[fahrenheit33]

hi could anyone help me remove these malwares please. What is the first step i should do? thanks

[Advertisements]

Hello fahrenheit33 and Welcome to Geeks To Go!

* Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[Kenny94]

Hello fahrenheit33 and Welcome to Geeks To Go!

* Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[fahrenheit33]

Logfile of HijackThis v1.99.1
Scan saved at 1:29:11 PM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ?D?????? - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\qingyi\LOCALS~1\Temp\{FF073124-8B8F-41D0-A024-2FC90674FF0A}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\vision\vision.dll/mms.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ????ì¨ - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra 'Tools' menuitem: 2êE??áééè?? - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra button: D??￠?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: ò×è¤1o?? - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: ò×è¤1o?? - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQì?2ê1¤??ì?éè?? - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH] ?D??????
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2EF3C1-1805-4E92-9501-2518DFEB7BD8}: NameServer = 202.96.128.68,61.144.56.101
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O21 - SSODL: themeadp - {64274C93-3CE7-4663-9C8D-CD2DC8A3590B} - (no file)
O21 - SSODL: MediaCheck - {D1F73845-4BAB-4061-A46B-FCF7ECC19217} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[Kenny94]

Hello fahrenheit33

Yep, you have a chinese/Borlan infection and a few others infections as well. Before we move on.

I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:


* Open Hijackthis, In the lower right corner click the "Config..." (Configuration) button.
* Once in the "Configuration" panel, click "Misc Tools" button.
* Then click the "Open Uninstall Manager..." button.
* The "Add/Remove Programs Manager" panel should appear.
* In this panel click the "Save list" button.
* Save the "uninstall_list.txt" file to its default location.
* Then copy and paste the notepad text that appears in the generated "unistall_list.txt" file in a reply to this post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

[fahrenheit33]

hi kenny, thanks for helping me.well here is the HijackThis Uninstall List.

?áèèó°ò? 2.06.12.23
?D??????
±?·?ó°ò?
×?1a?′ò?ê?è?·¨3.0
ACDSee 6.0 PowerPack
Ad-Aware SE Personal
Adobe Reader 7.0.5 - Chinese Simplified
AVG Anti-Spyware 7.5
AVG Free Edition
Conexant AC-Link Audio
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Media Player Kuree
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.9)
Nero 6 Ultra Edition
QQ2006 Beta1
Quick Launch Buttons 5.10 B5
RealPlayer
Samsung MFP 560 Series
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Synaptics Pointing Device Driver
Tencent Media Player by Viewpoint
Texas Instruments PCIxx21/x515 drivers.
Vision Communicate
webwork
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Player (KB911564) °2è??üD?
Windows Media Player 6.4 (KB925398) °2è??üD?
Windows Media Player 9 (KB917734) °2è??üD?
Windows XP (KB923689) °2è??üD?
Windows XP ?üD? (KB894391)
Windows XP ?üD? (KB898461)
Windows XP ?üD? (KB900485)
Windows XP ?üD? (KB908531)
Windows XP ?üD? (KB910437)
Windows XP ?üD? (KB911280)
Windows XP ?üD? (KB916595)
Windows XP ?üD? (KB920872)
Windows XP ?üD? (KB922582)
Windows XP °2è??üD? (KB893756)
Windows XP °2è??üD? (KB896358)
Windows XP °2è??üD? (KB896423)
Windows XP °2è??üD? (KB896424)
Windows XP °2è??üD? (KB896428)
Windows XP °2è??üD? (KB899587)
Windows XP °2è??üD? (KB899591)
Windows XP °2è??üD? (KB900725)
Windows XP °2è??üD? (KB901017)
Windows XP °2è??üD? (KB901190)
Windows XP °2è??üD? (KB901214)
Windows XP °2è??üD? (KB902400)
Windows XP °2è??üD? (KB904706)
Windows XP °2è??üD? (KB905414)
Windows XP °2è??üD? (KB905749)
Windows XP °2è??üD? (KB908519)
Windows XP °2è??üD? (KB911562)
Windows XP °2è??üD? (KB911927)
Windows XP °2è??üD? (KB912919)
Windows XP °2è??üD? (KB913580)
Windows XP °2è??üD? (KB914388)
Windows XP °2è??üD? (KB914389)
Windows XP °2è??üD? (KB917344)
Windows XP °2è??üD? (KB917422)
Windows XP °2è??üD? (KB917953)
Windows XP °2è??üD? (KB918439)
Windows XP °2è??üD? (KB919007)
Windows XP °2è??üD? (KB920213)
Windows XP °2è??üD? (KB920670)
Windows XP °2è??üD? (KB920683)
Windows XP °2è??üD? (KB920685)
Windows XP °2è??üD? (KB921398)
Windows XP °2è??üD? (KB922616)
Windows XP °2è??üD? (KB922819)
Windows XP °2è??üD? (KB923191)
Windows XP °2è??üD? (KB923414)
Windows XP °2è??üD? (KB923694)
Windows XP °2è??üD? (KB923789)
Windows XP °2è??üD? (KB923980)
Windows XP °2è??üD? (KB924191)
Windows XP °2è??üD? (KB924270)
Windows XP °2è??üD? (KB924496)
Windows XP °2è??üD? (KB925454)
Windows XP °2è??üD? (KB925486)
Windows XP °2è??üD? (KB926255)
Windows XP DT213ìDò°ü - KB873339
Windows XP DT213ìDò°ü - KB885835
Windows XP DT213ìDò°ü - KB885836
Windows XP DT213ìDò°ü - KB886185
Windows XP DT213ìDò°ü - KB886677
Windows XP DT213ìDò°ü - KB887472
Windows XP DT213ìDò°ü - KB888302
Windows XP DT213ìDò°ü - KB890859
Windows XP DT213ìDò°ü - KB891781
WinRAR ?1?????t1üàí?÷
WinStdup
ZoneAlarm

[Kenny94]

Hello fahrenheit33

A lot of your entires are for translating Japanese/Chinese text in IE, Outlook and Word, do use this or someone else? Also do you recognizes these programs below:

?áèèó°ò? 2.06.12.23
?D??????
±?·?ó°ò?
×?1a?′ò?ê?è?·¨3.0
QQ2006 Beta1


For now let's do the following:

Please read "ALL" of the instructions before proceeding:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


Please download Boran Remover from one of the following places and save it to your Desktop:

• http://download.bleepingcomputer.com/sUBs/boran-remover.exe
• http://www.techsupportforum.com/sectools/boran-remover.exe

• Close all open windows.
• Double-click boran-remover.exe to start the tool.
• Your computer will reboot if an infection is found.
• If the tool is unable to neutralize the infection, it will reboot again for another attempt.
• When the tool is finished, it will save a log called boran.log in the boran-remover folder on your Desktop. Please include this log with your next post.

Update AVG AntiSpyware 7.5

• On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close AVG AntiSpyware, Do Not run a scan just yet

You will do that later in safe mode.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.(if present):

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: ?D?????? - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\vision\vision.dll/mms.htm
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra 'Tools' menuitem: 2êE??áééè?? - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra button: ò×è¤1o?? - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: ò×è¤1o?? - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQì?2ê1¤??ì?éè?? - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O21 - SSODL: themeadp - {64274C93-3CE7-4663-9C8D-CD2DC8A3590B} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

You will need to enable hidden files and folders by doing the following:
Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Vision Communicate
Tencent Media Player by Viewpoint
WinStdup

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\TENCENT
C:\Program\vision

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning proccess:

• Launch AVG AntiSpyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important)
• Close AVG AntiSpyware and reboot your system back into Normal Mode.

Reboot back to normal Windows.


In your next reply, please include these log(s):

* Boran.log
* AVG AntiSpyware contents
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

[fahrenheit33]

hi kenny, i cannot make out what the followings are either sorry.
?áèèó°ò? 2.06.12.23
?D??????
±?·?ó°ò?
×?1a?′ò?ê?è?·¨3.0
QQ2006 Beta1

I've done everything you've instructed me to do, however, i was unable to remove "Vision Communication" and "Winstdup" cause it required a confirmation code which i was not able to make out.

anyways, the malware "trojan.agent.abc" and "adware.boran" still pops out

the following are the boran.log, avg antispyware report and new hijackthis log.

Boran Remover by Deckard :: 2006-11-12 :: 27
----------------------------------------------------------------
Run by qingyi :: 03/01/2007 @ 19:19:01.39

Found C:\WINDOWS\system32\drivers\albus.sys
Found C:\WINDOWS\system32\stdupnet.dll

Rebooting...




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:46:25 PM 03/01/2007

+ Scan result:



C:\Program Files\Hijackthis\backups\backup-20070103-193444-538.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\vision\vision.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\vision\visver.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stdplay.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stdstub.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stdupnet.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stdvote.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cns.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cns.exe -> Adware.Cdn : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38928D50-8A48-44C2-945F-D2F23F771410} -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6671A431-5C3D-463D-A7CF-5587F9B7E191} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\themeadp.nls -> Adware.Themeadp : Cleaned with backup (quarantined).
:mozilla.116:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.160:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.151:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.152:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.88:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Adbrite : Cleaned.
:mozilla.89:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Adbrite : Cleaned.
:mozilla.120:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.171:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.104:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.83:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Hitbox : Cleaned.
:mozilla.84:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Hitbox : Cleaned.
:mozilla.10:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Overture : Cleaned.
:mozilla.185:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.186:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.187:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.188:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.189:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.94:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Starware : Cleaned.
:mozilla.95:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Starware : Cleaned.
:mozilla.96:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Starware : Cleaned.
:mozilla.97:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Starware : Cleaned.
:mozilla.132:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.133:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.101:C:\FOUND.001\FILE0009.CHK -> TrackingCookie.Targetnet : Cleaned.
:mozilla.28:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.29:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.34:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.36:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.37:C:\Documents and Settings\qingyi\Application Data\Mozilla\Firefox\Profiles\wy203uti.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\vision\alvsn.dll -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\000008c1.SYS -> Trojan.Agent.abc : Cleaned with backup (quarantined).
C:\WINDOWS\webwork\albus.dll -> Trojan.Agent.abc : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 9:08:22 PM, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ?D?????? - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\qingyi\LOCALS~1\Temp\{FF073124-8B8F-41D0-A024-2FC90674FF0A}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: >>彩信发送<< - res://C:\PROGRA~1\vision\vision.dll/mms.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ????ì¨ - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra 'Tools' menuitem: 2êE??áééè?? - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\vision\vision.dll
O9 - Extra button: D??￠?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH] ?D??????
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2EF3C1-1805-4E92-9501-2518DFEB7BD8}: NameServer = 202.96.128.68,61.144.56.101
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O21 - SSODL: themeadp - {64274C93-3CE7-4663-9C8D-CD2DC8A3590B} - (no file)
O21 - SSODL: MediaCheck - {D1F73845-4BAB-4061-A46B-FCF7ECC19217} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe






I continued ur steps eventhough i cannot remove "vision communicate" and "winstdup", are the steps after those steps useless?

Edited by fahrenheit33, 03 January 2007 - 11:09 PM.

[Kenny94]

Hello fahrenheit33

I've done everything you've instructed me to do, however, i was unable to remove "Vision Communication" and "Winstdup" cause it required a confirmation code which i was not able to make out.

Let's remove these in normal mode to get their confirmation code.

Please read "ALL" of the instructions before proceeding:

Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

Save it to the Desktop we'll use it in safe mode.

Open Notepad (Start > Run, type in: notepad)
Copy these instructions to Notepad, and save them to the Desktop for use in Safe Mode.


Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):
Vision Communicate
Tencent Media Player by Viewpoint
WinStdup
?áèèó°ò? 2.06.12.23
?D??????
±?·?ó°ò?
×?1a?′ò?ê?è?·¨3.0
QQ2006 Beta1

Note: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Then, reboot to Safe Mode as follows:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Now open Notepad that was saved.

Go to Start > Run and paste in the following:

"%userprofile%\desktop\combofix.exe" /wow

Note:
Do not mouse-click the CombofFix window while it is running. That may cause the program to stall.

When finished, ComboFix produces a log.

In your next reply, please include these log(s):


* ComboFix log
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

[fahrenheit33]

hey kenny, im at the step of removing programs from control panel. I uninstalled all the weird looking stuff, i think. There was no "tencent media player by viewpoint" and "winstdup." I got stuck on the confirmation code for "Vision communicate" again. the attachment is a pic of how the confirmation code looks like.

edit: ok somehow i can see the code now and i removed it.


ps: i see webwork in control panel add/remove, should i uninstall that too?

Edited by fahrenheit33, 04 January 2007 - 12:17 PM.

[Kenny94]

The attachment is not showing? Leave webwork there fahrenheit33. Try removing Vision communicate again if you can. And run ComboFix as in my previous post. Then post these logs:

* ComboFix
* HijackThis log (new)

[fahrenheit33]

hi kenny, i can open combofix at run, so i used brose that's ok right?
ok the following are the combofix log and new hijackthis log.

qingyi - 07-01-04 10:35:29.37 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\qingyi\桌面"

((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2007-01-03 13:28 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-02 09:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-01 21:43 <DIR> d---s---- C:\Documents and Settings\qingyi\UserData
2006-12-31 10:07 <DIR> d-------- C:\Documents and Settings\qingyi\Application Data\Help
2006-12-26 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Player
2006-12-24 23:08 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-12-23 23:54 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-23 23:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-23 23:54 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-23 22:38 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-13 19:17 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-13 19:17 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-13 19:17 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-13 19:17 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-13 19:17 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-13 19:17 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-13 19:17 <DIR> d-------- C:\Documents and Settings\qingyi\Application Data\AVG7
2006-12-13 19:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-13 08:57 <DIR> d-------- C:\Program Files\Panda Software
2006-12-12 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-12-06 15:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-06 15:47 <DIR> dr-h----- C:\Documents and Settings\qingyi\Recent
2006-12-04 10:54 <DIR> d-------- C:\WINDOWS\system32\NtmsData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-16 18:05 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-13 20:14 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-08 20:04 28672 --------- C:\WINDOWS\system32\drivers\000008c1.SYS
2006-11-07 21:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-19 17:37 705024 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 04:36 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:36 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:36 134144 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IMSCMig"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\IME\\IMSC40A\\IMSCMIG.EXE /Preload"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"stup.exe"="C:\\PROGRA~1\\TENCENT\\Adplus\\stup.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LanzarL2007"="\"C:\\DOCUME~1\\qingyi\\LOCALS~1\\Temp\\{FF073124-8B8F-41D0-A024-2FC90674FF0A}\\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\\..\\..\\L2007tmp\\Setup.exe\" /SETUP:\"/l0x0009\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="当前主页"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui 预加载程序"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="组件类别缓存程序"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"webwork"="{4C611512-2C1D-44b2-A044-872AD2AD5A61}"
"themeadp"="{64274C93-3CE7-4663-9C8D-CD2DC8A3590B}"
"MediaCheck"="{D1F73845-4BAB-4061-A46B-FCF7ECC19217}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qingyi^「开始」菜单^程序^启动^腾讯QQ.lnk]
"path"="C:\\Documents and Settings\\qingyi\\「开始」菜单\\程序\\启动\\腾讯QQ.lnk"
"backup"="C:\\WINDOWS\\pss\\腾讯QQ.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Tencent\\QQ\\QQ.exe "
"item"="腾讯QQ"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-04 10:35:57.06
C:\ComboFix.txt ... 07-01-04 10:35






Logfile of HijackThis v1.99.1
Scan saved at 10:37:04 AM, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ?D?????? - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\qingyi\LOCALS~1\Temp\{FF073124-8B8F-41D0-A024-2FC90674FF0A}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ????ì¨ - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: D??￠?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH] ?D??????
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2EF3C1-1805-4E92-9501-2518DFEB7BD8}: NameServer = 202.96.128.68,61.144.56.101
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O21 - SSODL: themeadp - {64274C93-3CE7-4663-9C8D-CD2DC8A3590B} - (no file)
O21 - SSODL: MediaCheck - {D1F73845-4BAB-4061-A46B-FCF7ECC19217} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[Kenny94]

Hello fahrenheit33

i can open combofix at run, so i used brose that's ok right?

I do not see the Command switches used :: /wow in the combofix.

Try combofix again this way. Let it replace the other one if asked.

Please download ComboFix and save it to your desktop.

IMPORTANT - Make sure the Combofix is saved to your desktop.

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /wow

When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

[fahrenheit33]

hi kenny,"%userprofile%\desktop\combofix.exe" /wow doesn't work for me so i replace desktop with a chinese version of it and it ran, hope it will help u. anyways ill put up combofix and hijackthis again.

qingyi - 07-01-04 11:33:59.23 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\qingyi\桌面"
Command switches used :: /wow

((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2007-01-03 13:28 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-02 09:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-01 21:43 <DIR> d---s---- C:\Documents and Settings\qingyi\UserData
2006-12-31 10:07 <DIR> d-------- C:\Documents and Settings\qingyi\Application Data\Help
2006-12-26 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Player
2006-12-24 23:08 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-12-23 23:54 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-23 23:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-23 23:54 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-23 22:38 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-13 19:17 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-13 19:17 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-13 19:17 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-13 19:17 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-13 19:17 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-13 19:17 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-13 19:17 <DIR> d-------- C:\Documents and Settings\qingyi\Application Data\AVG7
2006-12-13 19:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-13 08:57 <DIR> d-------- C:\Program Files\Panda Software
2006-12-12 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-12-06 15:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-06 15:47 <DIR> dr-h----- C:\Documents and Settings\qingyi\Recent
2006-12-04 10:54 <DIR> d-------- C:\WINDOWS\system32\NtmsData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-16 18:05 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-13 20:14 -------- d-------- C:\Program Files\Hewlett-Packard
2006-11-08 20:04 28672 --------- C:\WINDOWS\system32\drivers\000008c1.SYS
2006-11-07 21:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-19 17:37 705024 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 04:36 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:36 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:36 134144 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IMSCMig"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\IME\\IMSC40A\\IMSCMIG.EXE /Preload"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"stup.exe"="C:\\PROGRA~1\\TENCENT\\Adplus\\stup.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LanzarL2007"="\"C:\\DOCUME~1\\qingyi\\LOCALS~1\\Temp\\{FF073124-8B8F-41D0-A024-2FC90674FF0A}\\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\\..\\..\\L2007tmp\\Setup.exe\" /SETUP:\"/l0x0009\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="当前主页"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui 预加载程序"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="组件类别缓存程序"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"webwork"="{4C611512-2C1D-44b2-A044-872AD2AD5A61}"
"themeadp"="{64274C93-3CE7-4663-9C8D-CD2DC8A3590B}"
"MediaCheck"="{D1F73845-4BAB-4061-A46B-FCF7ECC19217}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^qingyi^「开始」菜单^程序^启动^腾讯QQ.lnk]
"path"="C:\\Documents and Settings\\qingyi\\「开始」菜单\\程序\\启动\\腾讯QQ.lnk"
"backup"="C:\\WINDOWS\\pss\\腾讯QQ.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Tencent\\QQ\\QQ.exe "
"item"="腾讯QQ"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-04 11:34:26.64
C:\ComboFix2.txt ... 07-01-04 10:35
C:\ComboFix.txt ... 07-01-04 11:34





Logfile of HijackThis v1.99.1
Scan saved at 11:35:16 AM, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ?D?????? - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\qingyi\LOCALS~1\Temp\{FF073124-8B8F-41D0-A024-2FC90674FF0A}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ????ì¨ - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: D??￠?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH] ?D??????
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2EF3C1-1805-4E92-9501-2518DFEB7BD8}: NameServer = 202.96.128.68,61.144.56.101
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O21 - SSODL: themeadp - {64274C93-3CE7-4663-9C8D-CD2DC8A3590B} - (no file)
O21 - SSODL: MediaCheck - {D1F73845-4BAB-4061-A46B-FCF7ECC19217} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[Kenny94]

Hello fahrenheit33

We were wonder if your computer/Windows is in full english version? Most of the infections are gone, but we still have a few left. We can remove webwork now, and we still have TENCENT to deal with. I know you mention that you could not find it.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.(if present):

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O2 - BHO: ?D?????? - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll (file missing)
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2EF3C1-1805-4E92-9501-2518DFEB7BD8}: NameServer = 202.96.128.68,61.144.56.101
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):
TENCENT
webwork

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\TENCENT <----folder
C:\WINDOWS\webwork <----- folder

If need to. Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" to help find the file path of these folders location.

Reboot back to normal Windows.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next reply, please include these log(s):

*ActiveScan report
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

[fahrenheit33]

hey kenny, i got stuck on removing webwork in safe mode and i can't find tencent at add/remove. Here is the picture that i got stuck on.
http://i32.photobuck...ogy/webwork.jpg

should i skip those steps and continue?