Registered User
Join Date: Jun 2005
Posts: 5
OS: WinXP
Result from Ad-Aware SE; any kind pro, please help me with what to do? I'm a noob at this. Thanks~
Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, June 28, 2005 9:31:02 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R51 21.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
IEHijacker.richfind(TAC index:7):50 total references
Softomate Toolbar(TAC index:9):1 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

6-28-2005 9:31:02 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
 FilePath : \SystemRoot\System32\
 ProcessID : 456
 ThreadCreationTime : 6-28-2005 12:22:37 PM
 BasePriority : Normal

#:2 [csrss.exe]
 FilePath : \??\C:\WINDOWS\system32\
 ProcessID : 520
 ThreadCreationTime : 6-28-2005 12:22:39 PM
 BasePriority : Normal

#:3 [winlogon.exe]
 FilePath : \??\C:\WINDOWS\system32\
 ProcessID : 544
 ThreadCreationTime : 6-28-2005 12:22:40 PM
 BasePriority : High

#:4 [services.exe]
 FilePath : C:\WINDOWS\system32\
 ProcessID : 588
 ThreadCreationTime : 6-28-2005 12:22:41 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Services and Controller app
 InternalName : services.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : services.exe

#:5 [lsass.exe]
 FilePath : C:\WINDOWS\system32\
 ProcessID : 600
 ThreadCreationTime : 6-28-2005 12:22:41 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : LSA Shell (Export Version)
 InternalName : lsass.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : lsass.exe

#:6 [svchost.exe]
 FilePath : C:\WINDOWS\system32\
 ProcessID : 764
 ThreadCreationTime : 6-28-2005 12:22:42 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Generic Host Process for Win32 Services
 InternalName : svchost.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : svchost.exe

#:7 [svchost.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 824
 ThreadCreationTime : 6-28-2005 12:22:42 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Generic Host Process for Win32 Services
 InternalName : svchost.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : svchost.exe

#:8 [svchost.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 948
 ThreadCreationTime : 6-28-2005 12:22:43 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Generic Host Process for Win32 Services
 InternalName : svchost.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : svchost.exe

#:9 [svchost.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 964
 ThreadCreationTime : 6-28-2005 12:22:43 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Generic Host Process for Win32 Services
 InternalName : svchost.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
 FilePath : C:\WINDOWS\system32\
 ProcessID : 1088
 ThreadCreationTime : 6-28-2005 12:22:43 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (XPClient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Spooler SubSystem App
 InternalName : spoolsv.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : spoolsv.exe

#:11 [alg.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 1416
 ThreadCreationTime : 6-28-2005 12:22:52 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Application Layer Gateway Service
 InternalName : ALG.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : ALG.exe

#:12 [ccsetmgr.exe]
 FilePath : C:\Program Files\Common Files\Symantec Shared\
 ProcessID : 1428
 ThreadCreationTime : 6-28-2005 12:22:52 PM
 BasePriority : Normal
 FileVersion : 103.0.3.8
 ProductVersion : 103.0.3.8
 ProductName : Client and Host Security Platform
 CompanyName : Symantec Corporation
 FileDescription : Symantec Settings Manager Service
 InternalName : ccSetMgr
 LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
 OriginalFilename : ccSetMgr.exe

#:13 [updsvc.exe]
 FilePath : C:\Program Files\Guardware\GWPUM\
 ProcessID : 1460
 ThreadCreationTime : 6-28-2005 12:22:52 PM
 BasePriority : Normal
 FileVersion : 1, 4, 8, 52
 ProductVersion : 1, 4, 8, 52
 ProductName : Product Update Service
 CompanyName : APIIT R&D Sdn Bhd
 FileDescription : Product Update Service
 InternalName : updsvc
 LegalCopyright : Copyright © 2004
 OriginalFilename : updsvc.exe

#:14 [mdm.exe]
 FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
 ProcessID : 1484
 ThreadCreationTime : 6-28-2005 12:22:53 PM
 BasePriority : Normal
 FileVersion : 7.00.9466
 ProductVersion : 7.00.9466
 ProductName : Microsoft® Visual Studio .NET
 CompanyName : Microsoft Corporation
 FileDescription : Machine Debug Manager
 InternalName : mdm.exe
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : mdm.exe

#:15 [navapsvc.exe]
 FilePath : C:\Program Files\Norton AntiVirus\
 ProcessID : 1540
 ThreadCreationTime : 6-28-2005 12:22:54 PM
 BasePriority : Normal
 FileVersion : 11.0.9.16
 ProductVersion : 11.0.9
 ProductName : Norton AntiVirus
 CompanyName : Symantec Corporation
 FileDescription : Norton AntiVirus Auto-Protect Service
 InternalName : NAVAPSVC
 LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
 OriginalFilename : NAVAPSVC.EXE

#:16 [nod32krn.exe]
 FilePath : C:\Program Files\Eset\
 ProcessID : 1584
 ThreadCreationTime : 6-28-2005 12:22:54 PM
 BasePriority : Normal

#:17 [npfmntor.exe]
 FilePath : C:\Program Files\Norton AntiVirus\IWP\
 ProcessID : 1652
 ThreadCreationTime : 6-28-2005 12:22:54 PM
 BasePriority : Normal
 FileVersion : 11.0.9.16
 ProductVersion : 11.0.9
 ProductName : Norton AntiVirus
 CompanyName : Symantec Corporation
 FileDescription : Norton AntiVirus Firewall Install Monitor
 InternalName : NPFMonitor
 LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
 OriginalFilename : NPFMonitor.EXE

#:18 [sndsrvc.exe]
 FilePath : C:\Program Files\Common Files\Symantec Shared\
 ProcessID : 1936
 ThreadCreationTime : 6-28-2005 12:22:59 PM
 BasePriority : Normal
 FileVersion : 5.4.4.17
 ProductVersion : 5.4
 ProductName : Symantec Security Drivers
 CompanyName : Symantec Corporation
 FileDescription : Network Driver Service
 InternalName : SndSrvc
 LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
 OriginalFilename : SndSrvc.exe

#:19 [spbbcsvc.exe]
 FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
 ProcessID : 1996
 ThreadCreationTime : 6-28-2005 12:23:01 PM
 BasePriority : Normal
 FileVersion : 1,0,1,47
 ProductVersion : 1,0,1,47
 ProductName : SPBBC
 CompanyName : Symantec Corporation
 FileDescription : SPBBC Service
 InternalName : SPBBCSvc
 LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
 OriginalFilename : SPBBCSvc.exe

#:20 [symlcsvc.exe]
 FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
 ProcessID : 2016
 ThreadCreationTime : 6-28-2005 12:23:01 PM
 BasePriority : Normal
 FileVersion : 1, 8, 54, 419
 ProductVersion : 1, 8, 54, 419
 ProductName : Symantec Core Component
 CompanyName : Symantec Corporation
 FileDescription : Symantec Core Component
 InternalName : symlcsvc
 LegalCopyright : Copyright (C) 2003
 OriginalFilename : symlcsvc.exe

#:21 [ccevtmgr.exe]
 FilePath : C:\Program Files\Common Files\Symantec Shared\
 ProcessID : 188
 ThreadCreationTime : 6-28-2005 12:23:01 PM
 BasePriority : Normal
 FileVersion : 103.0.3.8
 ProductVersion : 103.0.3.8
 ProductName : Client and Host Security Platform
 CompanyName : Symantec Corporation
 FileDescription : Symantec Event Manager Service
 InternalName : ccEvtMgr
 LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
 OriginalFilename : ccEvtMgr.exe

#:22 [explorer.exe]
 FilePath : C:\WINDOWS\
 ProcessID : 1612
 ThreadCreationTime : 6-28-2005 12:23:18 PM
 BasePriority : Normal
 FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
 ProductVersion : 6.00.2600.0000
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Windows Explorer
 InternalName : explorer
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : EXPLORER.EXE

#:23 [ccapp.exe]
 FilePath : C:\Program Files\Common Files\Symantec Shared\
 ProcessID : 228
 ThreadCreationTime : 6-28-2005 12:23:29 PM
 BasePriority : Normal
 FileVersion : 103.0.3.8
 ProductVersion : 103.0.3.8
 ProductName : Client and Host Security Platform
 CompanyName : Symantec Corporation
 FileDescription : Symantec User Session
 InternalName : ccApp
 LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
 OriginalFilename : ccApp.exe

#:24 [p2p networking.exe]
 FilePath : C:\WINDOWS\System32\P2P Networking\
 ProcessID : 1976
 ThreadCreationTime : 6-28-2005 12:23:46 PM
 BasePriority : Normal
 FileVersion : 1, 26, 0, 10
 ProductVersion : 1, 26, 0, 10
 ProductName : P2P Networking
 CompanyName : Joltid Ltd.
 FileDescription : P2P Networking
 InternalName : P2P Networking
 LegalCopyright : Copyright © 2001 - 2004 Joltid Ltd. All Rights Reserved.
 LegalTrademarks : Joltid is a registered trademark of Joltid Ltd.
 OriginalFilename : P2P Networking.exe

#:25 [qttask.exe]
 FilePath : C:\Program Files\QuickTime\
 ProcessID : 1036
 ThreadCreationTime : 6-28-2005 12:23:49 PM
 BasePriority : Normal
 FileVersion : 6.4
 ProductVersion : QuickTime 6.4
 ProductName : QuickTime
 CompanyName : Apple Computer, Inc.
 InternalName : QuickTime Task
 LegalCopyright : © Apple Computer, Inc. 2001-2003
 OriginalFilename : QTTask.exe

#:26 [ituneshelper.exe]
 FilePath : C:\Program Files\iTunes\
 ProcessID : 1164
 ThreadCreationTime : 6-28-2005 12:23:52 PM
 BasePriority : Normal
 FileVersion : 4.8.0.32
 ProductVersion : 4.8.0.32
 ProductName : iTunes
 CompanyName : Apple Computer, Inc.
 FileDescription : iTunesHelper Module
 InternalName : iTunesHelper
 LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
 OriginalFilename : iTunesHelper.exe

#:27 [ipodservice.exe]
 FilePath : C:\Program Files\iPod\bin\
 ProcessID : 1316
 ThreadCreationTime : 6-28-2005 12:23:59 PM
 BasePriority : Normal
 FileVersion : 4.8.0.32
 ProductVersion : 4.8.0.32
 ProductName : iTunes
 CompanyName : Apple Computer, Inc.
 FileDescription : iPodService Module
 InternalName : iPodService
 LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
 OriginalFilename : iPodService.exe

#:28 [wuampkd.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 2020
 ThreadCreationTime : 6-28-2005 12:24:03 PM
 BasePriority : Normal

#:29 [cdnup.exe]
 FilePath : C:\Program Files\CNNIC\Cdn\
 ProcessID : 2052
 ThreadCreationTime : 6-28-2005 12:24:05 PM
 BasePriority : Normal
 FileVersion : 2, 0, 0, 0
 ProductVersion : 2, 0, 0, 0
 ProductName : CdnUpdate Module
 FileDescription : LiveUpdate Module
 InternalName : LiveUpdate
 LegalCopyright : Copyright 2005
 OriginalFilename : CdnUpdate.exe

#:30 [acgbsyer.exe]
 FilePath : C:\windows\system32\
 ProcessID : 2124
 ThreadCreationTime : 6-28-2005 12:24:09 PM
 BasePriority : Normal

#:31 [ishield.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 2148
 ThreadCreationTime : 6-28-2005 12:24:13 PM
 BasePriority : Normal
 FileVersion : 1.19
 ProductVersion : 1.19
 ProductName : iShield
 CompanyName : APIIT
 FileDescription : iShield - a browser monitoring application.
 InternalName : iShield
 LegalTrademarks : iShield is a registered trademark of GuardWare Ltd.
 OriginalFilename : iShield.exe
 Comments : iShield

#:32 [msnmsgr.exe]
 FilePath : C:\Program Files\MSN Messenger\
 ProcessID : 2172
 ThreadCreationTime : 6-28-2005 12:24:21 PM
 BasePriority : Normal
 FileVersion : 7.0.0813
 ProductVersion : 7.0.0813
 ProductName : MSN Messenger
 CompanyName : Microsoft Corporation
 FileDescription : MSN Messenger
 InternalName : msnmsgr
 LegalCopyright : Copyright (c) Microsoft Corporation 1997-2005
 LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
 OriginalFilename : msnmsgr.exe

#:33 [ctfmon.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 2268
 ThreadCreationTime : 6-28-2005 12:24:32 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : CTF Loader
 InternalName : CTFMON
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : CTFMON.EXE

#:34 [jammer.exe]
 FilePath : C:\PROGRA~1\ADVANC~1\POPUPJ~1\
 ProcessID : 2328
 ThreadCreationTime : 6-28-2005 12:24:37 PM
 BasePriority : Normal

#:35 [conime.exe]
 FilePath : C:\WINDOWS\System32\
 ProcessID : 2720
 ThreadCreationTime : 6-28-2005 12:24:59 PM
 BasePriority : Normal
 FileVersion : 5.1.2600.0 (xpclient.010817-1148)
 ProductVersion : 5.1.2600.0
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Console IME
 InternalName : Console
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : CONIME.EXE

#:36 [adsldial.exe]
 FilePath : C:\Program Files\ZTE\ADSLDIAL\
 ProcessID : 716
 ThreadCreationTime : 6-28-2005 12:31:25 PM
 BasePriority : Normal

#:37 [koreeasy.exe]
 FilePath : C:\Documents and Settings\windows xp\My Documents\bot\KE\sin\
 ProcessID : 3828
 ThreadCreationTime : 6-28-2005 1:21:44 PM
 BasePriority : Normal

#:38 [iexplore.exe]
 FilePath : C:\Program Files\Internet Explorer\
 ProcessID : 2568
 ThreadCreationTime : 6-28-2005 1:28:42 PM
 BasePriority : Normal
 FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
 ProductVersion : 6.00.2600.0000
 ProductName : Microsoft® Windows® Operating System
 CompanyName : Microsoft Corporation
 FileDescription : Internet Explorer
 InternalName : iexplore
 LegalCopyright : © Microsoft Corporation. All rights reserved.
 OriginalFilename : IEXPLORE.EXE

#:39 [ad-aware.exe]
 FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
 ProcessID : 2180
 ThreadCreationTime : 6-28-2005 1:30:28 PM
 BasePriority : Normal
 FileVersion : 6.2.0.236
 ProductVersion : SE 106
 ProductName : Lavasoft Ad-Aware SE
 CompanyName : Lavasoft Sweden
 FileDescription : Ad-Aware SE Core application
 InternalName : Ad-Aware.exe
 LegalCopyright : Copyright © Lavasoft AB Sweden
 OriginalFilename : Ad-Aware.exe
 Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IEHijacker.richfind Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_CLASSES_ROOT
 Object : xbtb00000.ietoolbar

IEHijacker.richfind Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_CLASSES_ROOT
 Object : xbtb00000.ietoolbar.1

IEHijacker.richfind Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_CLASSES_ROOT
 Object : xbtb00000.xbtb00000

IEHijacker.richfind Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_CLASSES_ROOT
 Object : xbtb00000.xbtb00000.1

Softomate Toolbar Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 9
 Category : Data Miner
 Comment :
 Rootkey : HKEY_CLASSES_ROOT
 Object : interface\{faccc49a-4d7b-415b-8250-15c3b854e9ff}

IEHijacker.richfind Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000

IEHijacker.richfind Object Recognized!
 Type : Regkey
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : toolbar_version

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : firstTime

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : CurrentFont

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : FontSize

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : CurrentLayout

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : ToolbarIsFailed

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : TBFace

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : AutoSearch

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : msgCaption

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : corruptedMsg

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : uninstallMsg

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : updateMsg

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : autoUpdateMsg

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : versionError

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : connectionError

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : lastVersionMsg

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : contextMenuItemName

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : closeAllWindowsForUpdate

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : PopStop

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : LimitedUser

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : ErrorMsg

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : firstURL

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : serverpath

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : updateUrl

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : urlAfterUpdate

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : urlAfterUninstall

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : contextSearch

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : OpenNew

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : AutoComplete

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : KeepHistory

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : RunSearchAutomatically

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : RunSearchDragAutomatically

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : DescriptiveText

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : ShowHighlightButton

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : ShowFindButtons

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : UpdateAutomatically

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : EditWidthsearchbox1

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : #EditWidthsearchbox1#

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : #UpdateAutomatically#

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : blockPopups

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : Scope

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : OldOS

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : CountOS

IEHijacker.richfind Object Recognized!
 Type : RegValue
 Data :
 TAC Rating : 7
 Category : Malware
 Comment :
 Rootkey : HKEY_USERS
 Object : S-1-5-21-220523388-1383384898-1060284298-1003\software\xbtb00000\ietoolbar
 Value : m_bWorking

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 51
Objects found so far: 51

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 51

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
 Type : IECache Entry
 Data : windows xp@atdmt[1].txt
 TAC Rating : 3
 Category : Data Miner
 Comment : Hits:1
 Value : Cookie:windows xp@atdmt.com/
 Expires : 6-28-2010 8:00:00 AM
 LastSync : Hits:1
 UseCount : 0
 Hits : 1

Tracking Cookie Object Recognized!
 Type : IECache Entry
 Data : windows xp@doubleclick[1].txt
 TAC Rating : 3
 Category : Data Miner
 Comment : Hits:1
 Value : Cookie:windows xp@doubleclick.net/
 Expires : 6-29-2005 9:47:42 PM
 LastSync : Hits:1
 UseCount : 0
 Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 53

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 53

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 53

Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 53

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 53

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 53

9:50:58 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:19:55.459
Objects scanned:104541
Objects identified:53
Objects ignored:0
New critical objects:53

HijackThis's result:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:50 PM, on 6/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Guardware\GWPUM\updsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuampkd.exe
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\windows\system32\acgbsyer.exe
C:\WINDOWS\System32\iShield.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ADVANC~1\POPUPJ~1\Jammer.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\ZTE\ADSLDIAL\adslDial.exe
C:\Documents and Settings\windows xp\My Documents\bot\KE\sin\KoreEasy.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Documents and Settings\windows xp\My Documents\My Received Files\HijackThis.exe

R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1\POPUPJ~1.DLL
O2 - BHO: EventIntercept Class - {3050CDCA-E35E-4696-A544-8B0A589CE885} - C:\WINDOWS\System32\ISIEEdit.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [renewup] C:\Program Files\CNNIC\Cdn\cdnrenew.exe
O4 - HKLM\..\Run: [acgbsyer] c:\windows\system32\acgbsyer.exe -start
O4 - HKLM\..\Run: [pumcfgp] C:\Program Files\Guardware\GWPUM\proxycfg.exe /ie
O4 - HKLM\..\Run: [iShield] C:\WINDOWS\System32\iShield.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
O4
- HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess O4 - HKCU\..\Run: [PopupJammer] C:\PROGRA~1\ADVANC~1\POPUPJ~1\Jammer.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML O8 - Extra context menu item: Add to White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\addtolist.js O8 - Extra context menu item: Delete from White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\delfromlist.js O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: ?D??é?í? - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll O9 - Extra 'Tools' menuitem: ?D??é?í? - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! 
Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll O11 - Options group: [CDNCLIENT] ?D??é?í? O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binarie...et32_EN_XP.cab O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binarie...1041_EN_XP.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://client.jogo.cn/download/cnnic/cdn_eng.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {E4F500BF-C1A3-11D6-9697-0090961B771E} (VCR.Scan) - http://www.viruschaser.com.hk/webscan/Vcrscan.CAB O17 - 
HKLM\System\CCS\Services\Tcpip\..\{1E95018C-A664-44F2-A4B2-CA3FF41EDA2C}: NameServer = 202.188.0.133,202.188.1.5 O17 - HKLM\System\CCS\Services\Tcpip\..\{51F49968-D963-40DA-998E-1E61526DC557}: NameServer = 202.188.0.133 202.188.1.5 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Guardware Product Update Service - APIIT R&D Sdn Bhd - C:\Program Files\Guardware\GWPUM\updsvc.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe |
#2
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,049
OS: WinXP Pro SP3 and Windows 7
Alright, well, first of all, you do not need to post an Ad-Aware log unless explicitly asked for, because it is just too much irrelevant info. Secondly, you need to describe your problem some; it helps with the cleaning instructions. Thirdly, you need to post your HijackThis log in the security section, not the Windows XP section.
We have a dedicated security team who know what they are doing. I recommend posting the problem there, and they will take care of you. The URL of the section I am talking about is: www.techsupportforum.com/forumdisplay.php?f=50 Or if you'd rather, I can simply move this thread for you.
__________________
If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again.
#4
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,049
OS: WinXP Pro SP3 and Windows 7
No problem!
#6
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista
Hello litlit,
Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" for each one if they are still listed (they shouldn't be - but double check it). (You must kill them one at a time.)

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\windows\system32\acgbsyer.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MyWay

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: EventIntercept Class - {3050CDCA-E35E-4696-A544-8B0A589CE885} - C:\WINDOWS\System32\ISIEEdit.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [acgbsyer] c:\windows\system32\acgbsyer.exe -start
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c5.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Using Windows Explorer, delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\P2P Networking
C:\Program Files\MyWay
C:\WINDOWS\System32\ISIEEdit.dll
c:\windows\system32\acgbsyer.exe

Do a search for these and delete if found:

wuamkop.exe
wuampkd.exe
EGDACCESS_1059.dll

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.
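The fix list above was built by reading the HijackThis log for a handful of traits: a Run value whose program has no path at all (wuamkop.exe, wuampkd.exe), entries under the legacy RunServices key, rundll32 loading a path-less DLL (EGDACCESS_1059.dll), a value name that imitates "Microsoft Update", and BHO/toolbar entries already marked "(file missing)". The script below is an added example, not TechSupportForum's or HijackThis's own code, that applies those same checks mechanically to O2/O3/O4 lines. The sample log is constructed from lines in this thread; the rule set, the 0.85 name-similarity threshold and the function names are assumptions made for the example. Entries like acgbsyer.exe, which has a full path and a plausible-looking name, are exactly what these rules miss and still need a human reviewer.

```python
import difflib
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# mixing the entries the helper told the poster to fix with known-good ones.
SAMPLE_LOG = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [acgbsyer] c:\windows\system32\acgbsyer.exe -start
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# "O4 - <body>": the section code, then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of a registry-based O4 entry: HKLM\..\Run: [value name] command line.
# Global Startup (.lnk) entries deliberately do not match.
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<sub>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The name the bogus entries in this log imitate; Windows Update itself does not
# register a Run value under it. The threshold is an assumption for this example.
LOOKALIKE_TARGETS = ("microsoft update",)
LOOKALIKE_THRESHOLD = 0.85


def parse_hjt(log):
    """Return (section, body) pairs for every recognised HijackThis line."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def split_command(cmd):
    """Split a Run command into (program, arguments); honours a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_autostart(subkey, name, cmd):
    """Reasons an O4 registry entry deserves a second look (empty list if none)."""
    reasons = []
    prog, args = split_command(cmd)
    if subkey.lower().startswith("runservices"):
        reasons.append("legacy RunServices key (Win9x era); current XP software does not use it")
    if prog.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        # rundll32 is Windows' own host; what matters is the DLL it is told to load.
        dll = args.lstrip('"').split(",")[0].strip()
        if "\\" not in dll:
            reasons.append(f"rundll32 loads {dll!r} by bare name, resolved through a PATH search")
    elif "\\" not in prog:
        reasons.append(f"program {prog!r} has no path: resolved through a PATH search, typical of a dropped file")
    for target in LOOKALIKE_TARGETS:
        if difflib.SequenceMatcher(None, name.lower(), target).ratio() >= LOOKALIKE_THRESHOLD:
            reasons.append(f"value name {name!r} imitates '{target}'")
    return reasons


def triage(log):
    """Return [(entry_line, [reasons])] for every entry that trips at least one rule."""
    findings = []
    for sec, body in parse_hjt(log):
        reasons = []
        if sec in ("O2", "O3") and body.endswith("(file missing)"):
            reasons.append("orphaned hook: its file is already gone, fixing it removes only the dead registration")
        elif sec == "O4":
            m = O4_RE.match(body)
            if m:
                reasons = check_autostart(m["sub"], m["name"], m["cmd"])
        if reasons:
            findings.append((f"{sec} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample it reports five entries: the orphaned myBar BHO, both "Microsoft Update" look-alikes under Run, the RunServices copy (three reasons at once), and the rundll32 line; ccApp, ctfmon.exe, NavShExt.dll and acgbsyer.exe pass every rule.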
#7
Registered User
Join Date: Jun 2005
Posts: 5
OS: WinXP
Logfile of HijackThis v1.99.1
Scan saved at 6:35:22 PM, on 6/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Guardware\GWPUM\updsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\iShield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\windows xp\My Documents\My Received Files\HijackThis.exe

R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1\POPUPJ~1.DLL
O2 - BHO: EventIntercept Class - {3050CDCA-E35E-4696-A544-8B0A589CE885} - C:\WINDOWS\System32\ISIEEdit.dll
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iShield] C:\WINDOWS\System32\iShield.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pumcfgp] C:\Program Files\Guardware\GWPUM\proxycfg.exe /ie
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Add to White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\addtolist.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Delete from White List - C:\PROGRA~1\ADVANC~1\POPUPJ~1\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ?D??é?í? - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra 'Tools' menuitem: ?D??é?í? - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\Cdn\cdniehlp.dll
O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\toolbar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdnns.dll
O11 - Options group: [CDNCLIENT] ?D??é?í?
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binarie...et32_EN_XP.cab
O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binarie...1041_EN_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://client.jogo.cn/download/cnnic/cdn_eng.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binarie...vc32_EN_XP.cab
O16 - DPF: {C9269872-E3D6-4811-8E5E-835CA8CBD0B3} - http://akamai.downloadv3.com/binarie...1042_EN_XP.cab
O16 - DPF: {E4F500BF-C1A3-11D6-9697-0090961B771E} (VCR.Scan) - http://www.viruschaser.com.hk/webscan/Vcrscan.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E95018C-A664-44F2-A4B2-CA3FF41EDA2C}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Guardware Product Update Service - APIIT R&D Sdn Bhd - C:\Program Files\Guardware\GWPUM\updsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#8
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista
Hi,
Your log looks clean. Are there any more problems?

Turn off System Restore

Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK. Now re-enable System Restore. This will prevent any reinfection from any previous restore points.

**Note** Your XP and I.E. are terribly outdated: It is very important that you get all of the critical updates for your Operating System and Internet Explorer. I notice your browser and XP are not up to date and this makes you susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:
Spyware Blaster
Spyware Guard
IE-Spyad