
Thread: Boran.g and a lot more...

  1. #1
    Junior Member (Join Date: Oct 2006, Posts: 6)

    Boran.g and a lot more...

    I'm helping a friend to clean up a laptop... no matter how many times I run Spybot or Ad-Aware, Boran.g always comes back... so annoying...

    Here's the Panda report:

    Incident Status Location
    Adware:Adware/Wsearch Not disinfected C:\FOUND.008\FILE0003.CHK
    Adware:Adware/NCast Not disinfected C:\WINDOWS\system32\drivers\sispc.sys
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\drivers\Albus.SYS
    Hacktool:Rootkit/Hidport Not disinfected C:\WINDOWS\system32\drivers\hidport.sys
    Virus:Bck/Irjit.B Disinfected C:\WINDOWS\system32\wbem\zeocgb66.dll
    Virus:Trj/Downloader.KHR Disinfected C:\WINDOWS\system32\enup32.dll
    Adware:Adware/MMediapd Not disinfected C:\WINDOWS\system32\ext\dtdl.dll
    Adware:adware/mmediapd Not disinfected C:\WINDOWS\system32\ext\dtsm.dll
    Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\A4SOFT\baisod\dllhostd.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\alsmt.exe
    Adware:Adware/KooWo Not disinfected C:\WINDOWS\system32\YHBO.dll
    Possible Virus. Not disinfected C:\WINDOWS\system32\wmpes.ini
    Possible Virus. Not disinfected C:\WINDOWS\system32\SPOOLS.EXE
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\albus.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\stdupnet.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\stdstub.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\stdvote.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\stdplay.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\system32\jetspeed.dll
    Adware:Adware/Ourxin Not disinfected C:\WINDOWS\system32\msicn\ube.exe
    Adware:Adware/Ourxin Not disinfected C:\WINDOWS\system32\1116\ntjdo\vcf.fyf
    Adware:Adware/NewWeb Not disinfected C:\WINDOWS\system32\Inte32.dll
    Adware:Adware/Simfly Not disinfected C:\WINDOWS\system32\sys32version.dll
    Adware:Adware/LinkMedia Not disinfected C:\WINDOWS\system32\ACSs.dll
    Adware:Adware/NewWeb Not disinfected C:\WINDOWS\system32\Inte.dll
    Adware:Adware/LinkMedia Not disinfected C:\WINDOWS\system32\Nwsapagent.dll
    Adware:Adware/LinkMedia Not disinfected C:\WINDOWS\system32\sdmAgent20.dll
    Adware:Adware/LinkMedia Not disinfected C:\WINDOWS\system32\sdmAgent22.dll
    Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\zsSOFT\baisof\dllhostf.dll
    Adware:Adware/NewWeb Not disinfected C:\WINDOWS\system\vp_VM.dll
    Adware:Adware/LinkMedia Not disinfected C:\WINDOWS\Temp\sdmagent.exe[sdmAgent22.dll]
    Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Temp\Cookies\cheung@ad.yieldmanager[1].txt
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\Temp\insshell\insshell.exe
    Adware:Adware/IconAds Not disinfected C:\WINDOWS\Temp\exupstd\setup.exe
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\Temp\insmms5\setup.exe[albus.dll]
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\Temp\insmms5\setup.exe[2eC]
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\webwork\webwork.dll
    Adware:Adware/Borlander Not disinfected C:\WINDOWS\webwork\webwork.nls
    Possible Virus. Not disinfected C:\WINDOWS\mTmp.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update8.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update13.exe
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\Y2hldW5n\sZ15xqcB.vbs
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update18.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update19.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update20.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update22.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update21.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update23.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update24.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update25.exe
    Adware:Adware/AdHelper Not disinfected C:\WINDOWS\update26.exe
    Spyware:Spyware/Iehelp Not disinfected C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5025.dll
    Virus:Bck/Irjit.B Disinfected C:\Documents and Settings\All Users\Templates\temp.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00800500.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01742118.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04895246.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03295188.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00642001.exe
    Possible Virus. Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\xp83.tmp.exe
    Adware:Adware/KooWo Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\rg_lyric_014.exe[YHBO.dll]
    Adware:Adware/KooWo Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\rg_lyric_014.exe[HTTPDll.dll]
    Adware:Adware/KooWo Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\rg_lyric_014.exe[lrcsys.exe]
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00870451.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03088337.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03082938.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01807114.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00819806.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\setup.exe
    Adware:Adware/LinkMedia Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\lmdm_setup_2.1_102.exe[ACSs.dll]
    Adware:Adware/LinkMedia Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\lmdm_setup_2.1_102.exe[Nwsapagent.dll]
    Adware:Adware/LinkMedia Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\lmdm_setup_2.1_102.exe[sdmAgent20.dll]
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02680022.exe
    Spyware:Spyware/Iehelp Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\5025.exe
    Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\Setup_YH0017.exe
    Adware:Adware/ISearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
    Adware:Adware/PCodec Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\b104.exe[2UC\nsRandom.dll]
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04367547.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04742694.exe
    Adware:Adware/BaiduBar Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\potti.exe[BaiduBar.dll]
    Adware:Adware/BaiduBar Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\5344.exe
    Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\b116.exe
    Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\b111.exe
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\wd2_051117_NAV062_mini.exe[2eC]
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\wd2_051117_NAV062_mini.exe[2eC]
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\wd2_051117_NAV062_mini.exe[2eC]
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\secp.exe[2eC]
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\secp.exe[2eC]
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\secp.exe[2eC]
    Adware:Adware/Ourxin Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\secp.exe[2eC]
    Possible Virus. Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\up26.exe
    Virus:Trj/Downloader.KVF Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\tubar1230.exe[HttpGetyuletx.exe]
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\tubar1230.exe[HttpGet.exe]
    Virus:Trj/Multidropper.BOU Disinfected C:\Documents and Settings\cheung\Local Settings\Temp\hc01.exe
    Adware:Adware/Borlander Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\insshell\insshell.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00588103.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02761675.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02648279.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01065660.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04205847.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03516531.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04743943.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00206001.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02420470.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01500112.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01102411.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02862227.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02318828.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\02225829.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00868055.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04484692.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\00236403.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04117442.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01716017.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01289814.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03811034.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03419438.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04227893.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01516160.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04438043.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\01090213.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04814197.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\03211736.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04522291.exe
    Adware:Adware/Wsearch Not disinfected C:\Documents and Settings\cheung\Local Settings\Temp\04766397.exe
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\cheung\Cookies\cheung@xiti[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\cheung\Cookies\cheung@searchportal.information[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\cheung\Cookies\cheung@com[1].txt
    Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{38E9DE2F-06C5-1028-0902-050507060354}\Uninst.exe
    Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{38E9DE2F-06C5-3076-0902-050507060354}\Uninst.exe
    Possible Virus. Not disinfected C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe[zcomcli_sc.exe]
    Adware:Adware/Borlander Not disinfected C:\Program Files\MMSAssist\Mmsass~1.dll
    Adware:Adware/Borlander Not disinfected C:\Program Files\MMSAssist\albus.dll
    Adware:Adware/Borlander Not disinfected C:\Program Files\MMSAssist\mmssver.dll
    Adware:Adware/Simfly Not disinfected C:\temp\3748.exe
    Possible Virus. Not disinfected C:\temp\bind_40127.exe
    Adware:Adware/Eztracks Not disinfected C:\temp\SearchBar.exe[SearchBar.dll]
    Possible Virus. Not disinfected D:\System Volume Information\_restore{C1F8D83E-EC09-4E58-8B1F-FE578F91939E}\RP311\A0056447.exe
    Possible Virus. Not disinfected D:\System Volume Information\_restore{C1F8D83E-EC09-4E58-8B1F-FE578F91939E}\RP323\A0058388.exe
    Possible Virus. Not disinfected D:\System Volume Information\_restore{C1F8D83E-EC09-4E58-8B1F-FE578F91939E}\RP323\A0059505.exe
    Possible Virus. Not disinfected D:\System Volume Information\_restore{C1F8D83E-EC09-4E58-8B1F-FE578F91939E}\RP323\A0059506.exe
    Possible Virus. Not disinfected D:\System Volume Information\_restore{C1F8D83E-EC09-4E58-8B1F-FE578F91939E}\RP326\A0061317.exe

    HijackThis will be posted next...

  2. #2
    Junior Member (Join Date: Oct 2006, Posts: 6)

    Continue...

    HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:27:07, on 29/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ad1.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {000FBDB5-8043-4F24-ABCC-22654DA54A22} - C:\PROGRA~1\INTERN~1\PLUGINS\Flash.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: netup - {0A44CDEC-87D0-4D4D-BF97-DE9AFB9B104A} - C:\WINDOWS\system32\netidp.dll
    O2 - BHO: symndis - {166DF856-08F0-4D1C-991D-7CE3DB5C26F5} - C:\WINDOWS\system32\rasacd.dll
    O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5025.dll
    O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usercrd.dll
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
    O2 - BHO: SrchHook Class - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - C:\WINDOWS\system32\BarSea.dll
    O2 - BHO: UMU Class - {86450826-9507-44DC-9009-F92D2F5864EE} - C:\WINDOWS\system32\msvis.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: IEHlprObj Class - {EAACBF9E-4B91-45FF-93ED-B297093951EA} - C:\Program Files\Internet Explorer\PLUGINS\Flash_Player.dll
    O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
    O2 - BHO: (no name) - {FE32DECF-06AD-426E-9F53-3018A366B5AE} - C:\WINDOWS\system32\sys32version.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Search Bar - {FBFF8F98-AE9D-4599-975E-E9B31E88EF04} - C:\WINDOWS\system32\BarTool.dll
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
    O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: >>粗陓楷冞<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
    O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/230?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/229?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 訪問通用網址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
    O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O9 - Extra 'Tools' menuitem: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
    O9 - Extra 'Tools' menuitem: 粗E儕鍾扢离 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156480256970
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EDEDED2E-A0A6-4085-BC52-A95255A96DBD} (CyImgChinaCtl Class) - http://fs3u.cyworld.com.cn/common/ac...CyImgChina.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ED60A15-9D0B-4DBC-A213-2B71D0ADACDF}: NameServer = 202.14.67.4,202.14.67.14
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Distributed Application Client (SHipING) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL.EXE (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

  3. #3
    illukka, Expert-Emeritus (Join Date: Nov 2005, Location: The Pits Of Hell, Posts: 1,289)

    Hi,

    Sorry for the delay.

    As you can see, we handle more than our fair share of logs.

    Let's see a fresh HijackThis log to get started.

  4. #4
    Junior Member (Join Date: Oct 2006, Posts: 6)

    again...

    Here it is, thanks!

    Logfile of HijackThis v1.99.1
    Scan saved at 1:32:16, on 6/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.EXE
    C:\Program Files\Trend Micro\PC-cillin 2004\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
    C:\Program Files\CNNIC\Cdn\cdnup.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=C:\WINDOWS\system\tpkIM32.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: 61.135.150.114 www.8000qq.com
    O1 - Hosts: 61.135.150.114 www.800f.net
    O1 - Hosts: 61.135.150.114 www.1000sf.cn
    O1 - Hosts: 61.135.150.114 jfengsha.comfb
    O1 - Hosts: 61.135.150.114 www.1000yf.net
    O1 - Hosts: 61.135.150.114 www.159sifu.com
    O1 - Hosts: 61.135.150.114 www.9s5.cn
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 www.wym.cn
    O1 - Hosts: 61.135.150.114 www.cc4f.cn
    O1 - Hosts: 61.135.150.114 mafan.net
    O1 - Hosts: 61.135.150.114 www.6688qn.net
    O1 - Hosts: 61.135.150.114 www.177z.com
    O1 - Hosts: 61.135.150.114 www.131sf.net
    O1 - Hosts: 61.135.150.114 tj.cntg.cn
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 www.china45.net
    O1 - Hosts: 61.135.150.114 www.ok22.com
    O1 - Hosts: 61.135.150.114 www.17mi.net
    O1 - Hosts: 61.135.150.114 www.sf8.com.cn
    O1 - Hosts: 61.135.150.114 www.13177.com
    O1 - Hosts: 61.135.150.114 ip94.fd4f.com
    O1 - Hosts: 61.135.150.114 www.521it.net
    O1 - Hosts: 61.135.150.114 www.ytdj.cn
    O1 - Hosts: 61.135.150.114 www.fwoool.cn
    O1 - Hosts: 61.135.150.114 www.5u37.net
    O1 - Hosts: 61.135.150.114 www.87sf.com
    O1 - Hosts: 61.135.150.114 ww1.swoool.com
    O1 - Hosts: 61.135.150.114 wooljsz.cn
    O1 - Hosts: 61.135.150.114 www.57wool.com
    O1 - Hosts: 61.135.150.114 www.58816.com
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 chuanqisjsf.blwool.com
    O1 - Hosts: 61.135.150.114 www.woool188.com
    O1 - Hosts: 61.135.150.114 www.sf1260.com
    O1 - Hosts: 61.135.150.114 linf23.b12.cnwg.cn
    O1 - Hosts: 61.135.150.114 www.wooolweb.com
    O1 - Hosts: 61.135.150.114 www.yq520.net
    O1 - Hosts: 61.135.150.114 www.cs222.com
    O1 - Hosts: 61.135.150.114 www.ok22.com
    O1 - Hosts: 61.135.150.114 www.7100sf.com
    O1 - Hosts: 61.135.150.114 www.1352sf.com
    O1 - Hosts: 61.135.150.114 www.458wool.cn
    O1 - Hosts: 61.135.150.114 www.555woool.cn
    O1 - Hosts: 61.135.150.114 www.kaosf.com
    O1 - Hosts: 61.135.150.114 www.siyuwl.com
    O1 - Hosts: 61.135.150.114 www.csjsz.cn
    O1 - Hosts: 61.135.150.114 www.13177.com
    O1 - Hosts: 61.135.150.114 www.458cs.com
    O1 - Hosts: 61.135.150.114 www.5573.com
    O1 - Hosts: 61.135.150.114 www.02945.com
    O1 - Hosts: 61.135.150.114 www.pkchina.net
    O1 - Hosts: 61.135.150.114 www.5181314.com
    O1 - Hosts: 61.135.150.114 www.fknf2.com
    O1 - Hosts: 61.135.150.114 www2.yoursf.com
    O1 - Hosts: 61.135.150.114 www.paocs.com
    O1 - Hosts: 61.135.150.114 www.sfboke.com
    O1 - Hosts: 61.135.150.114 www.tt878.com
    O1 - Hosts: 61.135.150.114 ww1.woool188.com
    O1 - Hosts: 61.135.150.114 www.cs119.com
    O1 - Hosts: 61.135.150.114 www.xdwoool.net
    O1 - Hosts: 61.135.150.114 www.tt515.com
    O1 - Hosts: 61.135.150.114 www.cs176.com
    O1 - Hosts: 61.135.150.114 www.552sf.com
    O1 - Hosts: 61.135.150.114 www.ipmir.com
    O1 - Hosts: 61.135.150.114 www.898woool.com
    O1 - Hosts: 61.135.150.114 www.qqks.com
    O1 - Hosts: 61.135.150.114 www.368idc.com
    O1 - Hosts: 61.135.150.114 www.csbaba.com
    O1 - Hosts: 61.135.150.114 www.4745.cn
    O1 - Hosts: 61.135.150.114 www.636400.com
    O1 - Hosts: 61.135.150.114 www.oursf.cn
    O1 - Hosts: 61.135.150.114 www.laiba173.com
    O1 - Hosts: 61.135.150.114 www.14455.com
    O1 - Hosts: 61.135.150.114 www.zheshan.net
    O1 - Hosts: 61.135.150.114 zt.aaaaasf.cn
    O1 - Hosts: 61.135.150.114 www.zt1314.cn
    O1 - Hosts: 61.135.150.114 www.zt4f.net
    O1 - Hosts: 61.135.150.114 www.zt002.com
    O1 - Hosts: 61.135.150.114 www.amir3.com
    O1 - Hosts: 61.135.150.114 www.sf1717.com
    O1 - Hosts: 61.135.150.114 www.cq333.cn
    O1 - Hosts: 61.135.150.114 www.3316.cn
    O1 - Hosts: 61.135.150.114 www.sosmir3.com
    O1 - Hosts: 61.135.150.114 www.95279.com
    O1 - Hosts: 61.135.150.114 www.sf1788.com
    O1 - Hosts: 61.135.150.114 www.4fboss.com
    O1 - Hosts: 61.135.150.114 www.45net.net
    O1 - Hosts: 61.135.150.114 www.ytdj.cn
    O1 - Hosts: 61.135.150.114 www.laiba173.com
    O1 - Hosts: 61.135.150.114 www.wow1314.com
    O1 - Hosts: 61.135.150.114 www.zgwow.com
    O1 - Hosts: 61.135.150.114 www.1000wow.net
    O1 - Hosts: 61.135.150.114 www.gowowsf.com
    O1 - Hosts: 61.135.150.114 www.wowsf.com
    O1 - Hosts: 61.135.150.114 www.wxwow.com
    O1 - Hosts: 61.135.150.114 520.xinwow.com
    O1 - Hosts: 61.135.150.114 www.wowhelp.cn
    O1 - Hosts: 61.135.150.114 www.800wow.com
    O1 - Hosts: 61.135.150.114 www.56wow.com
    O1 - Hosts: 61.135.150.114 www.45wow.com
    O2 - BHO: (no name) - {000FBDB5-8043-4F24-ABCC-22654DA54A22} - C:\PROGRA~1\INTERN~1\PLUGINS\Flash.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: netup - {0A44CDEC-87D0-4D4D-BF97-DE9AFB9B104A} - C:\WINDOWS\system32\netidp.dll
    O2 - BHO: symndis - {166DF856-08F0-4D1C-991D-7CE3DB5C26F5} - C:\WINDOWS\system32\rasacd.dll
    O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5025.dll
    O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usercrd.dll
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
    O2 - BHO: SrchHook Class - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - C:\WINDOWS\system32\BarSea.dll
    O2 - BHO: UMU Class - {86450826-9507-44DC-9009-F92D2F5864EE} - C:\WINDOWS\system32\msvis.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: IEHlprObj Class - {EAACBF9E-4B91-45FF-93ED-B297093951EA} - C:\Program Files\Internet Explorer\PLUGINS\Flash_Player.dll
    O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
    O2 - BHO: (no name) - {FE32DECF-06AD-426E-9F53-3018A366B5AE} - C:\WINDOWS\system32\sys32version.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Search Bar - {FBFF8F98-AE9D-4599-975E-E9B31E88EF04} - C:\WINDOWS\system32\BarTool.dll
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
    O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: >>粗陓楷冞<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
    O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/230?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/229?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 訪問通用網址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
    O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    O9 - Extra 'Tools' menuitem: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
    O9 - Extra 'Tools' menuitem: 粗E儕鍾扢离 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
    O11 - Options group: [CDNCLIENT] 中文上網
    O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156480256970
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EDEDED2E-A0A6-4085-BC52-A95255A96DBD} (CyImgChinaCtl Class) - http://fs3u.cyworld.com.cn/common/ac...CyImgChina.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ED60A15-9D0B-4DBC-A213-2B71D0ADACDF}: NameServer = 202.14.67.4,202.14.67.14
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
    O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\cmspl.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Distributed Application Client (SHipING) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL.EXE (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

  5. #5
    Expert-Emeritus illukka
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289


    Please download Boran Remover from one of the following places and save it to your Desktop:
    1. http://download.bleepingcomputer.com/sUBs/boran-remover.exe
    2. http://www.techsupportforum.com/sectools/boran-remover.exe
    • Close all open windows.
    • Double-click boran-remover.exe to start the tool.
    • Your computer will reboot if an infection is found.
    • If the tool is unable to neutralize the infection, it will reboot again for another attempt.
    • When the tool is finished, it will save a log called boran.log in the boran-remover folder on your Desktop.
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  6. #6
    Junior Member
    Join Date
    Oct 2006
    Posts
    6

    still got pops

    Tried scanning several times... Boran is gone... but still have pop-ups...

    Here's the latest log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:38:22, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
    C:\Program Files\CNNIC\Cdn\cdnup.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=C:\WINDOWS\system\tpkIM32.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: 61.135.150.114 www.8000qq.com
    O1 - Hosts: 61.135.150.114 www.800f.net
    O1 - Hosts: 61.135.150.114 www.1000sf.cn
    O1 - Hosts: 61.135.150.114 jfengsha.comfb
    O1 - Hosts: 61.135.150.114 www.1000yf.net
    O1 - Hosts: 61.135.150.114 www.159sifu.com
    O1 - Hosts: 61.135.150.114 www.9s5.cn
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 www.wym.cn
    O1 - Hosts: 61.135.150.114 www.cc4f.cn
    O1 - Hosts: 61.135.150.114 mafan.net
    O1 - Hosts: 61.135.150.114 www.6688qn.net
    O1 - Hosts: 61.135.150.114 www.177z.com
    O1 - Hosts: 61.135.150.114 www.131sf.net
    O1 - Hosts: 61.135.150.114 tj.cntg.cn
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 www.china45.net
    O1 - Hosts: 61.135.150.114 www.ok22.com
    O1 - Hosts: 61.135.150.114 www.17mi.net
    O1 - Hosts: 61.135.150.114 www.sf8.com.cn
    O1 - Hosts: 61.135.150.114 www.13177.com
    O1 - Hosts: 61.135.150.114 ip94.fd4f.com
    O1 - Hosts: 61.135.150.114 www.521it.net
    O1 - Hosts: 61.135.150.114 www.ytdj.cn
    O1 - Hosts: 61.135.150.114 www.fwoool.cn
    O1 - Hosts: 61.135.150.114 www.5u37.net
    O1 - Hosts: 61.135.150.114 www.87sf.com
    O1 - Hosts: 61.135.150.114 ww1.swoool.com
    O1 - Hosts: 61.135.150.114 wooljsz.cn
    O1 - Hosts: 61.135.150.114 www.57wool.com
    O1 - Hosts: 61.135.150.114 www.58816.com
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 chuanqisjsf.blwool.com
    O1 - Hosts: 61.135.150.114 www.woool188.com
    O1 - Hosts: 61.135.150.114 www.sf1260.com
    O1 - Hosts: 61.135.150.114 linf23.b12.cnwg.cn
    O1 - Hosts: 61.135.150.114 www.wooolweb.com
    O1 - Hosts: 61.135.150.114 www.yq520.net
    O1 - Hosts: 61.135.150.114 www.cs222.com
    O1 - Hosts: 61.135.150.114 www.ok22.com
    O1 - Hosts: 61.135.150.114 www.7100sf.com
    O1 - Hosts: 61.135.150.114 www.1352sf.com
    O1 - Hosts: 61.135.150.114 www.458wool.cn
    O1 - Hosts: 61.135.150.114 www.555woool.cn
    O1 - Hosts: 61.135.150.114 www.kaosf.com
    O1 - Hosts: 61.135.150.114 www.siyuwl.com
    O1 - Hosts: 61.135.150.114 www.csjsz.cn
    O1 - Hosts: 61.135.150.114 www.13177.com
    O1 - Hosts: 61.135.150.114 www.458cs.com
    O1 - Hosts: 61.135.150.114 www.5573.com
    O1 - Hosts: 61.135.150.114 www.02945.com
    O1 - Hosts: 61.135.150.114 www.pkchina.net
    O1 - Hosts: 61.135.150.114 www.5181314.com
    O1 - Hosts: 61.135.150.114 www.fknf2.com
    O1 - Hosts: 61.135.150.114 www2.yoursf.com
    O1 - Hosts: 61.135.150.114 www.paocs.com
    O1 - Hosts: 61.135.150.114 www.sfboke.com
    O1 - Hosts: 61.135.150.114 www.tt878.com
    O1 - Hosts: 61.135.150.114 ww1.woool188.com
    O1 - Hosts: 61.135.150.114 www.cs119.com
    O1 - Hosts: 61.135.150.114 www.xdwoool.net
    O1 - Hosts: 61.135.150.114 www.tt515.com
    O1 - Hosts: 61.135.150.114 www.cs176.com
    O1 - Hosts: 61.135.150.114 www.552sf.com
    O1 - Hosts: 61.135.150.114 www.ipmir.com
    O1 - Hosts: 61.135.150.114 www.898woool.com
    O1 - Hosts: 61.135.150.114 www.qqks.com
    O1 - Hosts: 61.135.150.114 www.368idc.com
    O1 - Hosts: 61.135.150.114 www.csbaba.com
    O1 - Hosts: 61.135.150.114 www.4745.cn
    O1 - Hosts: 61.135.150.114 www.636400.com
    O1 - Hosts: 61.135.150.114 www.oursf.cn
    O1 - Hosts: 61.135.150.114 www.laiba173.com
    O1 - Hosts: 61.135.150.114 www.14455.com
    O1 - Hosts: 61.135.150.114 www.zheshan.net
    O1 - Hosts: 61.135.150.114 zt.aaaaasf.cn
    O1 - Hosts: 61.135.150.114 www.zt1314.cn
    O1 - Hosts: 61.135.150.114 www.zt4f.net
    O1 - Hosts: 61.135.150.114 www.zt002.com
    O1 - Hosts: 61.135.150.114 www.amir3.com
    O1 - Hosts: 61.135.150.114 www.sf1717.com
    O1 - Hosts: 61.135.150.114 www.cq333.cn
    O1 - Hosts: 61.135.150.114 www.3316.cn
    O1 - Hosts: 61.135.150.114 www.sosmir3.com
    O1 - Hosts: 61.135.150.114 www.95279.com
    O1 - Hosts: 61.135.150.114 www.sf1788.com
    O1 - Hosts: 61.135.150.114 www.4fboss.com
    O1 - Hosts: 61.135.150.114 www.45net.net
    O1 - Hosts: 61.135.150.114 www.ytdj.cn
    O1 - Hosts: 61.135.150.114 www.laiba173.com
    O1 - Hosts: 61.135.150.114 www.wow1314.com
    O1 - Hosts: 61.135.150.114 www.zgwow.com
    O1 - Hosts: 61.135.150.114 www.1000wow.net
    O1 - Hosts: 61.135.150.114 www.gowowsf.com
    O1 - Hosts: 61.135.150.114 www.wowsf.com
    O1 - Hosts: 61.135.150.114 www.wxwow.com
    O1 - Hosts: 61.135.150.114 520.xinwow.com
    O1 - Hosts: 61.135.150.114 www.wowhelp.cn
    O1 - Hosts: 61.135.150.114 www.800wow.com
    O1 - Hosts: 61.135.150.114 www.56wow.com
    O1 - Hosts: 61.135.150.114 www.45wow.com
    O2 - BHO: (no name) - {000FBDB5-8043-4F24-ABCC-22654DA54A22} - C:\PROGRA~1\INTERN~1\PLUGINS\Flash.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MyLoader Class - {09BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38} - C:\Documents and Settings\All Users\Application Data\Microsoft\giudfidjg\trgjiw.dll
    O2 - BHO: netup - {0A44CDEC-87D0-4D4D-BF97-DE9AFB9B104A} - C:\WINDOWS\system32\netidp.dll
    O2 - BHO: symndis - {166DF856-08F0-4D1C-991D-7CE3DB5C26F5} - C:\WINDOWS\system32\resacd.dll
    O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5025.dll
    O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usercrd.dll
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    O2 - BHO: SrchHook Class - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - C:\WINDOWS\system32\BarSea.dll
    O2 - BHO: UMU Class - {86450826-9507-44DC-9009-F92D2F5864EE} - C:\WINDOWS\system32\sysag.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: IEHlprObj Class - {EAACBF9E-4B91-45FF-93ED-B297093951EA} - C:\Program Files\Internet Explorer\PLUGINS\Flash_Player.dll
    O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
    O2 - BHO: (no name) - {FE32DECF-06AD-426E-9F53-3018A366B5AE} - C:\WINDOWS\system32\sys32version.dll
    O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Search Bar - {FBFF8F98-AE9D-4599-975E-E9B31E88EF04} - C:\WINDOWS\system32\BarTool.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
    O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/230?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/229?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 訪問通用網址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
    O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    O9 - Extra 'Tools' menuitem: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
    O11 - Options group: [CDNCLIENT] 中文上網
    O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156480256970
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EDEDED2E-A0A6-4085-BC52-A95255A96DBD} (CyImgChinaCtl Class) - http://fs3u.cyworld.com.cn/common/ac...CyImgChina.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ED60A15-9D0B-4DBC-A213-2B71D0ADACDF}: NameServer = 202.14.67.4,202.14.67.14
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
    O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\netgr.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Distributed Application Client (SHipING) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL.EXE (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

  7. #7
    Expert-Emeritus illukka
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289


    Download this file – combofix.exe
    and save it to your desktop, but DO NOT RUN IT YET.
    Also save the command below in Notepad as a text file so that you can copy/paste it in safe mode.

    Code:
    "%userprofile%\desktop\combofix.exe" /wow

    Boot into safe mode by tapping the F8 key just before Windows starts to load.

    Go to Start --> Run and copy/paste in the following:

    "%userprofile%\desktop\combofix.exe" /wow

    When finished, it shall produce a log for you. Save it and post that log in your next reply.

    Also post a fresh HijackThis log.

  8. #8
    Junior Member
    Join Date
    Oct 2006
    Posts
    6


    When ComboFix restarted my computer.... the computer got back to the normal Windows startup.... I had to restart the computer...

    and I don't see any log for ComboFix.

    Here is the HijackThis file...

    Logfile of HijackThis v1.99.1
    Scan saved at 00:13, on 06-11-12
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\hijackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - (no file)
    R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F3 - REG:win.ini: load=C:\WINDOWS\system\tpkIM32.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: 61.135.150.114 www.8000qq.com
    O1 - Hosts: 61.135.150.114 www.800f.net
    O1 - Hosts: 61.135.150.114 www.1000sf.cn
    O1 - Hosts: 61.135.150.114 jfengsha.comfb
    O1 - Hosts: 61.135.150.114 www.1000yf.net
    O1 - Hosts: 61.135.150.114 www.159sifu.com
    O1 - Hosts: 61.135.150.114 www.9s5.cn
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 www.wym.cn
    O1 - Hosts: 61.135.150.114 www.cc4f.cn
    O1 - Hosts: 61.135.150.114 mafan.net
    O1 - Hosts: 61.135.150.114 www.6688qn.net
    O1 - Hosts: 61.135.150.114 www.177z.com
    O1 - Hosts: 61.135.150.114 www.131sf.net
    O1 - Hosts: 61.135.150.114 tj.cntg.cn
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 www.china45.net
    O1 - Hosts: 61.135.150.114 www.ok22.com
    O1 - Hosts: 61.135.150.114 www.17mi.net
    O1 - Hosts: 61.135.150.114 www.sf8.com.cn
    O1 - Hosts: 61.135.150.114 www.13177.com
    O1 - Hosts: 61.135.150.114 ip94.fd4f.com
    O1 - Hosts: 61.135.150.114 www.521it.net
    O1 - Hosts: 61.135.150.114 www.ytdj.cn
    O1 - Hosts: 61.135.150.114 www.fwoool.cn
    O1 - Hosts: 61.135.150.114 www.5u37.net
    O1 - Hosts: 61.135.150.114 www.87sf.com
    O1 - Hosts: 61.135.150.114 ww1.swoool.com
    O1 - Hosts: 61.135.150.114 wooljsz.cn
    O1 - Hosts: 61.135.150.114 www.57wool.com
    O1 - Hosts: 61.135.150.114 www.58816.com
    O1 - Hosts: 61.135.150.114 www.spbuy.net
    O1 - Hosts: 61.135.150.114 chuanqisjsf.blwool.com
    O1 - Hosts: 61.135.150.114 www.woool188.com
    O1 - Hosts: 61.135.150.114 www.sf1260.com
    O1 - Hosts: 61.135.150.114 linf23.b12.cnwg.cn
    O1 - Hosts: 61.135.150.114 www.wooolweb.com
    O1 - Hosts: 61.135.150.114 www.yq520.net
    O1 - Hosts: 61.135.150.114 www.cs222.com
    O1 - Hosts: 61.135.150.114 www.ok22.com
    O1 - Hosts: 61.135.150.114 www.7100sf.com
    O1 - Hosts: 61.135.150.114 www.1352sf.com
    O1 - Hosts: 61.135.150.114 www.458wool.cn
    O1 - Hosts: 61.135.150.114 www.555woool.cn
    O1 - Hosts: 61.135.150.114 www.kaosf.com
    O1 - Hosts: 61.135.150.114 www.siyuwl.com
    O1 - Hosts: 61.135.150.114 www.csjsz.cn
    O1 - Hosts: 61.135.150.114 www.13177.com
    O1 - Hosts: 61.135.150.114 www.458cs.com
    O1 - Hosts: 61.135.150.114 www.5573.com
    O1 - Hosts: 61.135.150.114 www.02945.com
    O1 - Hosts: 61.135.150.114 www.pkchina.net
    O1 - Hosts: 61.135.150.114 www.5181314.com
    O1 - Hosts: 61.135.150.114 www.fknf2.com
    O1 - Hosts: 61.135.150.114 www2.yoursf.com
    O1 - Hosts: 61.135.150.114 www.paocs.com
    O1 - Hosts: 61.135.150.114 www.sfboke.com
    O1 - Hosts: 61.135.150.114 www.tt878.com
    O1 - Hosts: 61.135.150.114 ww1.woool188.com
    O1 - Hosts: 61.135.150.114 www.cs119.com
    O1 - Hosts: 61.135.150.114 www.xdwoool.net
    O1 - Hosts: 61.135.150.114 www.tt515.com
    O1 - Hosts: 61.135.150.114 www.cs176.com
    O1 - Hosts: 61.135.150.114 www.552sf.com
    O1 - Hosts: 61.135.150.114 www.ipmir.com
    O1 - Hosts: 61.135.150.114 www.898woool.com
    O1 - Hosts: 61.135.150.114 www.qqks.com
    O1 - Hosts: 61.135.150.114 www.368idc.com
    O1 - Hosts: 61.135.150.114 www.csbaba.com
    O1 - Hosts: 61.135.150.114 www.4745.cn
    O1 - Hosts: 61.135.150.114 www.636400.com
    O1 - Hosts: 61.135.150.114 www.oursf.cn
    O1 - Hosts: 61.135.150.114 www.laiba173.com
    O1 - Hosts: 61.135.150.114 www.14455.com
    O1 - Hosts: 61.135.150.114 www.zheshan.net
    O1 - Hosts: 61.135.150.114 zt.aaaaasf.cn
    O1 - Hosts: 61.135.150.114 www.zt1314.cn
    O1 - Hosts: 61.135.150.114 www.zt4f.net
    O1 - Hosts: 61.135.150.114 www.zt002.com
    O1 - Hosts: 61.135.150.114 www.amir3.com
    O1 - Hosts: 61.135.150.114 www.sf1717.com
    O1 - Hosts: 61.135.150.114 www.cq333.cn
    O1 - Hosts: 61.135.150.114 www.3316.cn
    O1 - Hosts: 61.135.150.114 www.sosmir3.com
    O1 - Hosts: 61.135.150.114 www.95279.com
    O1 - Hosts: 61.135.150.114 www.sf1788.com
    O1 - Hosts: 61.135.150.114 www.4fboss.com
    O1 - Hosts: 61.135.150.114 www.45net.net
    O1 - Hosts: 61.135.150.114 www.ytdj.cn
    O1 - Hosts: 61.135.150.114 www.laiba173.com
    O1 - Hosts: 61.135.150.114 www.wow1314.com
    O1 - Hosts: 61.135.150.114 www.zgwow.com
    O1 - Hosts: 61.135.150.114 www.1000wow.net
    O1 - Hosts: 61.135.150.114 www.gowowsf.com
    O1 - Hosts: 61.135.150.114 www.wowsf.com
    O1 - Hosts: 61.135.150.114 www.wxwow.com
    O1 - Hosts: 61.135.150.114 520.xinwow.com
    O1 - Hosts: 61.135.150.114 www.wowhelp.cn
    O1 - Hosts: 61.135.150.114 www.800wow.com
    O1 - Hosts: 61.135.150.114 www.56wow.com
    O1 - Hosts: 61.135.150.114 www.45wow.com
    O2 - BHO: (no name) - {000FBDB5-8043-4F24-ABCC-22654DA54A22} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: MyLoader Class - {09BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38} - C:\Documents and Settings\All Users\Application Data\Microsoft\giudfidjg\trgjiw.dll
    O2 - BHO: netup - {0A44CDEC-87D0-4D4D-BF97-DE9AFB9B104A} - C:\WINDOWS\system32\netidp.dll (file missing)
    O2 - BHO: symndis - {166DF856-08F0-4D1C-991D-7CE3DB5C26F5} - C:\WINDOWS\system32\rasacd.dll
    O2 - BHO: (no name) - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - (no file)
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O2 - BHO: (no name) - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - (no file)
    O2 - BHO: UMU Class - {86450826-9507-44DC-9009-F92D2F5864EE} - C:\WINDOWS\system32\sysag.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: browser Class - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\hnFC9Aeovz\hnFC9Aeovz_2001.dll
    O2 - BHO: IEHlprObj Class - {EAACBF9E-4B91-45FF-93ED-B297093951EA} - C:\Program Files\Internet Explorer\PLUGINS\Flash_Player.dll
    O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
    O2 - BHO: (no name) - {FE32DECF-06AD-426E-9F53-3018A366B5AE} - C:\WINDOWS\system32\sys32version.dll (file missing)
    O3 - Toolbar: Yahoo! ?u‥a|C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Search Bar - {FBFF8F98-AE9D-4599-975E-E9B31E88EF04} - C:\WINDOWS\system32\BarTool.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
    O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/230?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\Windows Live Toolbar\Components\zh-hk\msntabres.dll.mui/229?9ad630c753014fe184bad5494ea514bb
    O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 訪問通用網址 - C:\Program Files\CNNIC\Cdn\cnnic.htm
    O9 - Extra button: (no name) - {0062C9BD-B349-40DE-91A0-755F37ACD559} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java ¥Dħħ¥x - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: ???a?Woo - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O9 - Extra 'Tools' menuitem: ???a?Woo - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: AE°TQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
    O11 - Options group: [CDNCLIENT] ???a?Woo
    O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156480256970
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EDEDED2E-A0A6-4085-BC52-A95255A96DBD} (CyImgChinaCtl Class) - http://fs3u.cyworld.com.cn/common/ac...CyImgChina.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ED60A15-9D0B-4DBC-A213-2B71D0ADACDF}: NameServer = 202.14.67.4,202.14.67.14
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
    O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\netgr.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

  9. #9
    Junior Member
    Join Date
    Oct 2006
    Posts
    6

    Default picked up syste.exe

    ZoneAlarm picked this up, and there's a program called "TM" that kept on popping up...

  10. #10
    Expert-Emeritus illukka's Avatar
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289

    Default

    open hijackthis
    click do a system scan only
    checkmark these:

    R3 - URLSearchHook: (no name) - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - (no file)
    O2 - BHO: MyLoader Class - {09BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38} - C:\Documents and Settings\All Users\Application Data\Microsoft\giudfidjg\trgjiw.dll
    O2 - BHO: netup - {0A44CDEC-87D0-4D4D-BF97-DE9AFB9B104A} - C:\WINDOWS\system32\netidp.dll (file missing)
    O2 - BHO: symndis - {166DF856-08F0-4D1C-991D-7CE3DB5C26F5} - C:\WINDOWS\system32\rasacd.dll
    O2 - BHO: (no name) - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - (no file)
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O2 - BHO: (no name) - {6E1BC898-505A-44f4-BC88-BCE43016AC96} - (no file)
    O2 - BHO: UMU Class - {86450826-9507-44DC-9009-F92D2F5864EE} - C:\WINDOWS\system32\sysag.dll


    then close all browsers, and explorer windows
    and click fix checked

    reboot into safe mode
    click start> run >
    copy paste this command into the run box
    "%userprofile%\desktop\combofix.exe" /wow

    if combofix is not on the desktop, this will fail
    do not mouse click or do anything while it's running!

    When finished, it shall produce a log for you. Save it and post that log in your next reply.


    also post a fresh hijackthis log
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
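A small triage script, added here as an example and not taken from the thread or from HijackThis itself, that applies the same judgement illukka used by hand to the log format above: it parses HijackThis item lines (the sample below is a constructed excerpt copied from this thread's log), counts O1 hosts redirections to a single IP, and flags O2/O3/R3/O9 registrations that are orphaned or loaded from a data directory. The heuristics and the threshold of three hosts entries are my assumptions, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample: lines in HijackThis v1.99 format, copied from the
# log posted above, used only to exercise the parser offline.
SAMPLE_LOG = """\
O1 - Hosts: 61.135.150.114 www.8000qq.com
O1 - Hosts: 61.135.150.114 www.800f.net
O1 - Hosts: 61.135.150.114 www.1000sf.cn
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: MyLoader Class - {09BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38} - C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\giudfidjg\\trgjiw.dll
O2 - BHO: netup - {0A44CDEC-87D0-4D4D-BF97-DE9AFB9B104A} - C:\\WINDOWS\\system32\\netidp.dll (file missing)
O2 - BHO: (no name) - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\\windows\\system32\\cdnns.dll' missing
"""

# Every HijackThis item line starts with a section code such as R3, F2, O2, O23.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Yield (section, body) for each item line; header and process lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(text):
    """Return (section, reason, detail) tuples for entries that deserve a closer look.
    Heuristics are assumptions chosen to mirror the entries picked out in the thread."""
    items = list(parse_hjt(text))
    hits = []
    # O1: many hostnames mapped to one IP is the signature of a hosts-file hijack.
    ips = Counter(b.split()[1] for s, b in items if s == "O1" and b.startswith("Hosts:"))
    for ip, n in ips.items():
        if n >= 3:  # assumed threshold
            hits.append(("O1", f"{n} hosts entries redirected to {ip}", ip))
    for sec, body in items:
        if sec in ("O2", "O3", "R3", "O9"):
            if "(no file)" in body or "(file missing)" in body:
                hits.append((sec, "orphaned registration (no file on disk)", body))
            elif re.search(r"\\Application Data\\", body, re.I):
                hits.append((sec, "browser extension loaded from a data directory", body))
        elif sec == "O10":
            hits.append((sec, "LSP provider missing; Winsock chain needs repair", body))
    return hits
```

Orphaned entries are safe to remove; a broken O10 LSP chain is repaired rather than deleted, otherwise network access stays broken.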
