Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

bokee.com popup & system slowdown ...pls help

Started by jonjiu , Apr 30 2006 01:57 AM

  • Please log in to reply

#1
jonjiu
Posted 30 April 2006 - 01:57 AM

jonjiu

    Member

  • Member
  • PipPip
  • 22 posts
as titled. thx!

Logfile of HijackThis v1.99.1
Scan saved at 15:53:22, on 30/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\TrojanHunter 4.5\TrojanHunter.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
D:\johnny\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AdsHlpObj Class - {49A94665-B1F5-4F05-B9C7-FB6E336E49BD} - C:\WINDOWS\system32\AdsObj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AdsObj2 Class - {7DDEA238-3E32-43FD-8223-A5E15D9666FF} - C:\WINDOWS\system32\AdsHlp2.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O2 - BHO: AdsHlpObj Class - {C74332D8-097F-41E7-8F8A-2E4D5A07A31E} - C:\WINDOWS\system32\AdsHlp.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定義面版 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108418998951
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{534FABED-21AE-4E38-BAE5-B4E6920F36D4}: NameServer = 205.252.144.28 218.102.23.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D8B5A39-D672-4C42-94D8-D44E6B4C40A0}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{766B7050-0AC3-4AEF-82CB-D8AD228A9EF3}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
Armodeluxe
Posted 30 April 2006 - 02:23 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi jonjiu,

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\AdsHlp.dll"
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • C:\WINDOWS\system32\AdsHlp.dll
  • Click Open.
  • Click Post.
Starting with clicking the browse button, repeat for these files:

C:\WINDOWS\system32\AdsObj.dll

C:\WINDOWS\system32\AdsHlp2.dll

Thank you!

Open HijackThis and click Scan. Put a check next to these:

O2 - BHO: AdsHlpObj Class - {49A94665-B1F5-4F05-B9C7-FB6E336E49BD} - C:\WINDOWS\system32\AdsObj.dll
O2 - BHO: AdsObj2 Class - {7DDEA238-3E32-43FD-8223-A5E15D9666FF} - C:\WINDOWS\system32\AdsHlp2.dll
O2 - BHO: AdsHlpObj Class - {C74332D8-097F-41E7-8F8A-2E4D5A07A31E} - C:\WINDOWS\system32\AdsHlp.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Close all other windows except HijackThis and click Fix Checked.

Reboot and please post a new HijackThis log. Are the popups gone now?
  • 0

#3
jonjiu
Posted 30 April 2006 - 03:33 AM

jonjiu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
hi Armodeluxe,

thx ! i did what u say, except that i can't find the AdsHlp.dll. I uploaded the other 2 anyway.

here's the new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 17:33:06, on 30/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\johnny\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定義面版 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108418998951
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{534FABED-21AE-4E38-BAE5-B4E6920F36D4}: NameServer = 205.252.144.28 218.102.23.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D8B5A39-D672-4C42-94D8-D44E6B4C40A0}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{766B7050-0AC3-4AEF-82CB-D8AD228A9EF3}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
jonjiu
Posted 30 April 2006 - 04:04 AM

jonjiu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
here's an update: the bokee.com ad still pop up. :whistling:
  • 0

#5
TonyKlein
Posted 30 April 2006 - 04:24 AM

TonyKlein

    Malware Expert

  • Expert
  • 642 posts
  • MVP

here's an update: the bokee.com ad still pop up. :whistling:


Hi there! :blink:

I posted: http://www.thespykil...msg4761#msg4761

See if you can find and delete those adscr.dll and adscr.dat files as well.
  • 0

#6
Armodeluxe
Posted 30 April 2006 - 11:40 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Let's take everything down with a tool. :whistling:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\Windows\System32\bocaitoolbar.dll
C:\Windows\System32\bcup.exe
C:\Windows\System32\msaddon.dll
C:\Windows\System32\msplug.dll
C:\WINDOWS\system32\AdsHlp.dll
C:\WINDOWS\system32\AdsObj.dll
C:\WINDOWS\system32\AdsHlp2.dll
C:\WINDOWS\system32\adscr.dll
C:\WINDOWS\system32\adscr.dat


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply. Let me know if you get any file not found error messages.
  • 0

#7
jonjiu
Posted 05 May 2006 - 08:12 AM

jonjiu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
hello, sorry about the late reply. here it goes:

there are some file not found messages inside the avenger log. pls see below:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kecwpahn

*******************

Script file located at: \??\C:\WINDOWS\pilqwtxt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Windows\System32\bocaitoolbar.dll not found!
Deletion of file C:\Windows\System32\bocaitoolbar.dll failed!

Could not process line:
C:\Windows\System32\bocaitoolbar.dll
Status: 0xc0000034



File C:\Windows\System32\bcup.exe not found!
Deletion of file C:\Windows\System32\bcup.exe failed!

Could not process line:
C:\Windows\System32\bcup.exe
Status: 0xc0000034

File C:\Windows\System32\msaddon.dll deleted successfully.


File C:\Windows\System32\msplug.dll not found!
Deletion of file C:\Windows\System32\msplug.dll failed!

Could not process line:
C:\Windows\System32\msplug.dll
Status: 0xc0000034

File C:\WINDOWS\system32\AdsHlp.dll deleted successfully.
File C:\WINDOWS\system32\AdsObj.dll deleted successfully.
File C:\WINDOWS\system32\AdsHlp2.dll deleted successfully.
File C:\WINDOWS\system32\adscr.dll deleted successfully.
File C:\WINDOWS\system32\adscr.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




And here's the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:08:52, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
D:\johnny\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AdsHlpObj Class - {49A94665-B1F5-4F05-B9C7-FB6E336E49BD} - C:\WINDOWS\system32\AdsObj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AdsObj2 Class - {7DDEA238-3E32-43FD-8223-A5E15D9666FF} - C:\WINDOWS\system32\AdsHlp2.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定義面版 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108418998951
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{534FABED-21AE-4E38-BAE5-B4E6920F36D4}: NameServer = 205.252.144.28 218.102.23.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D8B5A39-D672-4C42-94D8-D44E6B4C40A0}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{766B7050-0AC3-4AEF-82CB-D8AD228A9EF3}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
jonjiu
Posted 05 May 2006 - 08:31 AM

jonjiu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
update: it pops up again ~~~ :whistling:
  • 0

#9
Armodeluxe
Posted 06 May 2006 - 05:57 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Download http://www.bleepingc...es/winpfind.php

Extract WinPFind.zip to your C:\ drive.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
  • 0

#10
jonjiu
Posted 07 May 2006 - 08:49 AM

jonjiu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
thanks for your help. here's the content after scan.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

遙遙遙遙遙遙遙遙?Windows OS and Versions 遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙?
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

遙遙遙遙遙遙遙遙?Checking Selected Standard Folders 遙遙遙遙遙遙遙遙遙遙

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 16/3/2005 2:17:56 2727364 C:\WINDOWS\SYSTEM32\bgd.dll
PEC2 5/9/2001 12:00:00 41128 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 14/2/2006 9:20:14 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 7/4/2006 3:48:38 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/4/2006 3:48:38 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/8/2004 15:47:32 593920 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 4/8/2004 15:47:44 602624 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 5/9/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 30/4/2006 0:34:50 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 30/4/2006 0:34:50 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 30/4/2006 0:34:50 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 30/4/2006 0:34:50 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 4/8/2004 13:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/5/2006 22:29:38 S 2048 C:\WINDOWS\bootstat.dat
22/4/2006 23:51:48 H 1188 C:\WINDOWS\system32\script.bin
23/3/2006 7:17:16 S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
23/3/2006 14:15:40 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
13/3/2006 17:08:32 S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
17/3/2006 17:24:20 S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
30/3/2006 18:03:34 S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
7/5/2006 22:29:24 H 8192 C:\WINDOWS\system32\config\default.LOG
7/5/2006 22:30:16 H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/5/2006 22:29:38 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
7/5/2006 22:34:50 H 102400 C:\WINDOWS\system32\config\software.LOG
7/5/2006 22:35:42 H 933888 C:\WINDOWS\system32\config\system.LOG
23/4/2006 3:02:50 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/4/2006 3:31:10 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\5f1e0866-7891-47c7-b4f2-4d18909fa712
6/4/2006 3:31:10 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/5/2006 22:28:42 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/8/2004 15:48:06 64000 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 1/4/2003 16:47:50 6652928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 4/8/2004 15:48:06 538624 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 4/8/2004 15:48:06 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 4/8/2004 15:48:06 128512 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 4/8/2004 15:48:06 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 4/8/2004 15:48:06 147968 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 24/1/2003 0:11:48 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 4/8/2004 15:48:06 356864 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 4/8/2004 15:48:06 120320 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 4/8/2004 15:48:06 379392 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 4/8/2004 15:48:06 66048 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 5/9/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 4/8/2004 15:48:06 600064 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 5/9/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 4/8/2004 15:48:06 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 4/8/2004 15:48:06 250880 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 4/8/2004 15:48:06 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 4/8/2004 15:48:06 108032 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 4/8/2004 15:48:06 283648 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 5/9/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 4/8/2004 15:48:06 92160 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 4/8/2004 15:48:06 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/5/2005 4:16:36 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/9/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/9/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 5/9/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26/5/2005 4:16:36 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 24/1/2003 0:11:48 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl
Intel Corporation 24/1/2003 0:11:48 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\igfxcpl.cpl

遙遙遙遙遙遙遙遙?Checking Selected Startup Folders 遙遙遙遙遙遙遙遙遙遙?

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/2/2005 5:24:52 HS 84 C:\Documents and Settings\All Users.WINDOWS\「開始」功能表\程式集\啟動\desktop.ini
15/2/2005 12:29:26 1730 C:\Documents and Settings\All Users.WINDOWS\「開始」功能表\程式集\啟動\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
14/2/2005 20:52:00 HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
1/3/2005 21:27:36 2344 C:\Documents and Settings\All Users.WINDOWS\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
15/2/2005 5:24:52 HS 84 C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
14/2/2005 20:52:00 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

遙遙遙遙遙遙遙遙?Checking Selected Registry Keys 遙遙遙遙遙遙遙遙遙遙遙?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{454F08EA-A099-4353-834C-8A66147D4A0F}
= C:\Program Files\Tencent\QQ\qdshm.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
[開始] 功能表連接 = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{454F08EA-A099-4353-834C-8A66147D4A0F}
= C:\Program Files\Tencent\QQ\qdshm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49A94665-B1F5-4F05-B9C7-FB6E336E49BD}
AdsHlpObj Class = C:\WINDOWS\system32\AdsObj.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DDEA238-3E32-43FD-8223-A5E15D9666FF}
AdsObj2 Class = C:\WINDOWS\system32\AdsHlp2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}
ST = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
每日小秘訣(&T) = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN : C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
SoundMan SOUNDMAN.EXE
AGRSMMSG AGRSMMSG.exe
BluetoothAuthenticationAgent rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
BigDog303 C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
THGuard "C:\Program Files\TrojanHunter 4.5\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ICQ Lite
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command C:\Program Files\ICQLite\ICQLite.exe -minimize
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command C:\Program Files\ICQLite\ICQLite.exe -minimize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnappau
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnappau
hkey HKLM
command "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-tw\msnappau.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnappau
hkey HKLM
command "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-tw\msnappau.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Steam
hkey HKCU
command C:\Program Files\Steam\Steam.exe -silent
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Steam
hkey HKCU
command C:\Program Files\Steam\Steam.exe -silent
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


遙遙遙遙遙遙遙遙遙遙遙遙 Scan Complete 遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙遙
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/5/2006 22:41:28
  • 0

#11
Armodeluxe
Posted 07 May 2006 - 12:04 PM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Let's give it a try now. Since you already have Avenger, skip step 1.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\Windows\System32\bocaitoolbar.dll
C:\Windows\System32\bcup.exe
C:\Windows\System32\msaddon.dll
C:\Windows\System32\msplug.dll
C:\WINDOWS\system32\AdsHlp.dll
C:\WINDOWS\system32\AdsObj.dll
C:\WINDOWS\system32\AdsHlp2.dll
C:\WINDOWS\system32\adscr.dll
C:\WINDOWS\system32\adscr.dat

Folders to delete:

C:\program files\blogmark

Registry keys to delete:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49A94665-B1F5-4F05-B9C7-FB6E336E49BD}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DDEA238-3E32-43FD-8223-A5E15D9666FF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\blogmark
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF4D0BCA-6FE4-4FA2-BEBE-87A72B3B77F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49A94665-B1F5-4F05-B9C7-FB6E336E49BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DDEA238-3E32-43FD-8223-A5E15D9666FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BCCommunication.HTTPAPI
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BCCommunication.HTTPAPI.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BoCaiToolBar.StockBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BoCaiToolBar.StockBar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DA2EE61-6399-4C39-AEB9-0D990E610D29}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4DA2EE61-6399-4C39-AEB9-0D990E610D29}
HKEY_LOCAL_MACHINE\SOFTWARE\BlogChina

Registry values to delete:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | AboutSys
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | AboutSys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#12
jonjiu
Posted 26 May 2006 - 10:45 PM

jonjiu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi, this is the avenger log , followed by the new hijackthis log. thx for your help!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\so^mtikw

*******************

Script file located at: \??\C:\Program Files\weedkbmj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Windows\System32\bocaitoolbar.dll not found!
Deletion of file C:\Windows\System32\bocaitoolbar.dll failed!

Could not process line:
C:\Windows\System32\bocaitoolbar.dll
Status: 0xc0000034



File C:\Windows\System32\bcup.exe not found!
Deletion of file C:\Windows\System32\bcup.exe failed!

Could not process line:
C:\Windows\System32\bcup.exe
Status: 0xc0000034

File C:\Windows\System32\msaddon.dll deleted successfully.


File C:\Windows\System32\msplug.dll not found!
Deletion of file C:\Windows\System32\msplug.dll failed!

Could not process line:
C:\Windows\System32\msplug.dll
Status: 0xc0000034



File C:\WINDOWS\system32\AdsHlp.dll not found!
Deletion of file C:\WINDOWS\system32\AdsHlp.dll failed!

Could not process line:
C:\WINDOWS\system32\AdsHlp.dll
Status: 0xc0000034

File C:\WINDOWS\system32\AdsObj.dll deleted successfully.
File C:\WINDOWS\system32\AdsHlp2.dll deleted successfully.
File C:\WINDOWS\system32\adscr.dll deleted successfully.
File C:\WINDOWS\system32\adscr.dat deleted successfully.
Folder C:\program files\blogmark deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49A94665-B1F5-4F05-B9C7-FB6E336E49BD} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DDEA238-3E32-43FD-8223-A5E15D9666FF} deleted successfully.


Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\blogmark not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\blogmark failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF4D0BCA-6FE4-4FA2-BEBE-87A72B3B77F1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49A94665-B1F5-4F05-B9C7-FB6E336E49BD} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DDEA238-3E32-43FD-8223-A5E15D9666FF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BCCommunication.HTTPAPI deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BCCommunication.HTTPAPI.1 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BoCaiToolBar.StockBar not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BoCaiToolBar.StockBar failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BoCaiToolBar.StockBar.1 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BoCaiToolBar.StockBar.1 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DA2EE61-6399-4C39-AEB9-0D990E610D29} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DA2EE61-6399-4C39-AEB9-0D990E610D29} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4DA2EE61-6399-4C39-AEB9-0D990E610D29} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4DA2EE61-6399-4C39-AEB9-0D990E610D29} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\BlogChina deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|AboutSys deleted successfully.


Could not delete registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|AboutSys
Deletion of registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|AboutSys failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 12:43:44, on 27/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\johnny\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegBar] regsvr32.exe /u C:\progra~1\blogmark\bocaitoolbar.dll /s /i /n
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定義面版 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108418998951
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{534FABED-21AE-4E38-BAE5-B4E6920F36D4}: NameServer = 205.252.144.28 218.102.23.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D8B5A39-D672-4C42-94D8-D44E6B4C40A0}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{766B7050-0AC3-4AEF-82CB-D8AD228A9EF3}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP