[leobb]

Guess i hav visited some site with virus
here is my hjtlog
thank you
Logfile of HijackThis v1.99.1
Scan saved at 20:04:08, on 18/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\mshostsr.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\zts2.exe
D:\WINDOWS\System32\winrar.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\wlzs.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\ms.exe
D:\WINDOWS\System32\heysgj.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\east\SVCH0ST.EXE
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Documents and Settings\leobb\Desktop\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\Program Files\real\atloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E42222A2-B6E6-4242-A943-CDC0415AD763} - D:\WINDOWS\system32\3721.8.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: 毞狟刲坰 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - D:\WINDOWS\Downloaded Program Files\iebar23.0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adx.exe] D:\Program Files\real\adx.exe
O4 - HKLM\..\Run: [mhs2] D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe
O4 - HKLM\..\Run: [rxzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe
O4 - HKLM\..\Run: [zts2] D:\DOCUME~1\leobb\LOCALS~1\Temp\zts2.exe
O4 - HKLM\..\Run: [wlzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\wlzs.exe
O4 - HKLM\..\Run: [WindowsXP] D:\DOCUME~1\leobb\LOCALS~1\Temp\ms.exe
O4 - HKLM\..\Run: [ybgxir] D:\WINDOWS\System32\heysgj.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [myZt] D:\WINDOWS\east\SVCH0ST.EXE
O4 - Startup: Hyalo-ToDo by adni18.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: 使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 建立行動最愛 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: 建立行動最愛... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .TIF: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...RdxIE601_tw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159436673217
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA6F7AC-FF1D-4F8C-8F66-BB6CADE8F4AD}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 533931M.BMP
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GrayPigeonServer - Unknown owner - D:\WINDOWS\G_Server2006.exe
O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - D:\WINDOWS\G_Server1.23.exe
O23 - Service: GrayPigeon_Hacker.com.cn - Unknown owner - D:\WINDOWS\Hacker.com.cn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Provisioning Transaction Service (ttt_13) - Unknown owner - D:\WINDOWS\System32\winrar.exe

[Advertisements]

Download AVG Anti-Spyware from http://www.ewido.net/en/download/ and save that file to your desktop. Note: This is NOT the Anti Virus from AVG.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
o Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
o Select "Automatically generate report after every scan"
o Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following:
5. If you have any infections you will be prompted. Then select "Apply all actions."
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the log from AVG and a new HiJack log

[MFDnSC]

Download AVG Anti-Spyware from http://www.ewido.net/en/download/ and save that file to your desktop. Note: This is NOT the Anti Virus from AVG.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
o Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
o Select "Automatically generate report after every scan"
o Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following:
5. If you have any infections you will be prompted. Then select "Apply all actions."
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the log from AVG and a new HiJack log

[leobb]

thank you for your kind attention

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:45:59 AM 12/19/2006

+ Scan result:



D:\Documents and Settings\leobb\Local Settings\Temp\4\cdnaux.dll -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\4\cdnforie.dll -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\4\cdnunins.exe -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\7\cdnaux.dll -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\7\cdnforie.dll -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\7\cdnunins.exe -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\E\cdnaux.dll -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\E\cdnunins.exe -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Program Files\CNNIC\Cdn\cdnaux.dll -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Program Files\CNNIC\Cdn\cdnunins.exe -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\4\cdnins.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\7\cdnins.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\E\cdnins.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\4H2J8H6N\j[1].exe/DeskUn.exe -> Adware.WSearch : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\4H2J8H6N\j[1].exe/Mrup.exe -> Adware.WSearch : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\4H2J8H6N\j[1].exe/deskipn.dll.zgx -> Adware.WSearch : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\j[1].exe/DeskUn.exe -> Adware.WSearch : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\j[1].exe/Mrup.exe -> Adware.WSearch : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\j[1].exe/deskipn.dll.zgx -> Adware.WSearch : Cleaned with backup (quarantined).
D:\WINDOWS\system32\windows.exe/DeskUn.exe -> Adware.WSearch : Cleaned with backup (quarantined).
D:\WINDOWS\system32\windows.exe/Mrup.exe -> Adware.WSearch : Cleaned with backup (quarantined).
D:\WINDOWS\system32\windows.exe/deskipn.dll.zgx -> Adware.WSearch : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\4H2J8H6N\j[1].exe/Run.dll.zgx -> Adware.Zhongsou : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\4H2J8H6N\j[1].exe/fshook.dll.zgx -> Adware.Zhongsou : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\j[1].exe/Run.dll.zgx -> Adware.Zhongsou : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\j[1].exe/fshook.dll.zgx -> Adware.Zhongsou : Cleaned with backup (quarantined).
D:\WINDOWS\system32\windows.exe/Run.dll.zgx -> Adware.Zhongsou : Cleaned with backup (quarantined).
D:\WINDOWS\system32\windows.exe/fshook.dll.zgx -> Adware.Zhongsou : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\OU50AN9M\gz[1].exe -> Backdoor.Hupigon.aqw : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\WRZZYKP5\gz[1].exe -> Backdoor.Hupigon.aqw : Cleaned with backup (quarantined).
D:\WINDOWS\G_Server2006.DLL -> Backdoor.Hupigon.aqw : Cleaned with backup (quarantined).
D:\WINDOWS\G_Server2006.exe -> Backdoor.Hupigon.aqw : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\gz[1].exe -> Backdoor.Hupigon.diu : Cleaned with backup (quarantined).
D:\WINDOWS\G_Server1.23.exe -> Backdoor.Hupigon.diu : Cleaned with backup (quarantined).
D:\WINDOWS\system32\mshelpbak.scr -> Backdoor.Sentry.15 : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\OU50AN9M\good[1].htm -> Downloader.Agent.m : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\good[1].htm -> Downloader.Agent.m : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\YRY3QPIZ\good[1].htm -> Downloader.Agent.m : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\6MAHDTG6\CAYZ8LQ7.php -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\EBMFULI7\1677[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\OU50AN9M\1677[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\OU50AN9M\1677[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\OU50AN9M\popup_code[1].php -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\SXSP6N0D\popup_code[1].php -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\TCXLNTTF\popupjs[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\1677[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\VWNB64JR\popupjs[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\WRZZYKP5\1677[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\YRY3QPIZ\CAEV8XO9.php -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\SXSP6N0D\kehu[1].htm -> Downloader.Psyme.de : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\truF9.tmp -> Downloader.Small.ebh : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\truFB.tmp -> Downloader.Small.ebh : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\4\cdnprot.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\7\cdnprot.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\E\cdnprot.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\cdnprot.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\ciggafih.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\jbjaajhj.sys -> Downloader.Small.npa : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\J71J358W\pop[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\TCXLNTTF\index[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7901D59D-5608-43F7-A4F6-B9F487B70E23}\RP86\A0013588.exe -> Trojan.Agent.abf : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\EPV818NY\wl[1].exe -> Trojan.Agent.ix : Cleaned with backup (quarantined).
D:\WINDOWS\system32\wl.exe -> Trojan.Agent.ix : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\ck3.exe.exe -> Trojan.Delf.pj : Cleaned with backup (quarantined).
D:\Program Files\Internet Explorer\IEXPLORE.jmp -> Trojan.Delf.pj : Cleaned with backup (quarantined).
D:\Program Files\Internet Explorer\IEXPLORE.Sys -> Trojan.Delf.xu : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{7901D59D-5608-43F7-A4F6-B9F487B70E23}\RP86\A0014543.Sys -> Trojan.Delf.xu : Cleaned with backup (quarantined).
[732] D:\Program Files\Internet Explorer\IEXPLORE.Sys -> Trojan.Delf.xu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7901D59D-5608-43F7-A4F6-B9F487B70E23}\RP86\A0013585.exe -> Trojan.Lmir.bfv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7901D59D-5608-43F7-A4F6-B9F487B70E23}\RP86\A0013589.exe -> Trojan.Lmir.bfv : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\WRZZYKP5\bb[1].exe -> Trojan.Lmir.bfv : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\KHI3O56Z\68097[1].exe -> Trojan.Lmir.bgj : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temporary Internet Files\Content.IE5\WRZZYKP5\3[1].exe -> Trojan.Lmir.bgj : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{7901D59D-5608-43F7-A4F6-B9F487B70E23}\RP86\A0014553.DLL -> Trojan.Lmir.bgk : Cleaned with backup (quarantined).
D:\WINDOWS\533931.DLL -> Trojan.Lmir.bgk : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\0yz8us0.sys -> Trojan.Nilage.avi : Cleaned with backup (quarantined).
D:\Documents and Settings\leobb\Local Settings\Temp\rxzs.dll -> Trojan.OnLineGames.do : Cleaned with backup (quarantined).
D:\WINDOWS\~tmp1313.exe -> Worm.Viking.dm : Cleaned with backup (quarantined).


::Report end









Logfile of HijackThis v1.99.1
Scan saved at 0:52:41, on 19/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe
D:\Program Files\CNNIC\Cdn\cdnup.exe
D:\WINDOWS\System32\IMSCMIG.exe
D:\WINDOWS\System32\heysgj.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\tpxhst32.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\winrar.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\east\SVCH0ST.EXE
D:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\leobb\Desktop\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - D:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\Program Files\real\atloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E42222A2-B6E6-4242-A943-CDC0415AD763} - D:\WINDOWS\system32\3721.8.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: 毞狟刲坰 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - D:\WINDOWS\Downloaded Program Files\iebar23.0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adx.exe] D:\Program Files\real\adx.exe
O4 - HKLM\..\Run: [mhs2] D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe
O4 - HKLM\..\Run: [rxzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe
O4 - HKLM\..\Run: [zts2] D:\DOCUME~1\leobb\LOCALS~1\Temp\zts2.exe
O4 - HKLM\..\Run: [wlzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\wlzs.exe
O4 - HKLM\..\Run: [WindowsXP] D:\DOCUME~1\leobb\LOCALS~1\Temp\ms.exe
O4 - HKLM\..\Run: [CdnCtr] D:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [IMSCMIG.exe] D:\WINDOWS\System32\IMSCMIG.exe
O4 - HKLM\..\Run: [tpxhst32.exe] D:\WINDOWS\System32\tpxhst32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ybgxir] D:\WINDOWS\System32\heysgj.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [myZt] D:\WINDOWS\east\SVCH0ST.EXE
O4 - Startup: Hyalo-ToDo by adni18.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: 使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 訪問通用網址 - D:\Program Files\CNNIC\Cdn\cnnic.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 建立行動最愛 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: 建立行動最愛... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - D:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: 中文上網 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - D:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [CDNCLIENT] 中文上網
O12 - Plugin for .TIF: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...RdxIE601_tw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159436673217
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA6F7AC-FF1D-4F8C-8F66-BB6CADE8F4AD}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 533931M.BMP
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GrayPigeonServer - Unknown owner - D:\WINDOWS\G_Server2006.exe (file missing)
O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - D:\WINDOWS\G_Server1.23.exe (file missing)
O23 - Service: GrayPigeon_Hacker.com.cn - Unknown owner - D:\WINDOWS\Hacker.com.cn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Provisioning Transaction Service (ttt_13) - Unknown owner - D:\WINDOWS\System32\winrar.exe

[MFDnSC]

1 Download this file :

http://download.blee...aB/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall
============

Post a new hijack log

[leobb]

ComboFix 06.12.01W - Running from: "D:\Documents and Settings\leobb\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Program Files\Internet Explorer\PLUGINS\System8.sys
D:\Program Files\INSTALL.LOG
D:\Program Files\Internet Explorer\PLUGINS\system.jmp
D:\autorun.inf
D:\WINDOWS\system32\downdll.dll
D:\WINDOWS\system32\mywl.dll
D:\WINDOWS\system32\SVKP.sys
D:\WINDOWS\system32\QQhx.dat
D:\Program Files\Internet Explorer\plugins\System8.sys
D:\Program Files\DeskAdTop
D:\WINDOWS\system32\3721.8.dll
D:\WINDOWS\system32\3721.8.dll


((((((((((((((((((((((((((((((( Files Created from 2006-11-19 to 2006-12-19 ))))))))))))))))))))))))))))))))))


2006-12-19 21:38 2,368 --a------ D:\WINDOWS\system32\SVKP.sys
2006-12-19 21:37 <DIR> d-------- D:\WINDOWS\erdnt
2006-12-19 01:36 <DIR> d-------- D:\Documents and Settings\leobb\Application Data\CyberLink
2006-12-19 01:35 <DIR> d-------- D:\Program Files\powerdvd
2006-12-19 01:35 <DIR> d-------- D:\download
2006-12-19 01:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\CyberLink
2006-12-19 01:15 <DIR> d-------- D:\Documents and Settings\leobb\Application Data\Apple Computer
2006-12-19 01:01 5,672 --a------ D:\WINDOWS\system32\IMSCMIG.exe
2006-12-19 00:55 61,440 --a------ D:\WINDOWS\system32\SysShellKernel.dll
2006-12-19 00:17 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-19 00:17 <DIR> d-------- D:\Program Files\Grisoft
2006-12-18 23:47 41,984 --a------ D:\WINDOWS\system32\windhcp.dll
2006-12-18 23:46 5,732 --a------ D:\WINDOWS\system32\tpxhst32.exe
2006-12-18 18:51 61,952 -r-hs---- D:\WINDOWS\G_SERVER2006KEY.DLL
2006-12-18 18:51 54,392 ---hs---- D:\sxs.exe
2006-12-18 18:28 54,392 ---hs---- D:\WINDOWS\system32\heysgj.exe
2006-12-18 18:28 40,448 ---hs---- D:\WINDOWS\system32\heysgj.dll
2006-12-18 18:28 132,608 --a------ D:\WINDOWS\system32\winrar.exe
2006-12-18 16:44 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2006-12-18 16:44 <DIR> d-------- D:\Program Files\Lavasoft
2006-12-18 16:44 <DIR> d-------- D:\Documents and Settings\leobb\Application Data\Lavasoft
2006-12-18 16:44 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-18 16:08 <DIR> d-------- D:\WINDOWS\east
2006-12-18 16:06 <DIR> d-------- D:\Program Files\Eset
2006-12-16 18:53 <DIR> d-------- D:\Program Files\Warcraft III
2006-12-16 17:17 2,829 --a------ D:\WINDOWS\War3Unin.pif
2006-12-16 17:17 126,976 --a------ D:\WINDOWS\War3Unin.exe
2006-12-16 17:13 <DIR> d-------- D:\Program Files\Warcraft3
2006-12-11 20:37 854,016 --a------ D:\Program Files\Hyalo-ToDo gadget by adni18.exe
2006-12-06 17:06 <DIR> d-------- D:\Program Files\EA GAMES
2006-12-06 02:44 442,368 -ra------ D:\WINDOWS\system32\vp6vfw.dll
2006-12-04 23:12 681,836 --a------ D:\PDK.exe
2006-12-04 21:55 8,941,964 --a------ D:\PDS.exe
2006-12-03 13:22 <DIR> d-------- D:\WINDOWS\MyTvPlayer
2006-11-27 19:23 <DIR> d-------- D:\Documents and Settings\leobb\Application Data\vlc
2006-11-27 19:18 <DIR> d-------- D:\Program Files\VideoLAN
2006-11-26 03:19 <DIR> d-------- D:\Program Files\FlashGet
2006-11-24 02:45 <DIR> d-------- D:\Program Files\Common Files\xing shared
2006-11-23 02:47 <DIR> d-------- D:\WINDOWS\system32\appmgmt
2006-11-22 18:26 774,760 --------- D:\WINDOWS\Hacker.com.cn.exe
2006-11-19 13:24 <DIR> d-------- D:\Program Files\ICQToolbar
2006-11-19 13:24 <DIR> d-------- D:\Program Files\ICQLite
2006-11-19 13:24 <DIR> d-------- D:\Documents and Settings\leobb\Application Data\ICQLite
2006-11-19 00:36 <DIR> d-------- D:\Program Files\MAME32k


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-19 01:35 -------- d--h----- D:\Program Files\InstallShield Installation Information
2006-12-19 00:48 -------- d-------- D:\Program Files\Internet Explorer
2006-12-18 23:46 -------- d-------- D:\Program Files\Ventrilo
2006-12-18 15:46 32512 --a------ D:\WINDOWS\system32\drivers\npf.sys
2006-12-18 14:22 -------- d-------- D:\Program Files\Real
2006-12-16 21:23 -------- d-------- D:\Program Files\WC3Banlist
2006-12-15 23:10 -------- d-------- D:\Documents and Settings\leobb\Application Data\AdobeUM
2006-12-11 20:31 -------- d-------- D:\Program Files\Pimero
2006-12-02 23:33 -------- d-------- D:\Documents and Settings\leobb\Application Data\Hamachi
2006-11-24 02:46 -------- d-------- D:\Documents and Settings\leobb\Application Data\Real
2006-11-24 02:45 -------- d-------- D:\Program Files\Common Files\Real
2006-11-24 02:45 -------- d-------- D:\Program Files\Common Files
2006-11-18 12:50 -------- d-------- D:\Program Files\SC
2006-11-18 02:57 -------- d-------- D:\Program Files\CyberLink
2006-11-17 01:03 -------- d-------- D:\Program Files\eMule
2006-11-10 17:39 98304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
2006-11-10 17:18 -------- d-------- D:\Program Files\KONAMI
2006-10-30 15:52 -------- d---s---- D:\Documents and Settings\leobb\Application Data\Microsoft
2006-10-26 21:26 -------- d-------- D:\Program Files\WinPcap
2006-10-22 02:18 -------- d-------- D:\Program Files\Windows Media Player
2006-10-21 20:48 163644 --a------ D:\WINDOWS\system32\drivers\secdrv.sys
2006-10-21 19:31 -------- d-------- D:\Documents and Settings\leobb\Application Data\DivX
2006-10-19 20:12 -------- d-------- D:\Program Files\DivX
2006-10-03 03:04 806912 --a------ D:\WINDOWS\system32\divx_xx0c.dll
2006-10-03 03:04 806912 --a------ D:\WINDOWS\system32\divx_xx07.dll
2006-10-03 03:04 790528 --a------ D:\WINDOWS\system32\divx_xx11.dll
2006-10-03 03:04 635486 --a------ D:\WINDOWS\system32\DivX.dll
2006-09-16 01:53 863 --a------ D:\Documents and Settings\leobb\Application Data\AdobeDLM.log
2006-09-16 01:53 0 --a------ D:\Documents and Settings\leobb\Application Data\dm.ini
2006-09-12 12:42 62 --ahs---- D:\Documents and Settings\leobb\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\System32\\ctfmon.exe"
"swg"="D:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"myZt"="D:\\WINDOWS\\east\\SVCH0ST.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CJIMETIPSYNC"="D:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMTC65\\CHANGJIE\\CINTLCFG.EXE /CJIMETIPSync"
"PHIMETIPSYNC"="D:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMTC65\\PHONETIC\\TINTLCFG.EXE /PHIMETIPSync"
"NvMediaCenter"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"adx.exe"="D:\\Program Files\\real\\adx.exe"
"mhs2"="D:\\DOCUME~1\\leobb\\LOCALS~1\\Temp\\mhs2.exe"
"rxzs"="D:\\DOCUME~1\\leobb\\LOCALS~1\\Temp\\rxzs.exe"
"zts2"="D:\\DOCUME~1\\leobb\\LOCALS~1\\Temp\\zts2.exe"
"wlzs"="D:\\DOCUME~1\\leobb\\LOCALS~1\\Temp\\wlzs.exe"
"WindowsXP"="D:\\DOCUME~1\\leobb\\LOCALS~1\\Temp\\ms.exe"
"IMSCMIG.exe"="D:\\WINDOWS\\System32\\IMSCMIG.exe"
"tpxhst32.exe"="D:\\WINDOWS\\System32\\tpxhst32.exe"
"RemoteControl"="\"D:\\Program Files\\powerdvd\\PDVDServ.exe\""
"LanguageShortcut"="\"D:\\Program Files\\powerdvd\\Language\\Language.exe\""
"ybgxir"="D:\\WINDOWS\\System32\\heysgj.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\System32\\ctfmon.exe"
"swg"="D:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="D:\\WINDOWS\\System32\\ctfmon.exe"
"swg"="D:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}"=""
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000bd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"hx-2"="2"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

Completion time: 06-12-19 21:38:35.98
D:\ComboFix.txt ... 06-12-19 21:38










Logfile of HijackThis v1.99.1
Scan saved at 21:54:52, on 19/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe
D:\Program Files\powerdvd\PDVDServ.exe
D:\WINDOWS\System32\heysgj.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\east\SVCH0ST.EXE
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Documents and Settings\leobb\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\Program Files\real\atloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: SysShellKernel - {E04B27AA-3973-4D68-8F42-B7C2FC8C6CF7} - D:\WINDOWS\System32\SysShellKernel.dll
O2 - BHO: (no name) - {E42222A2-B6E6-4242-A943-CDC0415AD763} - D:\WINDOWS\system32\3721.8.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: 毞狟刲坰 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - D:\WINDOWS\Downloaded Program Files\iebar23.0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adx.exe] D:\Program Files\real\adx.exe
O4 - HKLM\..\Run: [mhs2] D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe
O4 - HKLM\..\Run: [rxzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe
O4 - HKLM\..\Run: [zts2] D:\DOCUME~1\leobb\LOCALS~1\Temp\zts2.exe
O4 - HKLM\..\Run: [wlzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\wlzs.exe
O4 - HKLM\..\Run: [WindowsXP] D:\DOCUME~1\leobb\LOCALS~1\Temp\ms.exe
O4 - HKLM\..\Run: [IMSCMIG.exe] D:\WINDOWS\System32\IMSCMIG.exe
O4 - HKLM\..\Run: [tpxhst32.exe] D:\WINDOWS\System32\tpxhst32.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\powerdvd\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\powerdvd\Language\Language.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ybgxir] D:\WINDOWS\System32\heysgj.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [myZt] D:\WINDOWS\east\SVCH0ST.EXE
O4 - Startup: Hyalo-ToDo by adni18.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: 使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 建立行動最愛 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: 建立行動最愛... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .TIF: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...RdxIE601_tw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159436673217
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA6F7AC-FF1D-4F8C-8F66-BB6CADE8F4AD}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Provisioning Transaction Service (ttt_13) - Unknown owner - D:\WINDOWS\System32\winrar.exe (file missing)

[MFDnSC]

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\Program Files\real\atloader.dll

O2 - BHO: SysShellKernel - {E04B27AA-3973-4D68-8F42-B7C2FC8C6CF7} - D:\WINDOWS\System32\SysShellKernel.dll

O2 - BHO: (no name) - {E42222A2-B6E6-4242-A943-CDC0415AD763} - D:\WINDOWS\system32\3721.8.dll (file missing)

O3 - Toolbar: 毞狟刲坰 - {56A7DC70-E102-4408-A34A-AE06FEF01586} - D:\WINDOWS\Downloaded Program Files\iebar23.0.dll (file missing)

O4 - HKLM\..\Run: [adx.exe] D:\Program Files\real\adx.exe

O4 - HKLM\..\Run: [mhs2] D:\DOCUME~1\leobb\LOCALS~1\Temp\mhs2.exe

O4 - HKLM\..\Run: [rxzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\rxzs.exe

O4 - HKLM\..\Run: [zts2] D:\DOCUME~1\leobb\LOCALS~1\Temp\zts2.exe

O4 - HKLM\..\Run: [wlzs] D:\DOCUME~1\leobb\LOCALS~1\Temp\wlzs.exe

O4 - HKLM\..\Run: [WindowsXP] D:\DOCUME~1\leobb\LOCALS~1\Temp\ms.exe

O4 - HKLM\..\Run: [IMSCMIG.exe] D:\WINDOWS\System32\IMSCMIG.exe

O4 - HKLM\..\Run: [tpxhst32.exe] D:\WINDOWS\System32\tpxhst32.exe

O4 - HKLM\..\Run: [ybgxir] D:\WINDOWS\System32\heysgj.exe

O4 - HKCU\..\Run: [myZt] D:\WINDOWS\east\SVCH0ST.EXE

O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe (file missing)

O23 - Service: Provisioning Transaction Service (ttt_13) - Unknown owner - D:\WINDOWS\System32\winrar.exe (file missing)
===========================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Provisioning Transaction Service

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

Repeat for - host Service For Windows
==========================
DownLoad http://www.downloads...org/KillBox.zip or
http://www.thespykil...les/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

D:\WINDOWS\G_SERVER2006KEY.DLL
D:\sxs.exe
D:\WINDOWS\system32\heysgj.exe
D:\WINDOWS\system32\heysgj.dll
D:\WINDOWS\system32\windhcp.dll
D:\WINDOWS\system32\tpxhst32.exe
D:\WINDOWS\System32\SysShellKernel.dll
D:\Program Files\real\adx.exe
D:\WINDOWS\System32\tpxhst32.exe
D:\WINDOWS\System32\heysgj.exe
D:\WINDOWS\east



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system

[leobb]

sorry for my late reply

Logfile of HijackThis v1.99.1
Scan saved at 21:08:43, on 22/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\devgt.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\powerdvd\PDVDServ.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
D:\Program Files\Messenger\msmsgs.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\Zt2\SVCH0ST.EXE
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Documents and Settings\leobb\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\userinit.exe,devgt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\Program Files\real\atloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\powerdvd\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\powerdvd\Language\Language.exe"
O4 - HKLM\..\Run: [adx.exe] D:\WINDOWS\System32\rundll32.exe D:\PROGRA~1\real\adx.dll,Rundll32
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [myZt2] D:\DOCUME~1\leobb\LOCALS~1\Temp\Zt2\SVCH0ST.EXE
O4 - Startup: Hyalo-ToDo by adni18.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: 使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 建立行動最愛 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: 建立行動最愛... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .TIF: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...RdxIE601_tw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159436673217
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA6F7AC-FF1D-4F8C-8F66-BB6CADE8F4AD}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

[MFDnSC]

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\userinit.exe,devgt.exe

O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\Program Files\real\atloader.dll

O4 - HKLM\..\Run: [adx.exe] D:\WINDOWS\System32\rundll32.exe D:\PROGRA~1\real\adx.dll,Rundll32

O4 - HKCU\..\Run: [myZt2] D:\DOCUME~1\leobb\LOCALS~1\Temp\Zt2\SVCH0ST.EXE

O4 - Startup: Hyalo-ToDo by adni18.lnk = ?

O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe (file missing)
=====================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

host Service For Windows

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

=====================
DownLoad http://www.downloads...org/KillBox.zip or
http://www.thespykil...les/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

D:\DOCUME~1\leobb\LOCALS~1\Temp\Zt2
D:\Program Files\real\atloader.dll
D:\PROGRA~1\real\adx.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system

[leobb]

Logfile of HijackThis v1.99.1
Scan saved at 8:44:06, on 24/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\devgt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\alg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\powerdvd\PDVDServ.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
D:\Program Files\Messenger\msmsgs.exe
D:\DOCUME~1\leobb\LOCALS~1\Temp\Zt2\SVCH0ST.EXE
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\leobb\Desktop\HijackThis.exe
D:\WINDOWS\system32\rundll32.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\userinit.exe,devgt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOHelper Class - {67A90DD5-128D-43AB-B97C-565D2DD42A28} - D:\PROGRA~1\real\atloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\powerdvd\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\powerdvd\Language\Language.exe"
O4 - HKLM\..\Run: [adx.exe] D:\PROGRA~1\real\adx.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [myZt2] D:\DOCUME~1\leobb\LOCALS~1\Temp\Zt2\SVCH0ST.EXE
O4 - Startup: Hyalo-ToDo by adni18.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: 使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 建立行動最愛 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: 建立行動最愛... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .TIF: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} (TRLuncherROC Control) - http://weblogin.tale...RLuncherROC.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...RdxIE601_tw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159436673217
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA6F7AC-FF1D-4F8C-8F66-BB6CADE8F4AD}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: host Service For Windows (mshostsr) - Unknown owner - D:\WINDOWS\mshostsr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

This my updated hjt log

[MFDnSC]

It does not appear you did any of post #8