Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Help with HijackThis Log Help with HijackThis Log
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 04-20-2007, 08:56 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Question Help with HijackThis Log
Hi, all
Last morning, when I was using FireFox, the IE suddenly kept popping up ad windows even I seldom use IE at all. I haven't met this before. I did these things:

1. Downloaded VundoFix (v6.3.19) and removed the Vundos it found.
2. Deleted all old java versions on my computer.
3. Install the latest Java(TM) Runtime Environment 6 Update 1, later I removed it again.
4. Downloaded HijackThis (v1.99.1) and scaned the system.
5. I fixed some (missing files) in the HijackThis.

This morning, the Pop-up windows show again, but the VundoFix couldn't find anything.

The HijackThis log is here, could anybody help me? I just can't understand why it began so suddenly? I mean, I have used the computer for more than one year without reinstallation, and everything was fine.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:51 AM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\xloadnet\xloadnet.exe
C:\WINDOWS\updater.exe
C:\Program Files\Stickies\Stickies.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\SSTEM~1\javaw.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Thunderbird-Tray\TBTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\hggecaa.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\iqlveiip.dll",setvm
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\SSTEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Rebgrqf] "C:\Documents and Settings\chenq\My Documents\A?pPatch\m?dtc.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://chenxichenqian.spaces.live.co...d/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119395166929
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162417279187
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = omrf.hsc.net.ou.edu
O17 - HKLM\Software\..\Telephony: DomainName = omrf.hsc.net.ou.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = omrf.hsc.net.ou.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Informax\Vector NTI Suite 9\Ncbi.dll
O18 - Protocol: spotfire - {0937B384-6404-4E4A-B271-F2DC6B1199FE} - C:\Program Files\Spotfire\Packages\Spotfire.Package.ClientRuntime_16.6.1374\bin\SfPackageManager.dll
O20 - Winlogon Notify: hggecaa - C:\WINDOWS\SYSTEM32\hggecaa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - c:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RAID Storage Manager Agent (RAIDStorAgent) - Dell - c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Any advice is highly appreciated!

Qian
Last edited by Qian : 04-20-2007 at 09:03 AM.
Qian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-20-2007, 05:54 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help with HijackThis Log
1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-09-2007, 12:32 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Re: Help with HijackThis Log
sorry for the delay. Because someone has done a lot to my computer already, now the HijackThis Log is different.

It is like this:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:51 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Stickies\Stickies.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\chenq\Desktop\ProcessExplorer\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chenq\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16BEA311-12A2-4203-A34A-67E34CE3F392} - C:\WINDOWS\system32\kzsao.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\hggecaa.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F2850397-5023-434E-A285-8A450F16E71f} - C:\WINDOWS\system32\iylrnocw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rebgrqf] "C:\Documents and Settings\chenq\My Documents\A?pPatch\m?dtc.exe"
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\RACLE~1\regsvr32.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://chenxichenqian.spaces.live.co...d/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119395166929
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162417279187
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = omrf.hsc.net.ou.edu
O17 - HKLM\Software\..\Telephony: DomainName = omrf.hsc.net.ou.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = omrf.hsc.net.ou.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Informax\Vector NTI Suite 9\Ncbi.dll
O18 - Protocol: spotfire - {0937B384-6404-4E4A-B271-F2DC6B1199FE} - C:\Program Files\Spotfire\Packages\Spotfire.Package.ClientRuntime_16.6.1374\bin\SfPackageManager.dll
O20 - Winlogon Notify: hggecaa - hggecaa.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - c:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RAID Storage Manager Agent (RAIDStorAgent) - Dell - c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I just block all cookies in IE. The system seems OK, but when I decrease the privacy setting, the ads are still there.

I have another question. If i just block all the cookies, will the widows autoupdate fail?

Thank you!
Qian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-09-2007, 01:14 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help with HijackThis Log
Please run ComboFix & show me the resultant log
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-09-2007, 01:45 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Re: Help with HijackThis Log
"CHENQ" - 2007-05-09 14:34:10 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\chenq\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\auasqtbs.dll
C:\WINDOWS\system32\dkkbomdj.dll
C:\WINDOWS\system32\gorqbdda.dll
C:\WINDOWS\system32\iylrnocw.dll
C:\WINDOWS\system32\knbyddbe.dll
C:\WINDOWS\system32\lqvohsvx.dll
C:\WINDOWS\system32\odudydww.dll
C:\WINDOWS\system32\okbjiitj.dll
C:\WINDOWS\system32\pamjhfbg.dll
C:\WINDOWS\system32\tqkacyui.dll
C:\WINDOWS\system32\ukfjvqov.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\outerinfo
C:\Program Files\xloadnet
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\chenq
C:\qoobox\purity\C\DOCUME~1\chenq\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\chenq\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\chenq\APPLIC~1\SCURIT~1
C:\qoobox\purity\C\DOCUME~1\chenq\MYDOCU~1\APPATC~1
C:\qoobox\purity\C\DOCUME~1\chenq\MYDOCU~1\APPATC~1\m?dtc.exe
C:\qoobox\purity\C\Program Files\RACLE~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NM
-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))


2007-04-26 13:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
2007-04-26 11:25 60,928 --a------ C:\WINDOWS\system32\kzsao.dll
2007-04-24 13:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-04-24 12:33 281,172 --a------ C:\WINDOWS\system32\vtstu.dll.vir
2007-04-24 10:33 281,172 --a------ C:\WINDOWS\system32\ssttr.dll.vir
2007-04-24 09:33 281,172 --a------ C:\WINDOWS\system32\vtsqo.dll.vir
2007-04-24 08:33 281,172 --a------ C:\WINDOWS\system32\vtutr.dll.vir
2007-04-24 07:33 281,172 --a------ C:\WINDOWS\system32\mljge.dll.vir
2007-04-24 04:33 281,172 --a------ C:\WINDOWS\system32\vtsqn.dll.vir
2007-04-24 03:33 281,172 --a------ C:\WINDOWS\system32\mllmj.dll.vir
2007-04-24 02:33 281,172 --a------ C:\WINDOWS\system32\mljjk.dll.vir
2007-04-24 01:00 <DIR> d-------- C:\infected
2007-04-24 00:32 281,172 --a------ C:\WINDOWS\system32\pmkjh.dll.vir
2007-04-23 23:32 281,172 --a------ C:\WINDOWS\system32\mljgd.dll.vir
2007-04-23 22:32 281,172 --a------ C:\WINDOWS\system32\vturo.dll.vir
2007-04-23 21:32 281,172 --a------ C:\WINDOWS\system32\pmnll.dll.vir
2007-04-23 20:32 281,172 --a------ C:\WINDOWS\system32\pmkji.dll.vir
2007-04-23 17:32 281,172 --a------ C:\WINDOWS\system32\mlljk.dll.vir
2007-04-23 15:32 281,172 --a------ C:\WINDOWS\system32\jkkji.dll.vir
2007-04-23 09:51 281,172 --a------ C:\WINDOWS\system32\jkhfc.dll.vir
2007-04-23 09:40 <DIR> d-------- C:\WINDOWS\pss
2007-04-20 15:56 <DIR> d-------- C:\DOCUME~1\chenq\APPLIC~1\Sonic
2007-04-20 15:55 <DIR> d-------- C:\DOCUME~1\chenq\APPLIC~1\Leadertech
2007-04-20 13:24 208,998 --a------ C:\WINDOWS\system32\jryjefas.exe
2007-04-20 13:24 2,068 --a------ C:\WINDOWS\system32\aonsyxud.exe
2007-04-20 11:39 <DIR> d-------- C:\DOCUME~1\chenq\APPLIC~1\Google
2007-04-19 13:50 <DIR> d-------- C:\VundoFix Backups
2007-04-19 09:00 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-04-19 09:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
2007-04-19 08:55 2 --a------ C:\WINDOWS\system32\wtsicom.exe
2007-04-18 16:40 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-18 16:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-18 16:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-18 16:33 <DIR> d-------- C:\DOCUME~1\chenq\APPLIC~1\OverDrive
2007-04-16 15:26 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-04-16 11:06 <DIR> d-------- C:\DOCUME~1\chenq\APPLIC~1\ImgBurn
2007-04-16 10:37 <DIR> d-------- C:\DOCUME~1\chenq\APPLIC~1\CyberLink


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-27 16:53:51 -------- d-----w C:\DOCUME~1\chenq\APPLIC~1\DBDesigner4
2007-04-20 20:14:05 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-04-20 16:39:52 -------- d-----w C:\Program Files\Google
2007-04-19 19:17:34 10,025 ----a-w C:\WINDOWS\mozver.dat
2007-03-30 15:19:29 -------- d-----w C:\DOCUME~1\chenq\APPLIC~1\SSH
2007-03-17 13:54:31 -------- d-----w C:\DOCUME~1\chenq\APPLIC~1\Real
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-13 14:22:14 51,712 ----a-w C:\WINDOWS\wc98pp.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{16BEA311-12A2-4203-A34A-67E34CE3F392}"="C:\WINDOWS\system32\kzsao.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Stickies"="C:\\Program Files\\Stickies\\Stickies.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Rebgrqf"="\"C:\\Documents and Settings\\chenq\\My Documents\\A?pPatch\\m?dtc.exe\""
"Tair"="\"C:\\PROGRA~1\\RACLE~1\\regsvr32.exe\" -vt ndrv"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggecaa

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipwins
C:\Program Files\Ipwindows\ipwins.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tair
"C:\WINDOWS\SSTEM~1\javaw.exe" -vt ndrv


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Friday Back Up.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-09 14:40:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-09 14:42:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-09 14:42
Qian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-09-2007, 02:44 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help with HijackThis Log
Before fixing anything, zip/archive the following folders/files

C:\WINDOWS\system32\kzsao.dll
C:\infected

Then submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.



---------------


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  1. In the popup box that appears, copy/paste in:
    • C:\WINDOWS\system32\kzsao.dll
  2. Click the Open button.
  3. Click YES when prompted to restart your computer.

---------------


Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:
  • ErrorProtector
Please note any other programs that you dont recognize in that list in your next response


---------------


Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16BEA311-12A2-4203-A34A-67E34CE3F392}]
[-HKEY_CLASSES_ROOT\CLSID\{16BEA311-12A2-4203-A34A-67E34CE3F392}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Rebgrqf"="-
"Tair"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggecaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipwins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tair]
Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry

---------------


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\system32\vtstu.dll.vir
    C:\WINDOWS\system32\ssttr.dll.vir
    C:\WINDOWS\system32\vtsqo.dll.vir
    C:\WINDOWS\system32\vtutr.dll.vir
    C:\WINDOWS\system32\mljge.dll.vir
    C:\WINDOWS\system32\vtsqn.dll.vir
    C:\WINDOWS\system32\mllmj.dll.vir
    C:\WINDOWS\system32\mljjk.dll.vir
    C:\WINDOWS\system32\pmkjh.dll.vir
    C:\WINDOWS\system32\mljgd.dll.vir
    C:\WINDOWS\system32\vturo.dll.vir
    C:\WINDOWS\system32\pmnll.dll.vir
    C:\WINDOWS\system32\pmkji.dll.vir
    C:\WINDOWS\system32\mlljk.dll.vir
    C:\WINDOWS\system32\jkkji.dll.vir
    C:\WINDOWS\system32\jkhfc.dll.vir
    C:\WINDOWS\system32\jryjefas.exe
    C:\WINDOWS\system32\aonsyxud.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
    C:\WINDOWS\system32\wtsicom.exe


---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. Fresh combofix log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
Last edited by sUBs : 05-09-2007 at 02:48 PM.
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-09-2007, 03:00 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help with HijackThis Log
The folder C:\infected appears to be empty. You can delete it if you wish.
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-10-2007, 01:42 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Re: Help with HijackThis Log
I have performed the online-scan for two times. Because it is time-consuming, I had to leave it overnight. When I came back, all IE windows were gone. I had to scan for the second time. This time, I think it was over during my lunch. All IE windows were gone again. I am scanning now for the third time.

By the way, I could not find the ErrorProtector in the add/remove list. However, I found a program named Outerinfo. It is more than 500M, and I don't think I have installed it. May I just uninstall it?
Last edited by Qian : 05-10-2007 at 01:44 PM.
Qian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-10-2007, 01:45 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help with HijackThis Log
Please uninstall OuterInfo. It's a known baddie
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-10-2007, 04:04 PM   #10 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Re: Help with HijackThis Log
sorry, it seems I can not finish the scan today. I will have to rescan it tomorrow morning. It costs me more than 4 hours. Tomorrow I will eat my lunch with my computer.
Qian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-10-2007, 04:08 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help with HijackThis Log
Computers makes for bad lunch mates. :)

Instead of scanning the entire computer, have Kaspersky scan it drive, by drive
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-11-2007, 07:54 AM   #12 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Re: Help with HijackThis Log
This morning, the IE windows are not gone!:)

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 08:36, on 2007-05-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Stickies\Stickies.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\chenq\Desktop\ProcessExplorer\procexp.exe
C:\Documents and Settings\chenq\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rebgrqf] "C:\Documents and Settings\chenq\My Documents\A?pPatch\m?dtc.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://chenxichenqian.spaces.live.co...d/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119395166929
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162417279187
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = omrf.hsc.net.ou.edu
O17 - HKLM\Software\..\Telephony: DomainName = omrf.hsc.net.ou.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = omrf.hsc.net.ou.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Informax\Vector NTI Suite 9\Ncbi.dll
O18 - Protocol: spotfire - {0937B384-6404-4E4A-B271-F2DC6B1199FE} - C:\Program Files\Spotfire\Packages\Spotfire.Package.ClientRuntime_16.6.1374\bin\SfPackageManager.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - c:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RAID Storage Manager Agent (RAIDStorAgent) - Dell - c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Qian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-11-2007, 08:08 AM   #13 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 18
OS: Win XP


Re: Help with HijackThis Log<