HJT Log - Unable to successfully remove a spyware
   

dohjai
New Member


Date Joined Jan 2007
Total Posts : 9
 
Posted 1-4-2007 2:57 (GMT +1)
Hi guys, I've got this spyware on my PC for the past couple of weeks that I'm unable to get rid of. I've scanned for viruses with NIS 2007 and I've used Ad-aware, Spybot S&D, Webroot Spy Sweeper, A-squared, Ewido online scan, and it's still stuck in my PC. I think it's related to the line O4 - HKCU\..\Run: [funk iso] F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe. I've manually removed it and also with the tools, and it keeps coming back after a reboot. Also, I have two IEXPLORE.EXE (in caps) running in the background that keep coming back even if I kill the process. Ads will pop up if I use IE, but Firefox is fine. Please kindly help me clean this thing. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 9:44:52 PM, on 1/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
F:\Program Files\Analog Devices\SoundMAX\Smax4.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\a-squared Anti-Malware\a2guard.exe
F:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
f:\progra~1\intern~1\iexplore.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Common Files\Teleca Shared\Generic.exe
F:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
F:\Program Files\MSN Messenger\usnsvc.exe
F:\WINDOWS\system32\conime.exe
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\dohjai\LOCALS~1\Temp\Rar$EX01.328\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Powermarks - {6172E460-FAE3-11D2-B494-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Powermarks - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "F:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [a-squared] "F:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [funk iso] F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Advanced URL Catalog - {00954C80-AC0F-11d3-B17C-00C0DFE39736} - F:\Program Files\Advanced URL Catalog\Advanced URL Catalog.exe
O9 - Extra 'Tools' menuitem: Advanced URL Catalog - {00954C80-AC0F-11d3-B17C-00C0DFE39736} - F:\Program Files\Advanced URL Catalog\Advanced URL Catalog.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
O16 - DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} (AcQVPlayer Control) - http://sanstream.dtc.co.jp/cab/AcQVPlayerX.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4D7E6AA-FBAF-4AF8-B20E-79E9B8A74C7A}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - F:\Program Files\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
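To show what a helper actually looks for in the O4 lines of a log like the one above, here is an added example (not part of this thread, nor of HijackThis or NoLop): it parses O4 Run entries, flags ones that launch from a user profile's Application Data or carry a random-word value name such as "funk iso", and compares two logs to report which entries survived a cleanup. The sample logs are constructed from the O4 lines in this thread, and the heuristics are this example's own.

```python
"""Triage of HijackThis O4 (Run key) lines. Example code for this thread;
the sample logs are constructed from the thread's O4 lines and the
heuristics below are this example's own, not HijackThis' or NoLop's."""
import re
from typing import Dict, List, NamedTuple, Optional

# "O4 - HKCU\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# The first token ending in an executable-style extension is the program;
# this also copes with unquoted paths containing spaces ("plus user.exe").
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|pif|cpl|dll))"?', re.IGNORECASE)
# A per-user Application Data folder, in 8.3 short form or long form.
USER_APPDATA_RE = re.compile(
    r"\\(?:DOCUME~1|DOCUMENTS AND SETTINGS)\\[^\\]+\\(?:APPLIC~1|APPLICATION DATA)\\"
)
# Lop-style value names in this thread ("funk iso") are random lowercase
# words separated by spaces, unlike vendor names such as "SunJavaUpdateSched".
RANDOM_WORDS_RE = re.compile(r"^[a-z]+(?: [a-z]+)+$")


class RunEntry(NamedTuple):
    hive: str           # HKLM or HKCU
    key: str            # Run, RunOnce, ...
    name: str           # registry value name shown in [brackets]
    command: str        # full command line as logged
    exe: Optional[str]  # program path extracted from the command


def parse_o4(log_text: str) -> List[RunEntry]:
    """Return every O4 line of a HijackThis log as a RunEntry (other lines are skipped)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe_match = EXE_RE.match(command)
        exe = exe_match.group(1) if exe_match else None
        entries.append(RunEntry(hive, key, name, command, exe))
    return entries


def suspicious_reasons(entry: RunEntry) -> List[str]:
    """Heuristic reasons (this example's own) why a Run entry deserves a closer look."""
    reasons = []
    if entry.exe and USER_APPDATA_RE.search(entry.exe.upper()):
        reasons.append("program runs from a user profile's Application Data")
    if RANDOM_WORDS_RE.match(entry.name):
        reasons.append("value name looks like random dictionary words")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; unremarkable entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_o4(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


def compare_runs(before: str, after: str) -> Dict[str, List[str]]:
    """Which Run value names survived between two logs, and which disappeared."""
    before_names = [e.name for e in parse_o4(before)]
    after_names = {e.name for e in parse_o4(after)}
    return {
        "persisted": [n for n in before_names if n in after_names],
        "removed": [n for n in before_names if n not in after_names],
    }


# Constructed sample: a subset of the O4 section of the first log in the thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [funk iso] F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe
O2 - BHO: Powermarks - {6172E460-FAE3-11D2-B494-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
"""
# Constructed sample: the same subset from the log posted after the NoLop run.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [funk iso] F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe
"""

if __name__ == "__main__":
    for name, reasons in triage(LOG_BEFORE).items():
        print(f"[{name}] -> {'; '.join(reasons)}")
    print(compare_runs(LOG_BEFORE, LOG_AFTER))
```

A persisting flagged entry after a reboot and a cleanup run is the signal the thread's moderator acts on: it points at the folder the loader lives in, not just at the Run value itself.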
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-4-2007 3:32 (GMT +1)
Hi dohjai
 
 
It looks like you've got a Lop infection -
 
Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
 
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it

Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.

A message should pop up from NoLop. If not, double-click the program again and it will finish. Please post the contents of C:\NoLop.log along with a new HijackThis log.

----------------------------------------------------------------------- 
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --
http://www.ascentive.com/support/new/support_dll.phtml?dllname=MSCOMCTL.OCX


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
Do not PM me with logfiles. They will be deleted.
 
 

 

dohjai
New Member


Date Joined Jan 2007
Total Posts : 9
 
Posted 1-4-2007 4:29 (GMT +1)
Thanks for your reply! I've attached the NoLop log and the new HJT log. I do recall that one of the scans with the previous tools I used did remove a LOP spyware. Also, I notice that F:\Documents and Settings\Dohjai\Application Data\Bind Site Dart still contains the files gwbxijie.exe, plus user.exe, Wipeskip2.exe, and a hidden system file named 233D05DB (no extension). Can I manually remove this directory? After scanning and cleaning with NoLop!, and rebooting, the 2 IEXPLORE.EXE processes are still running in the background. Hope there's a way to clean this without having to format the hdd. Thanks!

NoLop! Log by Skate_Punk_21

Fix running from: F:\Program Files\Mozilla Firefox
[1/4/2007]
[11:13:23 PM]

---Infection Files Found/Removed---
F:\WINDOWS\tasks\BB0376CA964D17CE.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

F:\Documents and Settings\All Users\Application Data\Adobe
F:\Documents and Settings\All Users\Application Data\Apple Computer
F:\Documents and Settings\All Users\Application Data\Cyberlink
F:\Documents and Settings\All Users\Application Data\Hdd Thermometer
F:\Documents and Settings\All Users\Application Data\Microsoft
F:\Documents and Settings\All Users\Application Data\Save Bash Lies Intra
F:\Documents and Settings\All Users\Application Data\Sony Ericsson
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
F:\Documents and Settings\All Users\Application Data\Symantec
F:\Documents and Settings\All Users\Application Data\Teleca
F:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
F:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
F:\Documents and Settings\Default User\Application Data\Microsoft
F:\Documents and Settings\Dohjai\Application Data\Adobe
F:\Documents and Settings\Dohjai\Application Data\Adobeum
F:\Documents and Settings\Dohjai\Application Data\Ahead
F:\Documents and Settings\Dohjai\Application Data\Aignes
F:\Documents and Settings\Dohjai\Application Data\Apple Computer
F:\Documents and Settings\Dohjai\Application Data\Ati -- EMPTY Directory
F:\Documents and Settings\Dohjai\Application Data\Bind Site Dart
F:\Documents and Settings\Dohjai\Application Data\Cyberlink
F:\Documents and Settings\Dohjai\Application Data\Google
F:\Documents and Settings\Dohjai\Application Data\Hdd Thermometer
F:\Documents and Settings\Dohjai\Application Data\Help -- EMPTY Directory
F:\Documents and Settings\Dohjai\Application Data\Icaclient
F:\Documents and Settings\Dohjai\Application Data\Icqlite
F:\Documents and Settings\Dohjai\Application Data\Identities
F:\Documents and Settings\Dohjai\Application Data\Juniper Networks
F:\Documents and Settings\Dohjai\Application Data\Lavasoft
F:\Documents and Settings\Dohjai\Application Data\Logitech
F:\Documents and Settings\Dohjai\Application Data\Macromedia
F:\Documents and Settings\Dohjai\Application Data\Media Player Classic
F:\Documents and Settings\Dohjai\Application Data\Microsoft
F:\Documents and Settings\Dohjai\Application Data\Mozilla
F:\Documents and Settings\Dohjai\Application Data\Nch Swift Sound
F:\Documents and Settings\Dohjai\Application Data\Pc Tools
F:\Documents and Settings\Dohjai\Application Data\Powermarks
F:\Documents and Settings\Dohjai\Application Data\Ppstream
F:\Documents and Settings\Dohjai\Application Data\Real
F:\Documents and Settings\Dohjai\Application Data\Smartftp
F:\Documents and Settings\Dohjai\Application Data\Sun
F:\Documents and Settings\Dohjai\Application Data\Symantec
F:\Documents and Settings\Dohjai\Application Data\Talkback
F:\Documents and Settings\Dohjai\Application Data\Teleca
F:\Documents and Settings\Dohjai\Application Data\Terria Development
F:\Documents and Settings\Dohjai\Application Data\Tunebite -- EMPTY Directory
F:\Documents and Settings\Dohjai\Application Data\Webroot
F:\Documents and Settings\Dohjai\Application Data\Wholesecurity
F:\Documents and Settings\Localservice\Application Data\Microsoft
F:\Documents and Settings\Localservice\Application Data\Webroot
F:\Documents and Settings\Networkservice\Application Data\Microsoft
F:\Documents and Settings\Networkservice\Application Data\Webroot

--------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:27:44 PM, on 1/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\conime.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
F:\Program Files\Analog Devices\SoundMAX\Smax4.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
F:\WINDOWS\system32\ctfmon.exe
f:\progra~1\intern~1\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Common Files\Teleca Shared\Generic.exe
F:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\dohjai\LOCALS~1\Temp\Rar$EX03.828\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Powermarks - {6172E460-FAE3-11D2-B494-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Powermarks - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "F:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [a-squared] "F:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [funk iso] F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Advanced URL Catalog - {00954C80-AC0F-11d3-B17C-00C0DFE39736} - F:\Program Files\Advanced URL Catalog\Advanced URL Catalog.exe
O9 - Extra 'Tools' menuitem: Advanced URL Catalog - {00954C80-AC0F-11d3-B17C-00C0DFE39736} - F:\Program Files\Advanced URL Catalog\Advanced URL Catalog.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
O16 - DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} (AcQVPlayer Control) - http://sanstream.dtc.co.jp/cab/AcQVPlayerX.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4D7E6AA-FBAF-4AF8-B20E-79E9B8A74C7A}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - F:\Program Files\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-4-2007 5:46 (GMT +1)
You should get rid of them after this fix -
 
Please download the free trial of Superantispyware.
 
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)
Close the program.
 
 
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
 
 
 
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked.
O4 - HKCU\..\Run: [funk iso] F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe
 
 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.
 
 
 
Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
 
 
Delete the following files or folders (delete item in bold). Please do not be concerned if
any of the items are not found as they may have been automatically removed by actions I had
you take earlier in the cleaning process.
 
 
 
Folders:
F:\DOCUME~1\dohjai\APPLIC~1\BINDSI~1\plus user.exe
F:\Documents and Settings\All Users\Application Data\Save Bash Lies Intra
 
 
 
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
 
 
 
 
 
Start Superantispyware / right-click on the black/yellow bug in the tray.
 
Hit - Scan Your Computer - button
 
Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next
 
It will scan now. When the scan has finished, put a checkmark next to all items it found. Next, after cleaning, let it reboot.
 
 
 
Start Superantispyware again –
Click Preferences and then click the statistics/logs tab.
Click the dated log and press view log and a text file will appear.
 
 
 
Post this log along with a fresh HijackThis log and tell how things are running.


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
Do not PM me with logfiles. They will be deleted.
 
 

 

dohjai
New Member


Date Joined Jan 2007
Total Posts : 9
 
Posted 1-5-2007 6:29 (GMT +1)
Thanks for your help. Please see the logs below and let me know if there is anything else that needs to be cleaned up. Thanks again.

Generated 01/06/2007 at 01:04 AM

Application Version : 3.4.1000

Core Rules Database Version : 3159
Trace Rules Database Version: 1172

Scan type : Complete Scan
Total Scan Time : 01:41:48

Memory items scanned : 179
Memory threats detected : 0
Registry items scanned : 6714
Registry threats detected : 0
File items scanned : 62078
File threats detected : 11

Adware.Tracking Cookie
D:\Documents and Settings\doh\Cookies\doh@ad.hinet.txt
D:\Documents and Settings\doh\Cookies\doh@adimages.sina.com.txt
D:\Documents and Settings\doh\Cookies\doh@ads.infos-du-net.txt
D:\Documents and Settings\doh\Cookies\doh@ads.thestar.txt
D:\Documents and Settings\doh\Cookies\doh@atwola.txt
D:\Documents and Settings\doh\Cookies\doh@birta.stats.txt
D:\Documents and Settings\doh\Cookies\doh@macromedia.txt
D:\Documents and Settings\doh\Cookies\doh@realmedia.co.txt
D:\Documents and Settings\doh\Cookies\doh@windowsmedia.txt
D:\Documents and Settings\doh\Cookies\doh@www.ticketsnow2.txt
D:\Documents and Settings\doh\Cookies\doh@xiti.txt

--------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:25:25 AM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wdfmgr.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
F:\Program Files\Analog Devices\SoundMAX\Smax4.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\a-squared Anti-Malware\a2guard.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Common Files\Teleca Shared\Generic.exe
F:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\DOCUME~1\dohjai\LOCALS~1\Temp\Rar$EX00.969\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Powermarks - {6172E460-FAE3-11D2-B494-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Powermarks - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - F:\PROGRA~1\POWERM~1.5\iec.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "F:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [a-squared] "F:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Advanced URL Catalog - {00954C80-AC0F-11d3-B17C-00C0DFE39736} - F:\Program Files\Advanced URL Catalog\Advanced URL Catalog.exe
O9 - Extra 'Tools' menuitem: Advanced URL Catalog - {00954C80-AC0F-11d3-B17C-00C0DFE39736} - F:\Program Files\Advanced URL Catalog\Advanced URL Catalog.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
O16 - DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} (AcQVPlayer Control) - http://sanstream.dtc.co.jp/cab/AcQVPlayerX.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4D7E6AA-FBAF-4AF8-B20E-79E9B8A74C7A}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - F:\Program Files\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-6-2007 7:21 (GMT +1)
It looks clean to me. How are things running?


 

dohjai
New Member


Date Joined Jan 2007
Total Posts : 9
 
Posted 1-6-2007 12:18 (GMT +1)
The IEXPLORE.EXE processes that are not supposed to be there are gone. No more ads popping up when using IE. But I see a rundll32.exe in the Processes tab, and rundll32.exe exists in 2 places: F:\WINDOWS\system32 (which I presume is normal) and F:\Program Files\Musicmatch\Musicmatch Jukebox. I'm just a little worried about this process; is there a way to confirm that the one that is running is genuine? Thanks for your assistance.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-6-2007 12:40 (GMT +1)
It's not supposed to be there. Right-click on rundll32.exe in the Musicmatch folder > Properties. If it's not from Microsoft, delete it.


 

dohjai
New Member


Date Joined Jan 2007
Total Posts : 9
 
Posted 1-6-2007 1:15 (GMT +1)
It's from Microsoft, and the date modified and file size are exactly the same as the one in F:\WINDOWS\system32, being 8/4/2004 9:07 AM and 33 KB. I don't recall seeing this in the Processes tab previously.
 

dohjai
New Member


Date Joined Jan 2007
Total Posts : 9
 
Posted 1-6-2007 1:25 (GMT +1)
Just ran msconfig, and from the Startup tab, I see a rundll32 where the Command is rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent. I guess this would be genuine as bthprops.cpl is the Bluetooth Devices Control Panel applet. So, it appears my system is clean (I hope). Thanks for all your help, much appreciated.
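A defender's way to settle the question dohjai raised above (which rundll32.exe copy is genuine, and what the running instance was launched with), as an added PowerShell example that is not from the forum thread. It assumes Windows PowerShell 5.1 or later for Get-FileHash and Get-CimInstance, which the thread's Windows XP machine would not have; the F: drive and the Musicmatch path are taken from the thread.

```powershell
# Added example (not from the thread): compare every rundll32.exe copy against the
# System32 original by signature and hash, then list the running instances.
# Assumes Windows PowerShell 5.1+; paths below come from the thread, adjust as needed.
$reference  = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$candidates = @(
    $reference,
    'F:\Program Files\Musicmatch\Musicmatch Jukebox\rundll32.exe'   # path named in the thread
)

function Test-RundllCopy {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $refHash = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        SizeBytes       = (Get-Item -LiteralPath $Path).Length
        SignatureStatus = $sig.Status                      # 'Valid' for a genuine Windows binary
        Signer          = $sig.SignerCertificate.Subject   # should name Microsoft
        MatchesSystem32 = ($hash -eq $refHash)             # identical bytes, not just same size/date
    }
}

$candidates | ForEach-Object { Test-RundllCopy $_ } | Format-List

# Which rundll32 instances are running, from which image path, with what arguments?
# A legitimate launch names a DLL/CPL, e.g. "bthprops.cpl,,BluetoothAuthenticationAgent"
# (the O4 entry in the thread); an image path outside System32 deserves a closer look.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Select-Object ProcessId, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap
```

Matching size and modification date, as compared in the thread, is weaker evidence than an identical SHA-256 hash and a valid Microsoft signature.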
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-6-2007 1:45 (GMT +1)
I was glad to help.
 
Hide system files again:
From Windows Explorer, go to Tools > Folder Options > View tab.
Untick "Show hidden files and folders"
Tick "Hide file extensions for known types"
Tick "Hide protected operating system files"
Click Yes to confirm and then click OK.


To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore
 
 
Here is some additional software you may wish to consider using to prevent malicious software installing on your PC:

IE-SPYAD: IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known ad/spy servers and domains to the "Restricted Zone" of Internet Explorer. (Choose between IE-SPYAD and IE-SPYAD2.) Freeware.

Spyware Guard: a background process that checks applications as they begin to run for known spyware and malicious code, and produces an alert if necessary. Freeware.

SpywareBlaster: from the same company as Spyware Guard, this is not a scanner; it blocks malicious objects and code from being downloaded, in addition to blocking access to sites known to download malware. SpywareBlaster runs silently in the background and does not need to be open to protect your PC. Freeware.
 
 
Make sure to keep these programs up to date.

Check for Security Updates: Windows Update


 