:\WINDOWS\Temp\win70.tmp
C:\WINDOWS\Temp\win71.tmp
C:\WINDOWS\Temp\win72.tmp
C:\WINDOWS\Temp\win73.tmp
C:\WINDOWS\Temp\win74.tmp
C:\WINDOWS\Temp\win75.tmp
C:\WINDOWS\Temp\win76.tmp
C:\WINDOWS\Temp\win77.tmp
C:\WINDOWS\Temp\win78.tmp
C:\WINDOWS\Temp\win79.tmp
C:\WINDOWS\Temp\win7A.tmp
C:\WINDOWS\Temp\win7B.tmp
C:\WINDOWS\Temp\win7C.tmp
C:\WINDOWS\Temp\win7D.tmp
C:\WINDOWS\Temp\win7E.tmp
C:\WINDOWS\Temp\win7F.tmp
C:\WINDOWS\Temp\win80.tmp
C:\WINDOWS\Temp\win81.tmp
C:\WINDOWS\Temp\win82.tmp
C:\WINDOWS\Temp\win83.tmp
C:\WINDOWS\Temp\win85.tmp
C:\WINDOWS\Temp\win86.tmp
C:\WINDOWS\Temp\win87.tmp
C:\WINDOWS\Temp\win88.tmp
C:\WINDOWS\Temp\win89.tmp
C:\WINDOWS\Temp\win8A.tmp
C:\WINDOWS\Temp\win8B.tmp
C:\WINDOWS\Temp\win8C.tmp
C:\WINDOWS\Temp\win8D.tmp
C:\WINDOWS\Temp\win8E.tmp
C:\WINDOWS\Temp\win8F.tmp
C:\WINDOWS\Temp\win90.tmp
C:\WINDOWS\Temp\win91.tmp
C:\WINDOWS\Temp\win92.tmp
C:\WINDOWS\Temp\win93.tmp
C:\WINDOWS\Temp\win94.tmp
C:\WINDOWS\Temp\win95.tmp
C:\WINDOWS\Temp\win96.tmp
C:\WINDOWS\Temp\win97.tmp
C:\WINDOWS\Temp\win98.tmp
C:\WINDOWS\Temp\win99.tmp
C:\WINDOWS\Temp\win9A.tmp
C:\WINDOWS\Temp\win9B.tmp
C:\WINDOWS\Temp\win9C.tmp
C:\WINDOWS\Temp\win9D.tmp
C:\WINDOWS\Temp\win9E.tmp
C:\WINDOWS\Temp\win9F.tmp
C:\WINDOWS\Temp\winA0.tmp
C:\WINDOWS\Temp\winA1.tmp
C:\WINDOWS\Temp\winA2.tmp
C:\WINDOWS\Temp\winA3.tmp
C:\WINDOWS\Temp\winA4.tmp
C:\WINDOWS\Temp\winA5.tmp
C:\WINDOWS\Temp\winA6.tmp
C:\WINDOWS\Temp\winA7.tmp
C:\WINDOWS\Temp\winA8.tmp
C:\WINDOWS\Temp\winA9.tmp
C:\WINDOWS\Temp\winAA.tmp
C:\WINDOWS\Temp\winAB.tmp
C:\WINDOWS\Temp\winAC.tmp
C:\WINDOWS\Temp\winAD.tmp
C:\WINDOWS\Temp\winAE.tmp
C:\WINDOWS\Temp\winAF.tmp
C:\WINDOWS\Temp\winB.tmp
C:\WINDOWS\Temp\winB0.tmp
C:\WINDOWS\Temp\winB1.tmp
C:\WINDOWS\Temp\winB2.tmp
C:\WINDOWS\Temp\winB3.tmp
C:\WINDOWS\Temp\winB4.tmp
C:\WINDOWS\Temp\winB5.tmp
C:\WINDOWS\Temp\winB6.tmp
C:\WINDOWS\Temp\winB7.tmp
C:\WINDOWS\Temp\winB8.tmp
C:\WINDOWS\Temp\winB9.tmp
C:\WINDOWS\Temp\winBA.tmp
C:\WINDOWS\Temp\winBB.tmp
C:\WINDOWS\Temp\winBC.tmp
C:\WINDOWS\Temp\winBD.tmp
C:\WINDOWS\Temp\winBE.tmp
C:\WINDOWS\Temp\winBF.tmp
C:\WINDOWS\Temp\winC.tmp
C:\WINDOWS\Temp\winC0.tmp
C:\WINDOWS\Temp\winC1.tmp
C:\WINDOWS\Temp\winC2.tmp
C:\WINDOWS\Temp\winC3.tmp
C:\WINDOWS\Temp\winC4.tmp
C:\WINDOWS\Temp\winC5.tmp
C:\WINDOWS\Temp\winC6.tmp
C:\WINDOWS\Temp\winC7.tmp
C:\WINDOWS\Temp\winC8.tmp
C:\WINDOWS\Temp\winC9.tmp
C:\WINDOWS\Temp\winCA.tmp
C:\WINDOWS\Temp\winCB.tmp
C:\WINDOWS\Temp\winCC.tmp
C:\WINDOWS\Temp\winCD.tmp
C:\WINDOWS\Temp\winCE.tmp
C:\WINDOWS\Temp\winCF.tmp
C:\WINDOWS\Temp\winD.tmp
C:\WINDOWS\Temp\winD0.tmp
C:\WINDOWS\Temp\winD1.tmp
C:\WINDOWS\Temp\winD2.tmp
C:\WINDOWS\Temp\winD3.tmp
C:\WINDOWS\Temp\winD4.tmp
C:\WINDOWS\Temp\winD5.tmp
C:\WINDOWS\Temp\winD6.tmp
C:\WINDOWS\Temp\winD7.tmp
C:\WINDOWS\Temp\winD8.tmp
C:\WINDOWS\Temp\winD9.tmp
C:\WINDOWS\Temp\winDA.tmp
C:\WINDOWS\Temp\winDB.tmp
C:\WINDOWS\Temp\winDC.tmp
C:\WINDOWS\Temp\winDD.tmp
C:\WINDOWS\Temp\winDE.tmp
C:\WINDOWS\Temp\winDF.tmp
C:\WINDOWS\Temp\winE0.tmp
C:\WINDOWS\Temp\winE1.tmp
C:\WINDOWS\Temp\winE2.tmp
C:\WINDOWS\Temp\winE3.tmp
C:\WINDOWS\Temp\winE4.tmp
C:\WINDOWS\Temp\winE5.tmp
C:\WINDOWS\Temp\winE6.tmp
C:\WINDOWS\Temp\winE7.tmp
C:\WINDOWS\Temp\winE8.tmp
C:\WINDOWS\Temp\winE9.tmp
C:\WINDOWS\Temp\winEA.tmp
C:\WINDOWS\Temp\winEB.tmp
C:\WINDOWS\Temp\winEC.tmp
C:\WINDOWS\Temp\winED.tmp
C:\WINDOWS\Temp\winEE.tmp
C:\WINDOWS\Temp\winEF.tmp
C:\WINDOWS\Temp\winF0.tmp
C:\WINDOWS\Temp\winF1.tmp
C:\WINDOWS\Temp\winF2.tmp
C:\WINDOWS\Temp\winF3.tmp
C:\WINDOWS\Temp\winF4.tmp
C:\WINDOWS\Temp\winF5.tmp
C:\WINDOWS\Temp\winF6.tmp
C:\WINDOWS\Temp\winF7.tmp
C:\WINDOWS\Temp\winF8.tmp
C:\WINDOWS\Temp\winF9.tmp
C:\WINDOWS\Temp\winFA.tmp
C:\WINDOWS\Temp\winFB.tmp
C:\WINDOWS\Temp\winFC.tmp
C:\WINDOWS\Temp\winFD.tmp
C:\WINDOWS\Temp\winFE.tmp
C:\WINDOWS\Temp\winFF.tmp

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------

Authorized Applications Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\SurfOffline\\SO.exe"="C:\\Program Files\\SurfOffline\\SO.exe:*:Enabled:SurfOffline - offline browser"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BBC Alerts\\BBC_Alerts.exe"="C:\\Program Files\\BBC Alerts\\BBC_Alerts.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\wbem\\lsass.exe"="C:\\WINDOWS\\system32\\wbem\\lsass.exe:*:Enabled:Generic Hosts for WinService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BBC Alerts\\BBC_Alerts.exe"="C:\\Program Files\\BBC Alerts\\BBC_Alerts.exe"

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\gebxv.dll.vir
C:\WINDOWS\system32\MSWWINEDRVM7.DLL
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\~de1306.tmp
C:\~de4.tmp
C:\Alvin (Confidential)\CPE1003\ThumbBack\cpe1003\Assignment 2\zen's assignment 2\page9\doc\~WRL2179.tmp
C:\Alvin (Confidential)\CPE2006\Assignment 2\~WRL0001.tmp
C:\Alvin (Confidential)\Wilson's Stuff\BackUp\Past Subjects\CPE2001\Assignments\Backup\Assignment1_Backup_171204\Assignment1\Report\~WRL2394.tmp
C:\Alvin (Confidential)\Wilson's Stuff\BackUp\Past Subjects\CPE2001\Assignments\Backup\Assignment1_Backup_171204\Assignment1\Report\~WRL3258.tmp
C:\Alvin (Confidential)\Wilson's Stuff\CPE2001\Assignments\Backup\Assignment1_Backup_171204\Assignment1\Report\~WRL2394.tmp
C:\Alvin (Confidential)\Wilson's Stuff\CPE2001\Assignments\Backup\Assignment1_Backup_171204\Assignment1\Report\~WRL3258.tmp
C:\Documents and Settings\Administrator\My Documents\My Pictures\Tasmania Trip Estee\Day 2\SIV96.tmp

FINISHED!

Here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:55 AM, on 24/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assis...urce=wdz&utm_medium=bund&utm_campaign=wdz0605
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://selamat.no-ip.com:8888/hotfix.zip
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = THE NET Gamers Guild
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.monash.edu.au:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\vision\vision.dll/mms.htm
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nutafun4.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSed.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\reporter.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Is there anything else I should do?
 

Registered · 3 Posts
Discussion Starter · #4 ·
Here is the combofix log:

Administrator - 06-12-24 11:55:42.52 Service Pack 2
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\nrssvd32.dll
C:\WINDOWS\system32\rgswin32.msc
C:\WINDOWS\system32\SrvAddSet.dat
C:\WINDOWS\system32\vdmop.dll
C:\WINDOWS\system32\wbem\lsass.exe
C:\WINDOWS\system32\wbem\sholl32.dll
C:\WINDOWS\system32\wbem\winkbd32.dll
C:\WINDOWS\system32\d3d1caps.SRG
C:\WINDOWS\system32\drivers\00005cca.SYS
C:\WINDOWS\system32\00005cca.dat
C:\WINDOWS\system32\MicShExts
C:\WINDOWS\system32\drivers\etcdr
C:\WINDOWS\system32\wbem\dReposxml
C:\Program Files\vision
C:\~de*.tmp
C:\WINDOWS\system32\almms.dat
C:\Program Files\Messenger\msnhost.dll
C:\WINDOWS\system32\cdnprot.dat
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\WINDOWS\system32\WSD_SOCK32.dll
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\Program Files\vision

((((((((((((((((((((((((((((((( Files Created from 2006-11-24 to 2006-12-24 ))))))))))))))))))))))))))))))))))

2006-12-24 12:16 d-------- C:\WINDOWS\erdnt
2006-12-23 17:10 d-------- C:\Program Files\Sunbelt Software
2006-12-23 15:09 d-------- C:\Program Files\Azureus
2006-12-21 19:09 d-------- C:\Documents and Settings\Administrator\Application Data\wsInspector
2006-12-21 19:07 d-------- C:\Program Files\Startup Inspector for Windows
2006-12-21 18:50 9,728 --a------ C:\WINDOWS\system32\mobutil.dll
2006-12-21 18:50 8,621 --a------ C:\WINDOWS\system32\drivers\mpsmp.sys
2006-12-21 18:50 27,136 --a------ C:\WINDOWS\system32\wucdmod.dll
2006-12-21 18:50 15,360 --a------ C:\WINDOWS\system32\wmspi.exe
2006-12-21 18:50 d-------- C:\SDFix
2006-12-21 17:05 23,040 --a------ C:\WINDOWS\system32\reporter.dll
2006-12-21 16:59 d--hs---- C:\WINDOWS\CSC
2006-12-21 16:18 228,352 --a------ C:\WINDOWS\system32\sqlservech.dll
2006-12-17 11:31 d-------- C:\90ba23d1c93f2dc653
2006-12-17 11:26 d--hs---- C:\Config.Msi
2006-12-17 11:25 d-------- C:\5bcf5b59248ab22dc4556768
2006-12-13 19:00 36,864 --a------ C:\WINDOWS\system32\PvSed.dll
2006-12-12 03:49 d-------- C:\WINDOWS\system32\ContentTemp
2006-12-09 16:36 6,439 --a------ C:\WINDOWS\system32\watmfds32.dll
2006-12-09 16:05 29,696 --a------ C:\WINDOWS\system32\wmpkn.dll
2006-12-09 16:00 27,648 --a------ C:\WINDOWS\system32\tpnet.dll
2006-12-08 00:31 376 --a------ C:\WINDOWS\system32\innvusmb32.dll
2006-12-08 00:31 36,864 --a------ C:\WINDOWS\system32\PvSec.dll
2006-12-08 00:28 22 --a------ C:\WINDOWS\system32\wmsnds32.dll
2006-12-08 00:27 d-------- C:\Downloads
2006-12-05 15:50 9,651 --a------ C:\WINDOWS\system32\drivers\parcls.sys
2006-11-28 20:07 8,699 --a------ C:\WINDOWS\system32\drivers\hdfs.sys
2006-11-28 20:07 8,477 --a------ C:\WINDOWS\system32\drivers\amdk5.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-24 12:17 -------- d-------- C:\Program Files\Messenger
2006-12-24 11:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-23 19:00 -------- d-------- C:\Program Files\Common Files
2006-12-23 15:40 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2006-12-22 22:42 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2006-12-03 01:07 160384 --a------ C:\WINDOWS\system32\drivers\hicahjfi.sys
2006-11-28 11:05 -------- d-------- C:\Documents and Settings\Administrator\Application Data\BSplayer Pro
2006-11-15 14:41 -------- d-------- C:\Program Files\Java
2006-11-13 12:07 -------- d-------- C:\Program Files\WinUndelete
2006-11-13 01:28 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Security Alert
2006-11-13 00:54 699339 ---hs---- C:\WINDOWS\system32\vxbeg.bak1
2006-11-13 00:54 692276 --ahs---- C:\WINDOWS\system32\gebxv.dll.vir
2006-11-10 22:07 -------- d-------- C:\Program Files\EA Games
2006-11-05 21:44 -------- d-------- C:\Program Files\PowerArchiver
2006-11-05 01:36 -------- d-------- C:\Program Files\DC++
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\system32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 21:42 -------- d-------- C:\Program Files\Orca
2006-11-02 21:42 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-28 20:14 -------- d-------- C:\Program Files\Apple Software Update
2006-10-26 22:12 -------- d-------- C:\Documents and Settings\Administrator\Application Data\BBC Alerts
2006-10-13 23:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 23:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 23:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-09 01:27 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BBC Alerts"="\"C:\\Program Files\\BBC Alerts\\BBC_Alerts.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\Launch Application 2.exe -onlytray"
"PCMService"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,74,01,00,00,00,00,00,00,04,04,00,00,f8,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{78BF3960-61F0-4F4E-825D-3554FA61E847}"="Windows Media Player 核心预加载程序"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3AFA98EC-8C97-4AFB-993C-4DAAA69FB9DF}"="MediaTypes"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebSecurity"="{3DD78ACF-0745-4532-94F8-A574457E1A81}"
"NetWork"="{FC055E7D-8144-4706-8586-2F1C49FCDD2A}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\amdk5
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\hdfs
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\LanPort
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mpsmp
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\parcls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
sqlservech REG_MULTI_SZ sqlservech\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Remote
Access
Connection
Management

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job

Completion time: 06-12-24 12:26:56.29
C:\ComboFix.txt ... 06-12-24 12:26

Thanks for your help so far. Is my computer clear?
 

Retired Moderator · Retired Malware Specialist · 56,449 Posts
You are a long way from being clean yet

Now run LSPFix again. You will see a list of files in the left hand pane and possibly some in the right hand pane. Tick the "I know what I'm doing" box & select any instances of wsd_sock32.dll and nutafun4.dll that are in the left hand keep pane and move them to the right hand remove pane, DO NOT MOVE ANY OTHER FILES, press finish and the program will do anything necessary

then

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\mobutil.dll
C:\WINDOWS\system32\drivers\mpsmp.sys
C:\WINDOWS\system32\wucdmod.dll
C:\WINDOWS\system32\wmspi.exe
C:\WINDOWS\system32\PvSed.dll
C:\WINDOWS\system32\watmfds32.dll
C:\WINDOWS\system32\wmpkn.dll
C:\WINDOWS\system32\tpnet.dll
C:\WINDOWS\system32\innvusmb32.dll
C:\WINDOWS\system32\PvSec.dll
C:\WINDOWS\system32\wmsnds32.dll
C:\WINDOWS\system32\drivers\parcls.sys
C:\WINDOWS\system32\drivers\hdfs.sys
C:\WINDOWS\system32\drivers\amdk5.sys
C:\WINDOWS\system32\drivers\hicahjfi.sys
C:\WINDOWS\system32\vxbeg.bak1
C:\WINDOWS\system32\gebxv.dll.vir
c:\windows\system32\nutafun4.dll
c:\windows\system32\wsd_sock32.dll
C:\WINDOWS\system32\reporter.dll

Folders to delete:
C:\WINDOWS\system32\ContentTemp
C:\Program Files\CNNIC
C:\PROGRA~1\vision

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

when it reboots

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assist...mpaign=wdz0605
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/si...search-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/cu...search-en.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://selamat.no-ip.com:8888/hotfix.zip
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\vision\vision.dll/mms.htm
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nutafun4.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSed.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\reporter.dll

then
Please download ATF Cleaner by Atribune
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

then

post a new HJT log &

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so its report gives us a good place to work from

You must use IE for the scan to work
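The "double check to make sure" step from the post above, as an added Python example that is not part of the thread and not code from HijackThis or LSPFix: it parses HijackThis entry lines, confirms that each line on a fix list is actually present in a saved log, flags entries that already point at a missing file, and lists the DLLs named by O10 Winsock LSP entries (the ones LSPFix is used on). The sample log and fix list are constructed from lines quoted in this thread.

```python
# Added example (not from the thread or from HijackThis): an offline double
# check of a HijackThis "fix checked" list against a saved log, plus the DLLs
# named by O10 Winsock LSP entries. Sample input is constructed from the thread.
import re
from collections import namedtuple

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
LSP_PATH_RE = re.compile(r"[A-Za-z]:\\[^'\s]+")

# code: section such as "O10"; body: text after "Oxx - "; clsid: first {GUID}
# (upper-cased) or None; file_missing: HijackThis already reports the target gone.
Entry = namedtuple("Entry", "code body clsid file_missing")


def parse_entry(line):
    """Parse one log line; header and process-list lines give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body").strip()
    clsid = CLSID_RE.search(body)
    missing = ("(file missing)" in body or "(no file)" in body
               or (code == "O10" and body.endswith(" missing")))
    return Entry(code, body, clsid.group(0).upper() if clsid else None, missing)


def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def check_fix_list(log_text, fix_text):
    """Split fix-list entries into (present, absent, already_missing); matching is
    exact on code and body, so a quoted line not in the current log is not ticked."""
    in_log = {(e.code, e.body) for e in parse_log(log_text)}
    present, absent, already_missing = [], [], []
    for e in parse_log(fix_text):
        if (e.code, e.body) not in in_log:
            absent.append(e)
            continue
        present.append(e)
        if e.file_missing:
            already_missing.append(e)
    return present, absent, already_missing


def lsp_files(log_text):
    """Lower-cased DLL paths from O10 entries -> True if the provider is missing."""
    found = {}
    for e in parse_log(log_text):
        m = LSP_PATH_RE.search(e.body) if e.code == "O10" else None
        if m:
            path = m.group(0).lower()
            found[path] = found.get(path, False) or e.file_missing
    return found


# Constructed sample: a few entries copied from the log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wsd_sock32.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nutafun4.dll' missing
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSed.dll
"""

# Constructed fix list: four lines from the sample log plus one that is not in it.
SAMPLE_FIX_LIST = r"""O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O21 - SSODL: WebSecurity - {3DD78ACF-0745-4532-94F8-A574457E1A81} - C:\WINDOWS\system32\PvSed.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\reporter.dll
"""
```

Run `check_fix_list(SAMPLE_LOG, SAMPLE_FIX_LIST)` on a freshly saved log before pressing Fix checked; anything that lands in `absent` was quoted from an older log and should not be ticked.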
 