Need Help to Remove the Popup Ads [RESOLVED]
Neo huang
post May 21 2006, 01:28 AM
Post #1


New Member
Posts: 8
OS: win2000



Hi, there are lots of ads popping up when I use my IE. I tried some anti-virus software but could not stop it. I saw there is a web nexus network installed in the software list, but I failed to remove it. It's really a headache.
Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 15:23:03, on 2006-5-21
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\1XConfig.exe
C:\WINNT\svchost.exe
C:\Program Files\Outlook Express\winlass.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\conime.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\301002588\Desktop\HijackThis.exe

O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\KakaTool.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 音频驱动器\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IESAddr] RunDll32 "C:\WINNT\Downlo~1\Gladiator.dll",Boot
O4 - HKLM\..\Run: [res] C:\WINNT\system32\res.exe
O4 - HKLM\..\Run: [spoolsv] C:\WINNT\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [CdnCtr] XX
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [rundll32] C:\WINNT\system32\IEXPLORER.EXE
O4 - HKLM\..\Run: [svc] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [winlass] C:\Program Files\Outlook Express\winlass.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [webacc] C:\WINNT\webacc.exe
O4 - HKCU\..\Run: [svc] C:\WINNT\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com/?u=RSTB (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED6A6B59-F9C8-451A-BA0A-B0A877C410D4}: NameServer = 202.96.209.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\njsdexts.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\Program Files\blackice\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\Program Files\blackice\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

This post has been edited by Neo huang: May 21 2006, 01:34 AM
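The helpers in this thread read a HijackThis log by eye, and the things they pick out of the log above are mechanical enough to write down: a system-binary name running from the wrong directory (C:\WINNT\svchost.exe beside the real C:\WINNT\system32\svchost.exe, spoolsv.exe from a spoolsv\ subfolder), a Run entry whose target is not a file at all ([CdnCtr] XX), an entry named after one binary that launches another ([rundll32] starting IEXPLORER.EXE), a Winlogon Notify package outside the handful Windows ships, and hooks or services whose file is missing. The script below is an added example written for this page; it is not part of the thread and not HijackThis's own code. It runs those checks over a constructed sample made from a few of the log lines above plus one known-good Winlogon Notify entry for contrast. The set of system binary names and the Winlogon Notify allowlist are illustrative assumptions, not authoritative lists.

```python
import re
from pathlib import PureWindowsPath

# Where Windows 2000 keeps its core binaries; anything carrying one of these
# names but running from somewhere else deserves a look (assumed list).
SYSTEM_DIR = r"c:\winnt\system32"
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "csrss.exe", "rundll32.exe"}
# Illustrative allowlist (assumption) of Winlogon Notify packages Windows
# ships; anything else hooking logon events is worth identifying.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample in HijackThis v1.99.1 format: a subset of the log in the
# thread plus a known-good O20 line so the allowlist check has a negative case.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\Program Files\Outlook Express\winlass.exe
C:\WINNT\system32\IEXPLORER.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [svc] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [rundll32] C:\WINNT\system32\IEXPLORER.EXE
O4 - HKLM\..\Run: [CdnCtr] XX
O4 - HKLM\..\Run: [spoolsv] C:\WINNT\system32\spoolsv\spoolsv.exe -printer
O20 - Winlogon Notify: Nls - C:\WINNT\system32\m8nq0i55e8.dll
O20 - Winlogon Notify: crypt32chain - C:\WINNT\system32\crypt32.dll
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - ")


def check_image_path(path):
    """Flag a system-binary name that is not running from the system directory."""
    p = PureWindowsPath(path)
    if p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() != SYSTEM_DIR:
        return f"'{p.name}' is a system binary name but runs from {p.parent}, not {SYSTEM_DIR}"
    return None


def check_hjt_entry(kind, line):
    """Per-section checks on one O-line; the first check that fires is the reason."""
    if "(file missing)" in line:
        return "points to a file that no longer exists (orphaned hook or service entry)"
    if kind == "O4":
        m = re.match(r"^O4 - .*?: \[(.*?)\] (.*)$", line)
        if not m:
            return None  # Startup-folder shortcuts carry no [name] part
        entry_name, target = m.group(1).lower(), m.group(2)
        if not re.search(r"\.(exe|dll|com|bat|cmd|scr|pif)\b", target, re.I):
            return f"autorun target {target!r} is not a recognisable executable"
        pm = re.search(r'([A-Za-z]:\\[^"]+?\.exe)\b', target, re.I)
        if pm:
            reason = check_image_path(pm.group(1))
            if reason:
                return reason
            launched = PureWindowsPath(pm.group(1)).name.lower()
            if entry_name + ".exe" in SYSTEM_BINARIES and launched != entry_name + ".exe":
                return f"entry named like '{entry_name}' actually launches {launched}"
    elif kind == "O20":
        m = re.match(r"^O20 - Winlogon Notify: (.+?) - (.+)$", line)
        if m and m.group(1).lower() not in KNOWN_WINLOGON_NOTIFY:
            return (f"Winlogon Notify package '{m.group(1)}' is not on the allowlist "
                    f"(loads {PureWindowsPath(m.group(2)).name})")
    return None


def triage(log_text):
    """Return [(line, reason)] for every log line that trips one of the checks."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            reason = check_hjt_entry(m.group(1), line)
        elif in_processes:
            reason = check_image_path(line)
        else:
            reason = None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Each line gets at most one reason, the first check that fires. A clean result is not proof of a clean machine: winlass.exe in the Outlook Express folder passes every check here, which is why the thread moves on to scanners and manual review rather than stopping at the log.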
Daemon
post May 21 2006, 03:11 AM
Post #2


Security Expert
Posts: 4,356
OS: XP
MVP


Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido: there should be an icon on your desktop; double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files; click OK.
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.
Neo huang
post May 22 2006, 05:46 AM
Post #3


New Member
Posts: 8
OS: win2000



Thank you Daemon. Below is the new HJT file after running ewido. The pop-up ads have decreased in frequency but still exist. (Note: this HJT file was run around 24h after the ewido run; apparently the malicious ads came back during those 24h.)

Logfile of HijackThis v1.99.1
Scan saved at 19:45:55, on 2006-5-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\blackice\blackd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\svchost.exe
C:\Program Files\Outlook Express\winlass.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINNT\system32\conime.exe
C:\WINNT\system32\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\baigoo\bgoomain.exe
C:\Program Files\hxtyzast\newweb10213.EXE
C:\Program Files\hxtyzast\601027.exe
C:\DOCUME~1\301002~1\LOCALS~1\Temp\GLJ14.tmp
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\hxtyzast\setup.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\cmd.exe
C:\Documents and Settings\301002588\Desktop\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr1.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr1.dll
O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINNT\system32\wmpdrm.dll
O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_4545.dll
O2 - BHO: CAISHOW TOOLBAR - {3AF40CB8-B3BA-4E2D-8968-4BF8DB172997} - C:\Program Files\CaiShow Tech\CaiShow\BrowerHelper.dll
O2 - BHO: 网络加速 - {5673A7C0-95CC-4646-BB07-3BD71234CEF9} - C:\WINNT\system32\MicrosoftNet.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\System32\stdup.dll
O2 - BHO: bg - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} - C:\Program Files\baigoo\BGooBHO.dll
O2 - BHO: BHelper - {8A4280AD-9B37-4922-A51D-73F3C3A32AF7} - C:\WINNT\system32\msibm\cfsbho.dll
O2 - BHO: NewWeb Controller - {9ACEEE30-143F-471A-AA45-72B061FE7D60} - C:\WINNT\system32\WinSC.dll
O2 - BHO: estAliveObj Class - {A2B7A0F0-B697-4A71-8D91-43443F57D7BB} - C:\WINNT\estAlive.dll
O2 - BHO: HBObject Class - {AE22AFE5-1EF4-4D25-9E23-D2825FB17DA1} - C:\PROGRA~1\HBClient\hbhelper.dll
O2 - BHO: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\Progra~1\Baidu\bar\BaiDuBar.dll
O2 - BHO: Webacc - {CAC068F3-A608-406B-8581-458788A67694} - C:\WINNT\system32\svchost.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\CoolWebsite\QuickLink.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\KakaTool.dll
O3 - Toolbar: 百度超级搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\Progra~1\Baidu\bar\BaiDuBar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 音频驱动器\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IESAddr] RunDll32 "C:\WINNT\Downlo~1\Gladiator.dll",Boot
O4 - HKLM\..\Run: [res] C:\WINNT\system32\res.exe
O4 - HKLM\..\Run: [spoolsv] C:\WINNT\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [CdnCtr] XX
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [rundll32] C:\WINNT\system32\IEXPLORER.EXE
O4 - HKLM\..\Run: [svc] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [winlass] C:\Program Files\Outlook Express\winlass.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [bgoomain.exe] C:\PROGRA~1\baigoo\bgoomain.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDAT\Update.exe
O4 - HKLM\..\Run: [RichMedia] C:\WINNT\system32\Rundll32.exe "C:\PROGRA~1\HBClient\hbhelper.dll",WaitWindows
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINNT\system32\msibm\cfsys.dll,cfs
O4 - HKLM\..\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [webacc] C:\WINNT\webacc.exe
O4 - HKCU\..\Run: [svc] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [pbmini] C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe
O4 - HKCU\..\Run: [caishowmanage] C:\Program Files\CaiShow Tech\CaiShow\UpdateManager.EXE
O4 - Startup: 播霸网络电视.lnk = C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStarter.exe
O4 - Startup: 划词搜索.lnk = C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: >>彩信发送<< - res://C:\Program Files\MMSAssist\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: 用炫彩图铃发送该图片 - C:\Program Files\CaiShow Tech\CaiShow\SendMMS.htm
O8 - Extra context menu item: 百度-搜索MP3 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度-搜索图片 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度-搜索新闻 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 百度-搜索歌词 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDULYRIC.HTM
O8 - Extra context menu item: 百度-搜索网页 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度-搜索贴吧 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDUPOST.HTM
O8 - Extra context menu item: 百度-词典搜索 - res://C:\Progra~1\Baidu\bar\BaiDuBar.dll/BAIDU_DIC.HTM
O9 - Extra button: 实用网址导航 - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\CoolWebsite\QuickLink.dll
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com/?u=RSTB (file missing)
O11 - Options group: [TBH] SOSO AddressBar Search
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED6A6B59-F9C8-451A-BA0A-B0A877C410D4}: NameServer = 202.96.209.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O20 - Winlogon Notify: Nls - C:\WINNT\system32\m8nq0i55e8.dll
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\System32\stdup.dll
O21 - SSODL: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\Program Files\blackice\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\Program Files\blackice\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

This post has been edited by Neo huang: May 22 2006, 05:50 AM
Daemon
post May 22 2006, 03:56 PM
Post #4


Security Expert
Posts: 4,356
OS: XP
MVP


Yes, there is more to do. Please post the ewido log I requested.
Neo huang
post May 22 2006, 09:17 PM
Post #5


New Member
Posts: 8
OS: win2000



Hi Daemon, this is the latest HJT file and ewido report.

Logfile of HijackThis v1.99.1
Scan saved at 11:16:11, on 2006-5-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\blackice\blackd.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\ServeHost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SearchNet\SearchNet.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
D:\data folder\Others\HijackThis.exe

O2 - BHO: wmpdrm - {0E674588-66B7-4E19-9D0E-2053B800F69F} - C:\WINNT\system32\wmpdrm.dll (file missing)
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: std software - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\KakaTool.dll
O3 - Toolbar: 实用搜索 - {15ADF205-4C54-4cfe-AC88-1EA0BA6D06A0} - C:\Program Files\ScanToolbar\ScanBar.dll (file missing)
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 音频驱动器\stacmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINNT\system32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [Desktop] C:\WINNT\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [IESAddr] Null
O4 - HKLM\..\Run: [i5gj3] RunDll32 "C:\WINNT\Downlo~1\i5gj3.dll",Run
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [spoolsv] C:\WINNT\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe "C:\PROGRA~1\CNNIC\Cdn\cdnspie.dll,ExecFilter solo"
O8 - Extra context menu item: &RSDN Search - res://C:\Program Files\ScanToolbar\ScanBar.dll/GoRSDN.dll.htm
O9 - Extra button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com/?u=RSTB (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O20 - Winlogon Notify: StillImage - C:\WINNT\system32\ir2ol5f31.dll
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\Program Files\blackice\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\Program Files\blackice\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Log - 北京中搜在线软件有限公司 - C:\WINNT\system32\ServeHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:08:12, 2006-5-23
+ Report-Checksum: 42055BF3

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\GoRSDN.ContextItem -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\GoRSDN.ContextItem\CLSID -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\GoRSDN.ContextItem\CurVer -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\GoRSDN.ContextItem.1 -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Pugi.PugiObj -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Pugi.PugiObj\CLSID -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Pugi.PugiObj\CurVer -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Pugi.PugiObj.1 -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : Cleaned with backup
[1212] C:\WINNT\system32\sb2res.dll -> Adware.Look2Me : Error during cleaning
[1332] C:\WINNT\system32\sb2res.dll -> Adware.Look2Me : Error during cleaning
C:\WINNT\system32\wbem\~tmp00001.exe -> Adware.AdHelper : Cleaned with backup
C:\WINNT\system32\spsinv.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\utiime.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\msicn\plugins\lup.dll -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\msicn\plugins\bm.dll -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\msicn\plugins\as.dll -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__ctf.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__mvq.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__cn.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__bt.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\mvq.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\cn.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\plugins\bt.emm -> Adware.CFS : Cleaned with backup
C:\WINNT\system32\1116\ntjdo\__efmfuf_po_sfcppu__ntjcn.emm -> Adware.AllSum : Cleaned with backup
C:\WINNT\system32\1116\tzt\xnqesn.emm -> Adware.BHO : Cleaned with backup
C:\Program Files\ScanToolbar\ScanBar.dll -> Adware.MyTool : Cleaned with backup


::Report End

Also, this is the ewido logfile:
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002

This post has been edited by Neo huang: May 22 2006, 09:20 PM
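Daemon's next step follows directly from the ewido report above: the entries marked "Error during cleaning" are the ones still live, and the [1212] and [1332] prefixes on sb2res.dll show the Look2Me DLL sitting inside two running processes, which a scanner cannot unload from within the session and which is what a dedicated remover run as a task is for. The parser below is an added example, not code from the thread or from ewido. It reads the report format shown above (a constructed subset of that report is embedded) and lists what still needs manual follow-up, grouped by malware family. Reading the bracketed number as a process ID is an assumption drawn from the report layout.

```python
import re
from collections import defaultdict

# One result line: optional "[pid] " prefix, then target, family and outcome.
RESULT_RE = re.compile(r"^(?:\[(\d+)\] )?(.+?) -> (\S+) : (.+)$")
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")

# Constructed subset of the ewido report posted in the thread, same format.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:08:12, 2006-5-23

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731} -> Adware.Generic : Error during cleaning
HKLM\SOFTWARE\Classes\GoRSDN.ContextItem -> Adware.ISTBar : Cleaned with backup
[1212] C:\WINNT\system32\sb2res.dll -> Adware.Look2Me : Error during cleaning
[1332] C:\WINNT\system32\sb2res.dll -> Adware.Look2Me : Error during cleaning
C:\WINNT\system32\spsinv.dll -> Adware.Look2Me : Cleaned with backup
C:\Program Files\ScanToolbar\ScanBar.dll -> Adware.MyTool : Cleaned with backup

::Report End
"""


def parse_report(text):
    """Turn the scan-result lines into dicts; header and footer lines are ignored."""
    items = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        pid, target, family, status = m.groups()
        items.append({
            "pid": int(pid) if pid else None,  # assumption: bracketed number is a PID
            "target": target,
            "kind": "registry" if target.upper().startswith(REGISTRY_ROOTS) else "file",
            "family": family,
            "status": status,
            "cleaned": status.lower().startswith("cleaned"),
        })
    return items


def family_summary(items):
    """Per-family count of cleaned versus failed entries."""
    counts = defaultdict(lambda: {"cleaned": 0, "error": 0})
    for it in items:
        counts[it["family"]]["cleaned" if it["cleaned"] else "error"] += 1
    return dict(counts)


def follow_up(items):
    """Entries ewido could not clean, grouped by family, with the likely reason."""
    todo = defaultdict(list)
    for it in items:
        if it["cleaned"]:
            continue
        note = it["target"]
        if it["pid"] is not None:
            note += (f" (loaded in PID {it['pid']}: a module mapped into a live process "
                     "cannot be removed from the running session)")
        elif it["kind"] == "registry":
            note += " (registry key still present)"
        todo[it["family"]].append(note)
    return dict(todo)


def in_use_modules(items):
    """Distinct file paths the scanner found loaded inside running processes."""
    return sorted({it["target"] for it in items if it["pid"] is not None})


if __name__ == "__main__":
    items = parse_report(SAMPLE_REPORT)
    for family, counts in family_summary(items).items():
        print(f"{family}: {counts['cleaned']} cleaned, {counts['error']} failed")
    for family, notes in follow_up(items).items():
        print(f"follow up for {family}:")
        for note in notes:
            print("   ", note)
```

The in-use list is the part that decides the next tool: a family with cleaned files but a module still mapped into live processes is not gone, only partially trimmed, and will typically restore itself at the next reboot unless the loaded copy is dealt with outside the session.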
Daemon
post May 22 2006, 11:18 PM
Post #6


Security Expert
Posts: 4,356
OS: XP
MVP


OK, do this for me next. Please download Atribune's Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

Also, go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINNT\system32\ServeHost.exe

Click on the submit button. Please post the results in your next reply.
Neo huang
post May 24 2006, 07:33 AM
Post #7


New Member
Posts: 8
OS: win2000



Hi Daemon, thanks for your instructions. Below is the updated HJT file, and my computer seems to be cleaned. No pop-up ads any more.

Logfile of HijackThis v1.99.1
Scan saved at 21:16:06, on 2006-5-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\blackice\blackd.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\ServeHost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\SearchNet\SearchNet.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\data folder\Others\HijackThis.exe

O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: (no name) - {2A0176FE-008B-4706-90F5-BBA532A49731}? - (no file)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\KakaTool.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 音频驱动器\stacmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINNT\system32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [Desktop] C:\WINNT\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [IESAddr] Null
O4 - HKLM\..\Run: [i5gj3] RunDll32 "C:\WINNT\Downlo~1\i5gj3.dll",Run
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [spoolsv] C:\WINNT\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe "C:\PROGRA~1\CNNIC\Cdn\cdnspie.dll,ExecFilter solo"
O8 - Extra context menu item: &RSDN Search - res://C:\Program Files\ScanToolbar\ScanBar.dll/GoRSDN.dll.htm
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com/?u=RSTB (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O21 - SSODL: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\Program Files\blackice\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\Program Files\blackice\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Log - 北京中搜在线软件有限公司 - C:\WINNT\system32\ServeHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


----------------------------------------------------------------------
And the Look2Me-Destroyer file:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 2006-5-24 21:04:20

Infected! C:\WINNT\system32\f8l00i3me8.dll
Infected! C:\WINNT\system32\wqweb.dll
Infected! C:\WINNT\system32\sb2res.dll
Infected! C:\WINNT\system32\ssobject.dll
Infected! C:\WINNT\system32\hr6605jse.dll
Infected! C:\WINNT\system32\f8l00i3me8.dll

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\f8l00i3me8.dll
C:\WINNT\system32\f8l00i3me8.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\wqweb.dll
C:\WINNT\system32\wqweb.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\sb2res.dll
C:\WINNT\system32\sb2res.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\ssobject.dll
C:\WINNT\system32\ssobject.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\hr6605jse.dll
C:\WINNT\system32\hr6605jse.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\f8l00i3me8.dll
C:\WINNT\system32\f8l00i3me8.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8EA11E7C-239B-448F-9CFF-F3D9C4AA5570}"
HKCR\Clsid\{8EA11E7C-239B-448F-9CFF-F3D9C4AA5570}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{296F7F0E-F060-4751-AD67-F51679BE2123}"
HKCR\Clsid\{296F7F0E-F060-4751-AD67-F51679BE2123}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{25ED4608-8C5C-4658-B08D-C553C220589E}"
HKCR\Clsid\{25ED4608-8C5C-4658-B08D-C553C220589E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{99A388C9-7359-46C3-8BBC-14DDAEFD3D7B}"
HKCR\Clsid\{99A388C9-7359-46C3-8BBC-14DDAEFD3D7B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8ADD5CF8-0EF9-49FB-A918-C9B64F5689E6}"
HKCR\Clsid\{8ADD5CF8-0EF9-49FB-A918-C9B64F5689E6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B0C086CB-5968-4613-9FD8-DB30A841E164}"
HKCR\Clsid\{B0C086CB-5968-4613-9FD8-DB30A841E164}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CB16F48A-B793-4FEB-AE07-1276FF4D11E9}"
HKCR\Clsid\{CB16F48A-B793-4FEB-AE07-1276FF4D11E9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E45285CE-0702-4EAA-BC9B-172EA6BD992A}"
HKCR\Clsid\{E45285CE-0702-4EAA-BC9B-172EA6BD992A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C08DC0C9-12B9-4A38-B6B6-CD6FD32D5519}"
HKCR\Clsid\{C08DC0C9-12B9-4A38-B6B6-CD6FD32D5519}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DF2505AA-1B05-432A-B94A-A6CC9E641E1F}"
HKCR\Clsid\{DF2505AA-1B05-432A-B94A-A6CC9E641E1F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9C060703-2C5E-4DD5-B02E-AB957D68C387}"
HKCR\Clsid\{9C060703-2C5E-4DD5-B02E-AB957D68C387}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{406608C7-38A4-4624-A927-139E6D7D2942}"
HKCR\Clsid\{406608C7-38A4-4624-A927-139E6D7D2942}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0C7C23EF-A848-485B-873C-0ED954731014}"
HKCR\Clsid\{0C7C23EF-A848-485B-873C-0ED954731014}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}"
HKCR\Clsid\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A57E074F-56D8-4A33-8112-AAC9693AA909}"
HKCR\Clsid\{A57E074F-56D8-4A33-8112-AAC9693AA909}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{91D43D46-DE0D-44C9-9F40-ED7415E2D7A4}"
HKCR\Clsid\{91D43D46-DE0D-44C9-9F40-ED7415E2D7A4}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


---------------------------------------------
The Jotti's scanner results:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

--------------------------------------------------------------
And the Jotti's statistics at the bottom of the page:

Scanner Malware name
AntiVir Trojan/PSW.Hazif.A.2
ArcaVir X
Avast Win32:Prostor
AVG Antivirus X
BitDefender Trojan.PWS.Prostor.B
ClamAV X
Dr.Web Trojan.PWS.Prostor
F-Prot Antivirus X
Fortinet CimgaKit.F!tr
Kaspersky Anti-Virus Trojan-PSW.Win32.Prostor.c
NOD32 probably unknown NewHeur_PE
Norman Virus Control W32/Prostor.I
UNA X
VirusBuster X
VBA32 Trojan.PWS.Ymagic


Again, thank you for your time and expertise.
Daemon
post May 24 2006, 03:48 PM
Post #8


Security Expert
Posts: 4,356
OS: XP
MVP


Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: (no name) - {2A0176FE-008B-4706-90F5-BBA532A49731}? - (no file)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\KakaTool.dll
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINNT\system32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [IESAddr] Null
O4 - HKLM\..\Run: [i5gj3] RunDll32 "C:\WINNT\Downlo~1\i5gj3.dll",Run
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O21 - SSODL: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

Click here for instructions on how to enable hidden files and folders to be visible. After enabling, find, zip and send this file:

C:\WINNT\system32\ServeHost.exe

to this e-mail address including a link to this thread in the body of the email.
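The fix list above is checked by hand against the rescan that follows it. As an added illustration of doing that check mechanically (example code written for this page, not HijackThis's or the forum's own tooling), the script below parses "On - ..." log lines into records, identifies each entry by its section, CLSID and payload path, and reports which of the listed entries are still present in a later log and which point at files HijackThis itself marked as missing. The two embedded logs are copied from the entries quoted in this thread; the path regex, the identity key and the helper names are my own assumptions, not anything HijackThis defines.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses O-section lines into records, then answers two defender questions:
  - which entries of a 'fix these' list survive in a later rescan, and
  - which entries point at a target HijackThis reported as absent.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path ending in .dll/.exe. When a host such as rundll32.exe comes
# first, the LAST path on the line is the payload (assumed heuristic).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:dll|exe)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str            # "O2", "O4", "O23", ...
    body: str               # text after "On - "
    clsid: Optional[str]    # upper-cased CLSID when the line carries one
    path: Optional[str]     # lower-cased payload path when one is present
    file_missing: bool      # HijackThis marked the target as absent

    def key(self):
        # Identity across two logs: section plus CLSID/path when available,
        # otherwise the whitespace-normalised body (e.g. a service line whose
        # image has no drive letter).
        if self.clsid or self.path:
            return (self.section, self.clsid, self.path)
        return (self.section, " ".join(self.body.lower().split()))


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an 'On - ...' line, or None for any other line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID_RE.search(body)
    paths = PATH_RE.findall(body)
    return Entry(
        section=section,
        body=body,
        clsid=clsid_m.group(0).upper() if clsid_m else None,
        path=paths[-1].lower() if paths else None,
        file_missing="(file missing)" in body or "(no file)" in body,
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def still_present(fix_list: str, later_log: str) -> List[Entry]:
    """Entries of fix_list whose identity is still found in later_log."""
    present = {e.key() for e in parse_log(later_log)}
    return [e for e in parse_log(fix_list) if e.key() in present]


def dead_references(log: str) -> List[Entry]:
    """Entries whose target HijackThis reported as missing: dead registrations."""
    return [e for e in parse_log(log) if e.file_missing]


# Sample input: the twelve entries the helper asked to fix, copied from the thread.
FIX_LIST = r"""
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: (no name) - {2A0176FE-008B-4706-90F5-BBA532A49731}? - (no file)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\KakaTool.dll
O4 - HKLM\..\Run: [mscfs] RUNDLL32 C:\WINNT\system32\msibm\cfsys.DLL,cfs
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [IESAddr] Null
O4 - HKLM\..\Run: [i5gj3] RunDll32 "C:\WINNT\Downlo~1\i5gj3.dll",Run
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O21 - SSODL: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
"""

# Sample input: a subset of the rescan posted afterwards, copied from the thread.
LATER_LOG = r"""
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: (no name) - {2A0176FE-008B-4706-90F5-BBA532A49731}? - (no file)
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Desktop] C:\WINNT\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
"""

if __name__ == "__main__":
    for e in still_present(FIX_LIST, LATER_LOG):
        print("still present:", e.section, "-", e.body)
    for e in dead_references(FIX_LIST):
        print("dead reference:", e.section, "-", e.body)
```

Run against these two logs it reports five survivors (the two SearchNet BHOs, the stdup BHO and SSODL entry, and the dfcsvc service), which are exactly the items the later posts keep chasing, and two dead references (the "(no file)" BHO and the "(file missing)" service) that are stale registrations and safe to remove. Keying on section plus CLSID/path rather than raw text means a renamed display string or a changed short path does not hide an entry that is really still there.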
Neo huang
post May 27 2006, 07:31 PM
Post #9


New Member
Posts: 8
OS: win2000



This is the new HJT file, and I sent the requested file to you. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:47:53, on 2006-5-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\blackice\blackd.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\ServeHost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SearchNet\SearchNet.exe
D:\data folder\Others\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
O2 - BHO: (no name) - {2A0176FE-008B-4706-90F5-BBA532A49731}? - (no file)
O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 音频驱动器\stacmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Desktop] C:\WINNT\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [spoolsv] C:\WINNT\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [ExFilter] Rundll32.exe "C:\PROGRA~1\CNNIC\Cdn\cdnspie.dll,ExecFilter solo"
O8 - Extra context menu item: &RSDN Search - res://C:\Program Files\ScanToolbar\ScanBar.dll/GoRSDN.dll.htm
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra 'Tools' menuitem: 彩E精灵设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra button: 访问卡卡社区 - {FF2DE7A6-ECB1-4CBC-9C0E-D92A9E66E445} - http://www.ikaka.com/?u=RSTB (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://crd.home.ge.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = e2k.ad.ge.com
O21 - SSODL: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINNT\SYSTEM32\stdup.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\Program Files\blackice\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Distributed File Controller (dfcsvc) - Unknown owner - NTOSA32.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\Program Files\blackice\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Log - 北京中搜在线软件有限公司 - C:\WINNT\system32\ServeHost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Daemon
post May 28 2006, 04:13 AM
Post #10


Security Expert
Posts: 4,356
OS: XP
MVP


Could you resend it? It got blocked the first time.

Also, go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINNT\SYSTEM32\stdup.dll

Click on the submit button. Please post the results in your next reply.
Daemon
post May 28 2006, 05:58 PM
Post #11


Security Expert
Posts: 4,356
OS: XP
MVP


The file you sent seems to be OK. Please post the results for the other one.
Neo huang
post May 30 2006, 09:26 PM
Post #12


New Member
Posts: 8
OS: win2000



Hi Daemon, because of a Windows error I have had my computer reinstalled, so please close this case. Thank you very much for your time and efforts.
Daemon
post May 31 2006, 03:28 PM
Post #13


Security Expert
Posts: 4,356
OS: XP
MVP


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.