Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[bleep], again.

Started by yafim , Dec 12 2005 11:03 PM

  • Please log in to reply

#1
yafim
Posted 12 December 2005 - 11:03 PM

yafim

    Member

  • Member
  • PipPipPip
  • 116 posts
I had some trouble with spyware a few weeks ago and now i got some more from a bad link i thought was good. Last time i reformatted my comp, but this time i had antivirus on and i think i can remove all of it with your help, w/o needing reformat.

This is a hijack log so you'll see what's going on now in my comp, advice will be greatly appriciated.

--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:02:20 AM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINXP\system32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\System32\igfxtray.exe
C:\WINXP\System32\hkcmd.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINXP\system32\paytime.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINXP\system32\paytime.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINXP\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fima\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKLM\..\Run: [winsync] C:\WINXP\system32\waqkyr.exe reg_run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133033415875
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINXP\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--------------------------------------------------
  • 0

Advertisements

#2
yafim
Posted 17 December 2005 - 10:27 AM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
Can you help me plz? i'v posted this a while back, i need to clean my comp fast before something else might happen.

tnx
  • 0

#3
FZWG
Posted 21 December 2005 - 12:12 PM

FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
Apologies for the delay in responding.

The workload at this forum is intense, and sometimes it is not possible to respond to every inquiry.

If you still suspect having malware related problems, it is best to have the latest 'picture' of your PC.

Please run HijackThis again, and, making sure all windows and browsers are closed, Scan.
Do not fix any of the entries reported. Just post the new log to this thread by using the Add Reply button.

I will be notified of your reply, and will be glad to assist you.

Thank you.
  • 0

#4
yafim
Posted 21 December 2005 - 12:34 PM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:33:55 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINXP\System32\igfxtray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Fima\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKLM\..\Run: [winsync] C:\WINXP\system32\waqkyr.exe reg_run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133033415875
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINXP\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#5
FZWG
Posted 21 December 2005 - 07:05 PM

FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
Some nasties on the log…

Please create a folder on the Desktop (Right click, select New>Folder)
Name it: EWIDO
Download Ewido Security Suite:
http://www.ewido.net/en/download/
Press: Download Now
In the folder where EWIDO is located, double click the EWIDO Setup file
Follow the prompts and reboot when done.

Now, go to Start>All Programs>EWIDO
Select: Security Suite

When the program starts, do an online update for the latest signature files
An Update Successful prompt appears when done
Exit EWIDO

Now, reboot to Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Run EWIDO.
Click on the Scanner button in the left menu
Next, click on: Complete System Scan

The scan may find malware entries and request action to clean up. Agree.
However, if EWIDO finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check: Perform action with all infections. If you are unsure of an entry, select None as the action for the time being.

Once the scan has completed, click: Save Report
Save the report to the EWIDO folder

Next, run HijackThis, Scan
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

O4 - HKLM\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKLM\..\Run: [winsync] C:\WINXP\system32\waqkyr.exe reg_run
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
The program above, Spyware Cleaner, is of questionable value as anti-spyware protection. Removal is recommended. It is best to rely on programs with deserved reputations for quality performance. Will provide some suggestions when we wrap up.

Select: Fix Checked

Next, go to Start > Control Panel > Add/Remove Programs, select the following, and click Remove:
Spyware Cleaner
If not found in Add/Remove Programs, go to Start > All Programs > Spyware Cleaner, and select: Uninstall

Search for and delete the following folders (bold):
C:\Program Files\Common Files\VCClient
C:\Program Files\Spyware Cleaner

Search for and delete the following files (bold):
C:\WINXP\system32\paytime.exe
C:\WINXP\system32\waqkyr.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Reboot to normal Windows.

Run HijackThis, Scan, and post a new log along with the EWIDO report.
  • 0

#6
yafim
Posted 22 December 2005 - 10:04 AM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
ok, i dl'ed ewido, updated and all, and then i tried to restart. in the startup window i could choose from 3 safe modes:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

I naturally chose the first option but then instead of bringing me to my user in safe mode, it brought me to the Administrator only, meaning i couldn't enter my own user. so i entered the admin, ( screen was 640X840 i think, normal? ) and then in the admin i tried getting back on this page to see what to do next, but the internet wasn't operational, i guess it's part of safe mode, so should i choose another safe mode option? print out the instructions? and why can't i log in safe mode into my own user?

tnx
  • 0

#7
FZWG
Posted 22 December 2005 - 08:28 PM

FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
You need to select the option for just Safe Mode using the arrow keys, like you did.
Do print the instructions before continuing, since this link will not be available in Safe Mode.
Sorry, took that for granted.

To my understanding, the Administrator account, and all Administrator type accounts show up in Safe Mode.

Go to Start > Control Panel, and 2x click User Accounts
Select the account you normally use
Does it say: Whatever your account name is, and underneath it, Computer Administrator, or, does it say something else other than Computer Administrator?

Are you running Windows XP Home, or XP Pro?
  • 0

#8
yafim
Posted 23 December 2005 - 08:10 AM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
I'm running XpPro, and my user is a comp administrator, but the guy who installed the system made another admin user, that doesn't show up. but if the instructions work after i print them out, i don't think the user issue will be a problem.
i'll get back to you on how i did.
  • 0

#9
yafim
Posted 23 December 2005 - 08:53 AM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
EWIDO report from Safe Mode:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:36:43 PM, 12/23/2005
+ Report-Checksum: C34F558A

+ Scan result:

C:\WINXP\system32\epsaqpo.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\WINXP\system32\fmqlg.dll -> Downloader.Small : Cleaned with backup
C:\WINXP\country.exe -> Trojan.Small : Cleaned with backup
C:\WINXP\tool1.exe -> Trojan.Small : Cleaned with backup
C:\WINXP\tool4.exe -> Trojan.Small : Cleaned with backup
C:\WINXP\tool5.exe -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Fima\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Fima\Application Data\Mozilla\Firefox\Profiles\hmzt2nkq.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.a : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\System Volume Information\_restore{E0D3F467-57F5-43F3-956D-3D0027F0CEC7}\RP50\A0014896.exe -> Downloader.Qoologic.at : Cleaned with backup


::Report End



I tried deleting the entries you asked on hijackthis in safe mode, but in safe mode the window of the items only shows the list of items, but w/o any option buttons, meaning i can't click "fix checked" because it's not there...
Plus, i ran a search on all the files and folders you wanted me to delete, and besides "VCClient" folder, the search didn't find any of the others.

Here is a hijack this log from normal mode after i changed back to it:
Logfile of HijackThis v1.99.1
Scan saved at 4:51:46 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\igfxtray.exe
C:\WINXP\System32\hkcmd.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINXP\system32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\system32\wuauclt.exe
C:\Documents and Settings\Fima\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKLM\..\Run: [winsync] C:\WINXP\system32\waqkyr.exe reg_run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133033415875
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINXP\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Oh, btw, the hijack scan in safe mode showed a list of items, but every item that starts with "# - HKCU" and not "# - HKLM" didn't show up...
next steps?
  • 0

#10
FZWG
Posted 24 December 2005 - 09:29 PM

FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
Let's go this route:

Run HijackThis, Scan
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

O4 - HKLM\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)

Select: Fix Checked

Next, enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
Click OK

Go to Start > Control Panel > Add/Remove Programs, select the following, and click Remove:
Spyware Cleaner
If not found in Add/Remove Programs, go to Start > All Programs > Spyware Cleaner, and select: Uninstall

Search for and delete the following folders (bold):
C:\Program Files\Common Files\VCClient
C:\Program Files\Spyware Cleaner

Search for and delete the following files (bold):
C:\WINXP\system32\paytime.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Reboot.

Close Internet Explorer
Go to Start > Control Panel
Double-click: Internet Options
In the Internet Properties window, click the Programs tab
Click: Reset Web Settings
Select: Also reset my home page.
Click Yes.
Click OK.

Next, download TrackQoo
Save it to the Desktop
Double click on Track qoo.vbs

Allow the entire script to Run, it is harmless.

When done, Notepad shows up with the results.

Provide the TrackQoo results in your response along with a new HijackThis log.

Edited by FZWG, 24 December 2005 - 09:40 PM.

  • 0

#11
yafim
Posted 31 December 2005 - 12:43 PM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
TrackQoo results:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\\WINXP\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINXP\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINXP\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINXP\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINXP\\System32\\hkcmd.exe"
"SoundMan"="SOUNDMAN.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"ICQ Lite"="D:\\PROGRAMS\\ICQ\\ICQLite\\ICQLite.exe -minimize"
"StormCodec_Helper"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"winsync"="C:\\WINXP\\system32\\waqkyr.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\context.dll

Subkey --- fysqgtnn
{e2092b69-f9c1-4b9b-829d-99e26c8df56f}
C:\WINXP\system32\fmqlg.dll

Subkey --- ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654}
D:\PROGRAMS\ICQ\ICQLite\ICQLiteShell.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINXP\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINXP\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINXP\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
D:\Winamp etc\WinRar\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINXP\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINXP\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINXP\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINXP\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINXP\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Symantec Fax Starter Edition Port.lnk
==============================
C:\Documents and Settings\Fima\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Symantec Fax Starter Edition Port.lnk
desktop.ini
==============================
C:\WINXP\system32 cpl files


wuaucpl.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
appwiz.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
access.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
ALSNDMGR.CPL Avance Logic, Inc.
wscui.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation


----------------------
Hijack Log (new):
-----------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:41:51 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\igfxtray.exe
C:\WINXP\System32\hkcmd.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINXP\system32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fima\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINXP\system32\waqkyr.exe reg_run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133033415875
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINXP\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Fima\Desktop\New Folder\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


About the searches for the files and folders, i didn't find anything. Should I reset the folder viewing settings to the way they were before?

tnx
  • 0

#12
FZWG
Posted 31 December 2005 - 08:37 PM

FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
We’ll restore the viewing of hidden files and folders when we are done.

Need to remove some entries…

Please download Killbox:
http://www.downloads...org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Double-click on the red circle with white X to run it.

At the main screen of KillBox, select the option: Delete on Reboot
Then, in the Full Path of File to Delete box copy/paste the following entry:

C:\WINXP\system32\waqkyr.exe

Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [winsync] C:\WINXP\system32\waqkyr.exe reg_run

O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)

Select: Fix Checked

Reboot once again.

Run HijackThis, Scan, and post a new log.
  • 0

#13
yafim
Posted 01 January 2006 - 01:33 AM

yafim

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
HIJACK LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:38 AM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\igfxtray.exe
C:\WINXP\System32\hkcmd.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINXP\system32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINXP\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fima\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\PROGRAMS\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133033415875
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINXP\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINXP\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#14
FZWG
Posted 01 January 2006 - 05:49 PM

FZWG

    Visiting Staff

  • Member
  • PipPipPip
  • 145 posts
The following entries are pretty stubborn. They may have some Chinese in them, and therefore the odd characters. Not much info on them, however, what is found leads to malware, or to some type of shopping website? Could that be the case?

O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)

If you did not install these entries, please try the following to remove them:


Launch Notepad, (Start>Programs>Accessories>Notepad)
Copy/paste all the bold REGEDIT below to it

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}]

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: exten.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the exten.reg file just saved and click on Yes when asked to merge the information into the Registry.

Then, run HijackThis, Scan, and post a new log.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP