• Announcements

    • LS.Andy

      Support for other products than adaware, ad block, web protection and Web Companion   05/05/2017

      Support for the following products is handled by the Lavasoft support team: Lavasoft Tuneup Kit Lavasoft PC Optimizer Lavasoft Driver Updater Lavasoft Registry Tuner Lavasoft Privacy Toolbox Lavasoft File Shredder Lavasoft Digital Lock

      For help with these products, contact the support team here: http://www.lavasoft.com/support/supportcenter/
       
Sign in to follow this  
Followers 0
asee82

Search-Daily.com Remove

29 posts in this topic

Hi, my browser keeps getting hijacked by this website Search-Daily.com whenever i click on a webpage after searching on Google. I have tried removing it with Adware and SpybotS&D but to no avail. Can you please help. Below is my hijackthis log. Thanks!

 

Logfile of HijackThis v1.99.1

Scan saved at 1:39:12 AM, on 11/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Fujitsu\updnavi\updnavi.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\igfxext.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSNotes2\Psn2.exe

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\PROGRA~1\3M\PSNotes2\PSNGive.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\PROGRA~1\3M\PSNotes2\PsnMSIME.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Program Files\Trend Micro\OfficeScan Client\temp\xpupg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Adrian See\Desktop\Downloads\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {44ACCF91-3A86-49AE-9C63-A80AD3CF09E4} - C:\WINDOWS\system32\hhsetu.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe

O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.118.43.106/activex/AxisCamControl.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Share this post


Link to post
Share on other sites

Hello.VagaBond_82 & Welcome

 

First it seems like your running three Anti-Virus scanners, If this is so why doing so will in no way make it any safer for the PC what it will do is slow down the PC and just start all types of problems. So please Uninstall all but the one that you feel works best for you and just make sure to keep it updated.

 

Also your running an outdated HijackThis, So please remove/uninstall the Ver you have now and install this new Ver.

 

Download HJTInstall.exe to your Desktop.

 

    Doubleclick HJTInstall.exe to install it.
    By default it will install to C:\Program Files\Trend Micro\HijackThis .
    Click on Install.
    It will create a HijackThis icon on the desktop.
    Once installed, it will launch HijackThis.
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    Save the log to a convenient location as you'll need to post it soon.
    Don't use the Analyse This button, its findings are dangerous if misinterpreted.
    Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

====================

 

Then before you come back here. Run this online scan for me and post it's results here along with the other logfiles.

 

Please perform this online scan: Kaspersky Webscan

Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.

Read the Requirements and Privacy statement, then select "Accept"

A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

Select "Install" to download the ActiveX controls that allows ActiveScan to run.

 

When the download is complete it will say ready, click "Next"

Select a target to scan: Click on "My Computer"

When the scan is complete choose to save the results as "Save as Text"

Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

 

Gogo

Share this post


Link to post
Share on other sites

Hi HJThis,

 

i ran the Kaspersky Webscan as you instructed but once it reached 100% (after almost 2hrs...) it showed an error in the bottom left of my browser and then restarted from the Terms and COnditions page. I can remember that it detected 9 viruses and about 26 infected file though before it restarted. Should i run it again?

 

Here's my log from the Hijackthis.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:47:00 AM, on 11/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

C:\WINDOWS\System32\igfxext.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Fujitsu\updnavi\updnavi.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\3M\PSNotes2\Psn2.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\PROGRA~1\3M\PSNotes2\PSNGive.exe

C:\PROGRA~1\3M\PSNotes2\PsnMSIME.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {44ACCF91-3A86-49AE-9C63-A80AD3CF09E4} - C:\WINDOWS\system32\hhsetu.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe

O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.118.43.106/activex/AxisCamControl.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

 

--

End of file - 9073 bytes

 

 

With regards to the antivirus programs, i only have 2 antiviruses, AVG and Trend. Can you advice me which is the 3rd one that i might have unwittingly installed?

 

Thanks a lot of your help HJThis!

 

Cheers!

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

First my bad I seen this here NORTON and was thinking you had three, But I will say two is just as bad as 3, 4, or 5, It will just start to slow down PC. And just give you all types of problems. Also it will not make you any safer. The best thing to do is Uninstall all but the one you like best then make sure to keep it updated.

 

 

Also I need to have a file looked at if you please.

 

Please submit the following files for analysis.

 

Jotti File Submission:

 

[*]Please go to Jotti's malware scan

[*]Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

[*]C:\WINDOWS\system32\hhsetu.dll

[*]Click on the submit button

[*]Please post the results in your next reply.

 

Please note that if you are submitting more than one file they will have to be entered one at a time.

 

 

And I see your using MessengerPlus3 I'm going to give you a link for info have a look.

 

http://inetexplorer.mvps.org/answers/43.html

 

======================

 

Please come back with the scan Results of the file above.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Hi HJThis,

 

i managed to run the Kaspersky scan successfully this time and here are the results :

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Wednesday, November 21, 2007 12:48:43 AM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 20/11/2007

Kaspersky Anti-Virus database records: 462293

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

E:\

 

Scan Statistics:

Total number of scanned objects: 79533

Number of viruses found: 9

Number of infected objects: 21

Number of suspicious objects: 0

Duration of the scan process: 01:24:22

 

Infected Object Name / Virus Name / Last Action

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\hhsetu.dll Infected: Trojan.Win32.BHO.yr skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\CSC000001 Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Adrian See\ntuser.dat Object is locked skipped

C:\Documents and Settings\Adrian See\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Adrian See\UserData\index.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\nsb5F.tmp\setup_superiorads.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\nsb5F.tmp\setup_superiorads.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\nsb5F.tmp\setup_superiorads.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\nsb5F.tmp\dcads40.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\nsb5F.tmp\dcads40.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\nsb5F.tmp\dcads40.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\aupd.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.ko skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\aupd.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ko skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\aupd.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF4925.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF1CBF.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF1CC6.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF9094.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF9193.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF1015.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temp\~DF10EA.tmp Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\History\History.IE5\MSHist012007112120071122\index.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Adrian See\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Adrian See\Desktop\Downloads\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped

C:\Documents and Settings\Adrian See\Desktop\Downloads\mirc617.exe mIRC: infected - 1 skipped

C:\Documents and Settings\Adrian See\Cookies\index.dat Object is locked skipped

C:\Program Files\Common Files\SearchUpgrader\SearchUpgrader_808.VIR Infected: Trojan-Downloader.Win32.Keenval.g skipped

C:\Program Files\Sygate\SPF\debug.log Object is locked skipped

C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped

C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped

C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped

C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped

C:\Program Files\3M\PSNotes2\PSNData Object is locked skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped

C:\System Volume Information\_restore{FC978B85-0ABB-49C2-84D4-8297EF98FB05}\RP549\A0191290.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped

C:\System Volume Information\_restore{FC978B85-0ABB-49C2-84D4-8297EF98FB05}\RP549\A0191290.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped

C:\System Volume Information\_restore{FC978B85-0ABB-49C2-84D4-8297EF98FB05}\RP549\A0191290.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{FC978B85-0ABB-49C2-84D4-8297EF98FB05}\RP551\change.log Object is locked skipped

C:\BackUpMSNCleaner\image28.zip.vir/image28-www.photobucket.com Infected: Backdoor.Win32.IRCBot.aov skipped

C:\BackUpMSNCleaner\image28.zip.vir ZIP: infected - 1 skipped

C:\BackUpMSNCleaner\image28.zip.vir CryptFF.b: infected - 1 skipped

C:\MIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.91 skipped

 

Scan process completed.

 

 

The Jotti Scan you requested is below :

 

Scan taken on 20 Nov 2007 16:58:12 (GMT)

A-Squared Found nothing

AntiVir Found TR/BHO.YR

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found Generic2.WTQ

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found Trojan.Iespy

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found Trojan.Win32.BHO.yr

Fortinet Found nothing

Ikarus Found Trojan-PWS.Win32.Lmir

Kaspersky Anti-Virus Found Trojan.Win32.BHO.yr

NOD32 Found probably a variant of Win32/Adware.BHO.NBI application (probable variant)

Norman Virus Control Found W32/BHO.AQQ

Panda Antivirus Found nothing

Rising Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

Last file scanned at least one scanner reported something about: ACDSee_Pro_2.0_build_219_Public_Beta.zip (MD5: eacfe0937d3aaf4201bd2bfadd552cae, size: 628148 bytes), detected by:

 

Scanner Malware name

A-Squared X

AntiVir X

ArcaVir X

Avast X

AVG Antivirus IRC/BackDoor.SdBot3.VPP

BitDefender Win32.Bagle.STK

ClamAV PUA.Packed.Themida

CPsecure X

Dr.Web Win32.HLLM.Beagle

F-Prot Antivirus X

F-Secure Anti-Virus Trojan-Downloader.Win32.Bagle.fx

Fortinet X

Ikarus Suspect code-parts

Kaspersky Anti-Virus Trojan-Downloader.Win32.Bagle.fx

NOD32 X

Norman Virus Control SDBot.gen8

Panda Antivirus X

Rising Antivirus X

Sophos Antivirus X

VirusBuster Trojan.DL.Bagle.QP

VBA32 X

 

 

Really appreciate your help! Thanks a lot!

 

Cheers!

VagaBond_82

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Did you have a look at the link for MessengerPlus3, If so may I have a new HijackThis logfile.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Hi HJThis,

 

as requested, i've uninstalled and reinstalled my MSN Messenger. Did not choose any optional stuff they wanted to install for me. Here's the log :

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10:33 AM, on 11/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Fujitsu\updnavi\updnavi.exe

C:\WINDOWS\System32\igfxext.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSNotes2\Psn2.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\PROGRA~1\3M\PSNotes2\PSNGive.exe

C:\PROGRA~1\3M\PSNotes2\PsnMSIME.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Windows Live\installer\WLSetupSvc.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {44ACCF91-3A86-49AE-9C63-A80AD3CF09E4} - C:\WINDOWS\system32\hhsetu.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe

O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.118.43.106/activex/AxisCamControl.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

 

--

End of file - 9397 bytes

 

 

Cheers!

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Nice work

 

Next please download the Killbox by Option^Explicit.

 

Note: In the event you already have Killbox, this is a new version that I need you to download.

 

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select:

o Delete on Reboot

o then Click on the All Files button.

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

 

C:\WINDOWS\system32\hhsetu.dll

 

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.

* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (just please let me know if you receive this message!).

 

If your computer does not restart automatically, please restart it manually.

 

 

P.S. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

 

 

========================

 

Then show me new HijackThis logfile.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Here you go, HJThis.

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:45:25 PM, on 11/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Fujitsu\updnavi\updnavi.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\System32\igfxext.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSNotes2\Psn2.exe

C:\PROGRA~1\3M\PSNotes2\PSNGive.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\PROGRA~1\3M\PSNotes2\PsnMSIME.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {44ACCF91-3A86-49AE-9C63-A80AD3CF09E4} - C:\WINDOWS\system32\hhsetu.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe

O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.118.43.106/activex/AxisCamControl.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

 

--

End of file - 9451 bytes

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Make sure you can view hidden files.

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

**These files are hidden to stop you accidentally removing something important.

It is advisable to hide them again after fixing your computer.**

 

=====================

 

Backup the Registry:

 

Navigate to Start | Run and paste the following:

 

regedit /e c:\registrybackup.reg

 

Now click OK

It won't appear to be doing anything, that's normal.

Your mouse pointer may turn to an hour glass for a minute.

Please continue when it no longer has the hour glass.

 

======================

 

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

( Do not copy the word quote)

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ACCF91-3A86-49AE-9C63-A80AD3CF09E4}]

 

Save this as fix.reg Choose to save as *all files and place it on your Desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

 

=====================

 

Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

 

O2 - BHO: (no name) - {44ACCF91-3A86-49AE-9C63-A80AD3CF09E4} - C:\WINDOWS\system32\hhsetu.dll

 

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Then exit Or Close HijackThis.

 

=====================

 

Reboot into safe mode. To do so, restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

 

=====================

 

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FILES (if present):

 

C:\WINDOWS\system32\hhsetu.dll<---This file

 

=====================

 

For Internet Explorer 7

    Click Start, click Control Panel, and then double-click Internet Options.
    On the General tab, click Delete... under Browsing History.
    Next to Temporary Internet Files, click Delete files, and then click OK.
    Next to Cookies, click Delete cookies, and then click OK.
    Next to History, click Delete history, and then click OK.
    Click the Close button.
    Click OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

 

======================

 

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c . Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.

 

 

Reboot to Normal mode.

 

Then run HijackThis again show me logfile. Also give me some feedback is PC! doing any better.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Hi HJThis,

 

i've followed your instructions but when i tried to delete the C:\windows\system32\hhsetu.dll from Windows Explorer i was unable to do so and a window appeared saying that Access is Denied. Pls advise. Thanks!

 

Cheers!

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

You did try this in Safe Mode right? and also Make sure you can view hidden files. As I had posted above anyways see if this may help. Now once in Safe Mode make sure to try this CTRL-ALT-DEL and kill any unknown programs, and processes, Then see if it will let you delete the file.

 

If no try this

 

Click Start >> Run >> Type CMD click Ok

 

del C:\windows\system32\hhsetu.dll

 

Give this a try let me know.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Hi HJThis,

 

yup i ran it in safe mode again and followed ur instructions to the letter.

I've also tried it in the CMD mode but it still says ACCESS IS DENIED. Pls advice.

 

Thanks!

 

Cheers!

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Hmm it's not playing nice for us A. Let's see if this tool may help.

 

Now download The Avenger

by Swandog46, and save it to your Desktop.

 

Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.

Check the 'Input script manually' box.

Click on the magnifying glass icon.

Copy everything in the Quote box below, and paste it in the box that opens:

 

Files to delete:

C:\windows\system32\hhsetu.dll

Now click the 'Done' button.

Click on the traffic light icon and OK the prompt.

You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt

 

Gogo :lol:

Share this post


Link to post
Share on other sites

Nope still not working. This is one nasty bug...

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\sjtgtsws

 

*******************

 

Script file located at: \??\C:\sqbfrcea.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

Could not open file C:\windows\system32\hhsetu.dll for deletion

Deletion of file C:\windows\system32\hhsetu.dll failed!

 

Could not process line:

C:\windows\system32\hhsetu.dll

Status: 0xc0000022

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

Cheers!

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Hmm I'm going to look up some info see why I can't kill this file. Please if I don't get back to you right away send me a PM it's all cool. I will get back to you on this.

 

Gogo :angry:

Share this post


Link to post
Share on other sites

Hey.VagaBond_82

 

Let's try and run a ComboFix, see what if anything may show up for us both.

 

Download ComboFix from Here or Here to your Desktop.

 

[*]Double click combofix.exe and follow the prompts.

[*]When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply

 

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

Gogo :angry:

Share this post


Link to post
Share on other sites

Hi HJTHis,

 

glad to hear from you again.

 

Here's the log from ComboFix :

 

ComboFix 07-11-19.4C - Adrian 2007-11-30 21:00:35.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.99 [GMT 8:00]

Running from: C:\Documents and Settings\Adrian See\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\Fonts\acrsecI.fon

C:\WINDOWS\system32\drivers\hcgzxkho.dat

C:\WINDOWS\system32\drivers\nomyesqy.dat

C:\WINDOWS\system32\hhsetu.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_UFQAWLED

-------\ufqawled

 

 

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))

.

 

2007-11-21 10:42 <DIR> d-------- C:\Program Files\Windows Live

2007-11-21 10:42 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller

2007-11-21 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2007-11-20 09:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-11-20 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-11-20 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

2007-11-09 14:05 <DIR> d-------- C:\Program Files\iPod

2007-11-09 01:56 104,960 --a------ C:\WINDOWS\system32\hhsetu.1

2007-10-18 11:31 51,224 --a------ C:\WINDOWS\system32\sirenacm.dll

2007-10-10 23:35 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2007-10-03 11:37 <DIR> d-------- C:\Program Files\iTunes

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-21 18:24 98,277,680 ----a-w C:\registrybackup.reg

2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe

2007-09-25 06:50 8,134,698 ----a-w C:\WINDOWS\Mammut Bouldering.SCR

2007-08-28 01:30 27,262,976 ----a-w C:\VIRTPART.DAT

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 15:56 C:\WINDOWS\system32\irprops.cpl]

"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-11-13 15:26]

"AGRSMMSG"="AGRSMMSG.exe" [2003-09-24 02:06 C:\WINDOWS\AGRSMMSG.exe]

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-06 02:16]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-16 21:19]

"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 09:37]

"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2003-08-21 09:29]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 14:19]

"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 16:33]

"FJUPDNV_Chitose"="C:\Program Files\Fujitsu\updnavi\updnavi.exe" [2004-02-19 07:34]

"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-05-18 18:09]

"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [1998-11-30 18:04]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"MessengerPlus3"="C:\Program Files\Messenger Plus! 3\MsgPlus.exe" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-23 01:49]

"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

National University of Singapore NUS-VPN Client.lnk - C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe [2004-07-22 22:35:23]

Post-itr Software Notes.lnk - C:\Program Files\3M\PSNotes2\Psn2.exe [2002-01-21 08:00:24]

HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:16:08]

DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-08-01 15:43:51]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

C:\WINDOWS\System32\LgNotify.dll 2004-03-03 16:48 110592 C:\WINDOWS\system32\LgNotify.dll

 

R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys

R2 CVPNDRV;National University of Singapore IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRV.sys

S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys

S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys

S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{733ae340-63ba-11dc-875f-000e352d21a5}]

\Shell\AutoRun\command - F:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{733ae341-63ba-11dc-875f-000e352d21a5}]

\Shell\AutoRun\command - F:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8297c1e0-e508-11db-863a-000e352d21a5}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e

\Shell\Open\command - Boot.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7c0f6e0-763c-11dc-879b-000e352d21a5}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

 

.

Contents of the 'Scheduled Tasks' folder

"2007-11-30 02:01:10 C:\WINDOWS\Tasks\User_Feed_Synchronization-{2BCB298F-2BB8-4BFE-9F06-7D2C8C79D733}.job"

- C:\WINDOWS\system32\msfeedssync.exe

"2007-11-12 09:36:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-30 21:23:38

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-11-30 21:25:14 - machine was rebooted

.

--- E O F ---

 

 

 

 

 

 

And here's the log from Hijack This :

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:26:27 PM, on 11/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

C:\WINDOWS\System32\hkcmd.exe

 

Thanks for the help!

 

VagaBond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Let's see

 

1. Close any open browsers.

 

2. Open notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use NotePad and nothing else.

 

File::

C:\WINDOWS\system32\hhsetu.1

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

CFScript.gif

 

Refering to the picture above, drag CFScript into ComboFix.exe

 

 

When finished, it will produce a log for you at "C:\ComboFix.txt"

 

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

 

Then come back here with both the HijackThis log and ComboFix.txt

 

 

Gogo :wub:

Share this post


Link to post
Share on other sites

Here's the logs you requested. I realise my browser is not getting hijacked by Search-Daily.com anymore...

 

ComboFix 07-11-19.4C - Adrian 2007-12-01 0:58:56.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT 8:00]

Running from: C:\Documents and Settings\Adrian See\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Adrian See\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\WINDOWS\system32\hhsetu.1

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\hhsetu.1

 

.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))

.

 

2007-11-23 01:06 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-11-23 01:06 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2007-11-22 02:23 98,277,680 --a------ C:\registrybackup.reg

2007-11-21 20:37 <DIR> d-------- C:\!KillBox

2007-11-21 10:42 <DIR> d-------- C:\Program Files\Windows Live

2007-11-21 10:42 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller

2007-11-21 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2007-11-20 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-11-20 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

2007-11-09 14:05 <DIR> d-------- C:\Program Files\iPod

2007-11-07 11:57 <DIR> d-------- C:\BackUpMSNCleaner

2007-10-18 11:31 51,224 --a------ C:\WINDOWS\system32\sirenacm.dll

2007-10-03 11:37 <DIR> d-------- C:\Program Files\iTunes

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll

2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe

2007-09-25 06:50 8,134,698 ----a-w C:\WINDOWS\Mammut Bouldering.SCR

2007-08-28 01:30 27,262,976 ----a-w C:\VIRTPART.DAT

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll

2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll

2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll

2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll

2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll

2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll

2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll

2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll

2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll

2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll

2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll

2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll

2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll

2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll

2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll

2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll

2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll

2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll

2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll

2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll

2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll

2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll

2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll

.

 

((((((((((((((((((((((((((((( [email protected]_21.24.55.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 15:56 C:\WINDOWS\system32\irprops.cpl]

"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-11-13 15:26]

"AGRSMMSG"="AGRSMMSG.exe" [2003-09-24 02:06 C:\WINDOWS\AGRSMMSG.exe]

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-06 02:16]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-16 21:19]

"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 09:37]

"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2003-08-21 09:29]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 14:19]

"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 16:33]

"FJUPDNV_Chitose"="C:\Program Files\Fujitsu\updnavi\updnavi.exe" [2004-02-19 07:34]

"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-05-18 18:09]

"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [1998-11-30 18:04]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"MessengerPlus3"="C:\Program Files\Messenger Plus! 3\MsgPlus.exe" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-23 01:49]

"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

National University of Singapore NUS-VPN Client.lnk - C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe [2004-07-22 22:35:23]

Post-itr Software Notes.lnk - C:\Program Files\3M\PSNotes2\Psn2.exe [2002-01-21 08:00:24]

HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:16:08]

DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-08-01 15:43:51]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

C:\WINDOWS\System32\LgNotify.dll 2004-03-03 16:48 110592 C:\WINDOWS\system32\LgNotify.dll

 

R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys

R2 CVPNDRV;National University of Singapore IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRV.sys

S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys

S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys

S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{733ae340-63ba-11dc-875f-000e352d21a5}]

\Shell\AutoRun\command - F:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{733ae341-63ba-11dc-875f-000e352d21a5}]

\Shell\AutoRun\command - F:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8297c1e0-e508-11db-863a-000e352d21a5}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e

\Shell\Open\command - Boot.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7c0f6e0-763c-11dc-879b-000e352d21a5}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

 

.

Contents of the 'Scheduled Tasks' folder

"2007-11-30 02:01:10 C:\WINDOWS\Tasks\User_Feed_Synchronization-{2BCB298F-2BB8-4BFE-9F06-7D2C8C79D733}.job"

- C:\WINDOWS\system32\msfeedssync.exe

"2007-11-12 09:36:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-01 01:01:14

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-01 1:01:39

C:\ComboFix2.txt ... 2007-11-30 21:25

.

--- E O F ---

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:04:56 AM, on 12/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Fujitsu\updnavi\updnavi.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINDOWS\System32\igfxext.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [indicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe

O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe

O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.118.43.106/activex/AxisCamControl.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

 

--

End of file - 9151 bytes

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Nice work it looks like you got it. But how is the PC, doing better.

 

Gogo ;)

Share this post


Link to post
Share on other sites

Hi HJThis,

 

everything seems fine and dandy now. After so many programs and scans finally i can google normally again. Thanks a lot for your help! Really appreciate the effort you put in! ;) Great job!!!

 

Cheers!

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Great if your not having any type of problems now,do this here please.

 

Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u It needs to be there.

 

The above procedure will:

 

* Delete the following:

o ComboFix and its associated files and folders.

o VundoFix backups, if present

o The C:\Deckard folder, if present

o The C:_OtMoveIt folder, if present

* Reset the clock settings.

* Hide file extensions, if required.

* Hide System/Hidden files, if required.

* Set a new, clean Restore Point.

 

========================

 

As for the Killbox tool and The Avenger you can go to were you Extract and delete the folders made. But again do this only if you feel there is no longer a problem with the PC.

 

========================

 

After take these last steps for me let me know how it goes.

 

 

Please take these following steps to help prevent reinfection:

 

1) Download and install Javacool's SpywareBlaster | # Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.

# Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.

# Restrict the actions of potentially unwanted sites in Internet Explorer.

 

 

2) Download IE-Spyad | works by importing a large file of registry entries into your registry.A tutorial on it can be found here

 

 

3) Go to Windows Update | Frequently Make sure to check for the latest updates.

 

 

4) All of these great programs will not do a thing for you. If none are kept updated. So please check all of them for the latest updates.

 

 

5) Please make it a point to have a look at. this great site, By the Master Miekiemoes.

miekiemoes Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

 

Regards

 

Gogo ;)

Share this post


Link to post
Share on other sites

Whoops...we got a bit of a problem....heheh i was overzealous in getting a clean laptop again that i went to delete all the programmes you told me to install. So i can't run the command now coz it says that ComboFix is not found... What should i do?

 

Vagabond

Share this post


Link to post
Share on other sites

Hi.VagaBond_82

 

Sorry my friend but I don't seem to follow what your saying. Did you go and try to delete the files, and you got files not found.?

 

Gogo ;)

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0