# trojans and cookies. please help



## lhwai70 (Jun 14, 2008)

Recently I have had a very slow connection, and sometimes it can't access the internet or my PC runs very slowly as well. I scanned my PC with AVG antivirus and the results were potential cookies and trojans. I moved/healed them to the antivirus vault, but they exist again on the next reboot. Also, upload is running even when no program is running [up to 40MB if I leave my PC online for an hour]. It hangs my connection too.

Please help me; this is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:10 AM, on 2/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\PPStream\ppsap.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6362 bytes

thanks!!!


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

Welcome.

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
Install the *Recovery Console* upon request.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

Thanks for your help. I'm working now and I'll follow your instructions once I go home.


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

Here are my log files.

Malwarebytes' Anti-Malware 1.33
Database version: 1718
Windows 5.1.2600 Service Pack 2

2/3/2009 7:28:02 PM
mbam-log-2009-02-03 (19-28-02).txt

Scan type: Quick Scan
Objects scanned: 61454
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 09-02-02.04 - lhwai 2009-02-03 20:21:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.290 [GMT 8:00]
Running from: h:\techguy\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 23:25 . 2009-02-02 23:29 d-------- C:\New Folder
2009-01-31 21:42 . 2009-01-31 21:42 d-------- c:\windows\system32\LogFiles
2009-01-31 00:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 00:40 . 2009-01-31 00:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 00:40 . 2009-01-31 00:40 d-------- c:\documents and settings\lhwai\Application Data\Malwarebytes
2009-01-31 00:40 . 2009-01-31 00:40 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 00:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-29 01:07 . 2009-01-29 01:07 d--h----- c:\windows\system32\GroupPolicy
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-29 00:09 . 2009-01-29 00:11 d-------- c:\program files\Spybot - Search & Destroy
2009-01-28 23:47 . 2009-01-28 23:47 d-------- c:\program files\Trend Micro
2009-01-24 02:35 . 2009-01-29 07:55 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-18 09:19 . 2009-01-18 09:19 d-------- c:\documents and settings\lhwai\Application Data\Yahoo!
2009-01-18 09:19 . 2009-01-18 09:19 d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-18 09:11 . 2009-01-18 09:13 d--h----- c:\windows\msdownld.tmp
2009-01-18 09:05 . 2009-01-18 09:13 d--h----- c:\windows\$hf_mig$
2009-01-18 09:04 . 2008-10-17 04:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-18 09:03 . 2008-10-17 04:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-18 09:03 . 2007-04-17 17:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-18 09:03 . 2007-03-08 13:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-18 09:03 . 2008-10-17 04:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-18 09:03 . 2008-10-17 04:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-18 09:03 . 2008-10-17 04:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-18 09:03 . 2008-10-17 04:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-18 09:03 . 2008-10-16 21:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-17 21:37 . 2007-08-13 18:45 78,336 --a------ c:\windows\system32\ieencode.dll
2009-01-17 21:37 . 2007-08-13 18:45 78,336 --a--c--- c:\windows\system32\dllcache\ieencode.dll
2009-01-17 21:37 . 2008-06-12 11:27 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-01-14 23:27 . 2009-01-14 23:27 d-------- c:\program files\Virtual Earth 3D
2009-01-14 23:01 . 2009-01-14 23:01 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 01:11 --------- d-----w c:\program files\Yahoo!
2009-01-15 19:04 --------- d-----w c:\documents and settings\lhwai\Application Data\ppstream
2009-01-15 18:59 --------- d-----w c:\program files\PPStream
2009-01-15 18:59 --------- d-----w c:\program files\MSN Messenger
2009-01-04 16:36 --------- d-----w c:\documents and settings\lhwai\Application Data\Ahead
2008-12-29 07:53 --------- d-----w c:\program files\GetRight
2008-12-29 07:53 --------- d-----w c:\documents and settings\my sis\Application Data\GetRight
2008-12-27 14:13 594,466 ----a-w c:\windows\system32\Codec Analyzer.zip
2008-12-20 15:55 --------- d-----w c:\documents and settings\lhwai\Application Data\AVGTOOLBAR
2008-12-16 15:34 --------- d-----w c:\documents and settings\lhwai\Application Data\GetRight
2008-12-14 11:48 --------- d-----w c:\documents and settings\my family\Application Data\Ahead
2008-12-13 11:09 --------- d-----w c:\documents and settings\my family\Application Data\AVGTOOLBAR
2008-12-13 08:43 --------- d-----w c:\documents and settings\my family\Application Data\GetRight
2008-12-12 14:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-10 13:38 --------- d-----w c:\program files\Winamp
2008-12-09 16:12 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-09 16:12 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-12-09 16:12 --------- d-----w c:\program files\AVG
2008-12-09 14:43 --------- d-----w c:\documents and settings\lhwai\Application Data\Media Player Classic
2008-12-09 14:04 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-09 13:00 --------- d-----w c:\program files\DAEMON Tools Lite
2008-12-09 12:57 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-09 12:56 --------- d-----w c:\documents and settings\lhwai\Application Data\DAEMON Tools
2008-12-08 11:49 --------- d-----w c:\documents and settings\lhwai\Application Data\Thinstall
2008-12-06 12:05 --------- d-----w c:\documents and settings\mum\Application Data\Netscape
2008-12-05 19:02 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-05 19:02 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-12-05 19:02 --------- d-----w c:\program files\Common Files\xing shared
2008-12-05 19:02 --------- d-----w c:\program files\Common Files\Real
2008-12-05 14:30 --------- d-----w c:\program files\Common Files\Ahead
2008-12-05 14:29 --------- d-----w c:\program files\Nero
2008-12-05 13:52 --------- d-----w c:\program files\Common Files\NSV
2008-12-05 13:38 --------- d-----w c:\program files\Real
2008-12-05 13:33 81,984 ----a-w c:\windows\system32\bdod.bin
2008-12-05 13:22 --------- d-----w c:\program files\Common Files\Softwin
2008-12-05 12:32 --------- d-----w c:\program files\Softwin
2008-12-05 12:29 --------- d-----w c:\program files\Common Files\Adobe
2008-12-05 12:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 12:25 --------- d-----w c:\program files\MSBuild
2008-12-05 12:25 --------- d-----w c:\program files\Microsoft Works
2008-12-05 09:58 --------- d-----w c:\documents and settings\my family\Application Data\Netscape
2008-12-04 17:08 --------- d-----w c:\program files\Sun
2008-12-04 15:48 --------- d-----w c:\program files\Netscape
2008-12-04 15:48 --------- d-----w c:\documents and settings\lhwai\Application Data\Netscape
2008-12-04 15:45 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-04 15:08 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-04 14:50 --------- d-----w c:\program files\VIA
2008-12-04 14:50 --------- d-----w c:\program files\InstallShield Installation Information
2008-12-04 14:06 --------- d-----w c:\documents and settings\lhwai\Application Data\MSN6
2008-12-04 14:00 --------- d-----w c:\documents and settings\All Users\Application Data\MSN6
2008-12-04 13:51 --------- d-----w c:\program files\microsoft frontpage
2008-11-24 14:32 57,344 ----a-w c:\windows\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2008-12-11 210296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-06 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-10 1261336]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=c:\windows\pss\GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lhwai^Start Menu^Programs^Startup^PPS.lnk]
path=c:\documents and settings\lhwai\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 20:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 04:32 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2008-12-06 03:02 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:31 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
--a------ 2008-12-11 18:06 210296 c:\program files\PPStream\PPSAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 13:37 35328 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-10 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-10 231704]
R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2008-12-04 48640]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
TCP: {5CF32727-8D67-4E04-98CC-415FF3B8C872} = 202.188.0.133 202.188.1.5
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 20:22:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-03 20:24:06
ComboFix-quarantined-files.txt 2009-02-03 12:24:04

Pre-Run: 19,960,393,728 bytes free
Post-Run: 20,862,726,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

210

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:00 PM, on 2/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PPStream\ppsap.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CF32727-8D67-4E04-98CC-415FF3B8C872}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6398 bytes

thanks for the help.


----------



## JSntgRvr (Jul 1, 2003)

Those logs look clear. Let's scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java* to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.
*Upgrading Java*:

Download the latest version of *Java SE Runtime Environment (JRE) JRE 6 Update 12*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the *jre-6u12-windows-i586-p.exe* and select "Run as an Administrator.")


----------



## lhwai70 (Jun 14, 2008)

sorry for the late reply because my connection was interrupted.
here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, February 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 06, 2009 13:52:27
Records in database: 1759606
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 42157
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:25:03

File name / Threat name / Threats count
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K5UR0T6Z\bkoyx[1].jpg Infected: Net-Worm.Win32.Kido.t 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1

The selected area was scanned.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

This popped up a couple of minutes after I accessed the internet:

Generic Host Process for Win32 Services has encountered a problem and needs to close

error report:

Event Type: BEX
P1:svchost.exe
P2:5.1.2600.2180 P3:4107ed6
P4:netapi32.dll
P5:5.1.2600.2180
P6:41109ac
P7:0000a3cd
P8:c0000409
P9:00000000

This error report includes information regarding the condition of Generic Host Process for Win32 Services when the problem occurred, the operating system and computer hardware in use, and the Internet Protocol (IP) address of your computer:
C:\DOCUME~1\lhwai\LOCALS\Temp\WERd3e0.dir00\svchost.exe.mdmp
C:\DOCUME~1\lhwai\LOCALS\Temp\WERd3e0.dir00\appcompat.txt

My connection is still shown as connected, but it hangs; I can't disconnect and can't access the internet.
And Windows can't renew my IP address when I try to repair the connection.
This is why it took me so many days to get my work done and post it to you.

And just now it couldn't continue signing in to TechGuy after I typed my password. It is very annoying.

Till now the upload volume has reached over 100MB.

Thank you for still being with me.


----------



## JSntgRvr (Jul 1, 2003)

Please remove *Real Toolbar* and *PPStream* if present in your Add/Remove programs option in the Control Panel.


*Copy the entire contents of the Quote Box * below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 


```
Files::
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K5UR0T6Z\bkoyx[1].jpg 
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll

Folder::
c:\program files\PPStream

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPS Accelerator"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\PPStream\\PPSAP.exe"=-
```

Once saved, referring to the picture above, drag *CFScript.txt * into *ComboFix.exe*, and post back the resulting report along with a Hijackthis log.

Reset Windows Sockets:


Enter your *Control Panel *and double-click on *Network Connections*
Then right click on your *Default Connection*
Usually Local Area Connection for Cable and DSL, or AOL Connection.

Left click on *Properties*
Double-Click on the *Internet Protocol (TCP/IP*) item
Select the radio button that says *Obtain DNS Servers Automatically*
Press OK twice to get out of the properties screen
Go to *Start*->*Run*->Type *CMD* and click *Ok*. The *MSDOS* Window will be displayed. At the command prompt, type the following and press *Enter* after each line:

```
netsh int ip reset C:\Resetlog.txt
netsh winsock reset catalog
ipconfig /flushdns
```
(The space between g and / in ipconfig /flushdns is needed.)
*Exit*

Restart the computer.

Let me know if there has been an improvement.


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

I ran ComboFix and followed your instructions. After ComboFix finished, the Spybot SD-Resident popped up and said something was trying to write to my registry. I denied it all, and here is the log attached. Will it affect my PC??

And I removed PPStream in Add/Remove Programs after I finished all your instructions. Is that OK??

ComboFix 09-02-02.04 - lhwai 2009-02-08 20:37:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.237 [GMT 8:00]
Running from: c:\documents and settings\lhwai\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lhwai\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PPStream
c:\program files\PPStream\1.1.0.2640\fds.dll
c:\program files\PPStream\1.1.0.2640\Livenet.dll
c:\program files\PPStream\1.1.0.2640\livenet2.dll
c:\program files\PPStream\1.1.0.2640\MList.ocx
c:\program files\PPStream\1.1.0.2640\msvcp60.dll
c:\program files\PPStream\1.1.0.2640\powerlist.ocx
c:\program files\PPStream\1.1.0.2640\powerplayer.dll
c:\program files\PPStream\1.1.0.2640\pp2play.dll
c:\program files\PPStream\1.1.0.2640\ppsimage.dll
c:\program files\PPStream\1.1.0.2640\ppssg.dll
c:\program files\PPStream\1.1.0.2640\psclg.dll
c:\program files\PPStream\1.1.0.2640\psnetwork.dll
c:\program files\PPStream\1.1.0.2640\vodnet.dll
c:\program files\PPStream\1.1.0.2640\vodres.dll
c:\program files\PPStream\assoc.ini
c:\program files\PPStream\codec\Codec Analyzer.xml
c:\program files\PPStream\codec\Cooker.xml
c:\program files\PPStream\codec\declrds.ax
c:\program files\PPStream\codec\keys.dat
c:\program files\PPStream\codec\pncrt.dll
c:\program files\PPStream\codec\real.zip
c:\program files\PPStream\codec\Real\Codecs\14_43260.dll
c:\program files\PPStream\codec\Real\Codecs\28_83260.dll
c:\program files\PPStream\codec\Real\Codecs\atrc.dll
c:\program files\PPStream\codec\Real\Codecs\cook.dll
c:\program files\PPStream\codec\Real\Codecs\cook.dll.bak
c:\program files\PPStream\codec\Real\Codecs\ddnt3260.dll
c:\program files\PPStream\codec\Real\Codecs\dnet3260.dll
c:\program files\PPStream\codec\Real\Codecs\drv1.dll
c:\program files\PPStream\codec\Real\Codecs\drv2.dll
c:\program files\PPStream\codec\Real\Codecs\drvc.dll
c:\program files\PPStream\codec\Real\Codecs\hxltcolor.dll
c:\program files\PPStream\codec\Real\Codecs\raac.dll
c:\program files\PPStream\codec\Real\Codecs\ralf.dll
c:\program files\PPStream\codec\Real\Codecs\rv10.dll
c:\program files\PPStream\codec\Real\Codecs\rv20.dll
c:\program files\PPStream\codec\Real\Codecs\rv30.dll
c:\program files\PPStream\codec\Real\Codecs\rv40.dll
c:\program files\PPStream\codec\Real\Codecs\sipr.dll
c:\program files\PPStream\codec\RealVideo 1.xml
c:\program files\PPStream\codec\RealVideo 2.xml
c:\program files\PPStream\codec\RealVideo 3.xml
c:\program files\PPStream\codec\RealVideo 4.xml
c:\program files\PPStream\codec\rmsplt.ax
c:\program files\PPStream\fds.dll
c:\program files\PPStream\help.url
c:\program files\PPStream\Livenet.dll
c:\program files\PPStream\Livenet2.dll
c:\program files\PPStream\MList.ocx
c:\program files\PPStream\msvcp60.dll
c:\program files\PPStream\PowerList.ocx
c:\program files\PPStream\PowerPlayer.dll
c:\program files\PPStream\pp2play.dll
c:\program files\PPStream\pps.url
c:\program files\PPStream\PPSAP.exe
c:\program files\PPStream\ppsimage.dll
c:\program files\PPStream\ppssg.dll
c:\program files\PPStream\PPStream.exe
c:\program files\PPStream\psclg.dll
c:\program files\PPStream\PSNetwork.dll
c:\program files\PPStream\settings.ini
c:\program files\PPStream\Sound\kac.wav
c:\program files\PPStream\Sound\min.wav
c:\program files\PPStream\Sound\tabselect.wav
c:\program files\PPStream\unpps.exe
c:\program files\PPStream\update.exe
c:\program files\PPStream\update.ini
c:\program files\PPStream\update\ppstreamsetup_update1211v2.exe
c:\program files\PPStream\ups.ini
c:\program files\PPStream\Vista.ssk
c:\program files\PPStream\vodnet.dll
c:\program files\PPStream\vodres.dll
c:\program files\PPStream\whatsnew.txt

.
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-05 21:47 . 2009-02-05 21:47 d-------- c:\windows\Sun
2009-02-05 21:38 . 2009-02-05 21:38 d-------- c:\program files\Java
2009-02-05 21:38 . 2009-02-05 21:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-05 21:38 . 2009-02-05 21:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-02 23:25 . 2009-02-02 23:29 d-------- C:\New Folder
2009-01-31 21:42 . 2009-01-31 21:42 d-------- c:\windows\system32\LogFiles
2009-01-31 00:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 00:40 . 2009-01-31 00:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 00:40 . 2009-01-31 00:40 d-------- c:\documents and settings\lhwai\Application Data\Malwarebytes
2009-01-31 00:40 . 2009-01-31 00:40 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 00:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-29 01:07 . 2009-01-29 01:07 d--h----- c:\windows\system32\GroupPolicy
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-29 00:09 . 2009-01-29 00:11 d-------- c:\program files\Spybot - Search & Destroy
2009-01-28 23:47 . 2009-01-28 23:47 d-------- c:\program files\Trend Micro
2009-01-24 02:35 . 2009-01-29 07:55 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-18 09:19 . 2009-01-18 09:19 d-------- c:\documents and settings\lhwai\Application Data\Yahoo!
2009-01-18 09:19 . 2009-01-18 09:19 d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-18 09:11 . 2009-01-18 09:13 d--h----- c:\windows\msdownld.tmp
2009-01-18 09:05 . 2009-01-18 09:13 d--h----- c:\windows\$hf_mig$
2009-01-18 09:04 . 2008-10-17 04:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-18 09:03 . 2008-10-17 04:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-18 09:03 . 2007-04-17 17:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-18 09:03 . 2007-03-08 13:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-18 09:03 . 2008-10-17 04:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-18 09:03 . 2008-10-17 04:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-18 09:03 . 2008-10-17 04:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-18 09:03 . 2008-10-17 04:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-18 09:03 . 2008-10-16 21:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-17 21:37 . 2007-08-13 18:45 78,336 --a------ c:\windows\system32\ieencode.dll
2009-01-17 21:37 . 2007-08-13 18:45 78,336 --a--c--- c:\windows\system32\dllcache\ieencode.dll
2009-01-17 21:37 . 2008-06-12 11:27 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-01-14 23:27 . 2009-01-14 23:27 d-------- c:\program files\Virtual Earth 3D
2009-01-14 23:01 . 2009-01-14 23:01 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 12:15 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-18 01:11 --------- d-----w c:\program files\Yahoo!
2009-01-15 19:04 --------- d-----w c:\documents and settings\lhwai\Application Data\ppstream
2009-01-15 18:59 --------- d-----w c:\program files\MSN Messenger
2009-01-04 16:36 --------- d-----w c:\documents and settings\lhwai\Application Data\Ahead
2008-12-29 07:53 --------- d-----w c:\program files\GetRight
2008-12-29 07:53 --------- d-----w c:\documents and settings\my sis\Application Data\GetRight
2008-12-27 14:13 594,466 ----a-w c:\windows\system32\Codec Analyzer.zip
2008-12-20 15:55 --------- d-----w c:\documents and settings\lhwai\Application Data\AVGTOOLBAR
2008-12-16 15:34 --------- d-----w c:\documents and settings\lhwai\Application Data\GetRight
2008-12-14 11:48 --------- d-----w c:\documents and settings\my family\Application Data\Ahead
2008-12-13 11:09 --------- d-----w c:\documents and settings\my family\Application Data\AVGTOOLBAR
2008-12-13 08:43 --------- d-----w c:\documents and settings\my family\Application Data\GetRight
2008-12-10 13:38 --------- d-----w c:\program files\Winamp
2008-12-09 16:12 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-09 16:12 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-12-09 16:12 --------- d-----w c:\program files\AVG
2008-12-09 14:43 --------- d-----w c:\documents and settings\lhwai\Application Data\Media Player Classic
2008-12-09 14:04 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-09 13:00 --------- d-----w c:\program files\DAEMON Tools Lite
2008-12-09 12:57 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-09 12:56 --------- d-----w c:\documents and settings\lhwai\Application Data\DAEMON Tools
2008-12-08 11:49 --------- d-----w c:\documents and settings\lhwai\Application Data\Thinstall
2008-12-05 19:02 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-05 19:02 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-12-05 13:33 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-24 14:32 57,344 ----a-w c:\windows\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((( [email protected]_20.23.06.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 13:38:34 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-02-05 13:38:34 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-05 13:38:34 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-04 14:33:00 39,992 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-04 14:38:32 39,992 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-04 14:33:00 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-04 14:38:32 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2004-08-03 22:56:44 62,976 ----a-w c:\windows\system32\yhyfiba.dll
+ 2009-02-08 12:26:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_680.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-06 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-10 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 148888]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-10 00:12 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=c:\windows\pss\GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lhwai^Start Menu^Programs^Startup^PPS.lnk]
path=c:\documents and settings\lhwai\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 20:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 04:32 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2008-12-06 03:02 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:31 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 13:37 35328 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"6386:TCP"= 6386:TCP:WWW

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-10 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-10 231704]
R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2008-12-04 48640]
S2 bbmfhyv;bbmfhyv;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BBMFHYV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bbmfhyv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 20:39:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-02-08 20:41:12
ComboFix-quarantined-files.txt 2009-02-08 12:41:07
ComboFix2.txt 2009-02-03 12:24:08

Pre-Run: 20,685,340,672 bytes free
Post-Run: 20,720,979,968 bytes free


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:23 PM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7157 bytes

the spybot SD-resident log:

2/8/2009 8:42:38 PM Denied value "PPS Accelerator" (new data: "") deleted in System Startup user entry!
2/8/2009 8:43:14 PM Denied value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
2/8/2009 8:43:17 PM Denied value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
2/8/2009 8:43:28 PM Denied value "load" (new data: "") deleted in NT startup!
2/8/2009 8:43:33 PM Denied value "scrnsave.exe" (new data: "") deleted in Desktop settings!

my connection now seem running without any problem now and no more virus detected. i'll check this for these few days

Thanks for your help, JSntgRvr.
Just hope I'll be like you, helping others.


----------



## lhwai70 (Jun 14, 2008)

Just now it couldn't load when I clicked the reply button. I had clicked many times and got just a flash on screen, and it did not load. I checked the connection; it is still running. What happened??


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

Perhaps it is due to a corrupted cache.

Please download *ATF Cleaner* by Atribune.
*This program is for XP and Windows 2000 only*

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use the Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use the Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.

*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file *CFScript.txt*.
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*.


```
Suspect::
c:\windows\system32\yhyfiba.dll

Driver::
bbmfhyv

NetSvc::
bbmfhyv
```

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report along with a HijackThis log.

Additionally, when CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

This is my result after performing ComboFix, and the HJT log.

ComboFix 09-02-02.04 - lhwai 2009-02-09 20:25:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.251 [GMT 8:00]
Running from: c:\documents and settings\lhwai\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lhwai\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BBMFHYV
-------\Service_bbmfhyv

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-05 21:47 . 2009-02-05 21:47 d-------- c:\windows\Sun
2009-02-05 21:38 . 2009-02-05 21:38 d-------- c:\program files\Java
2009-02-05 21:38 . 2009-02-05 21:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-05 21:38 . 2009-02-05 21:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-02 23:25 . 2009-02-02 23:29 d-------- C:\New Folder
2009-01-31 21:42 . 2009-01-31 21:42 d-------- c:\windows\system32\LogFiles
2009-01-31 00:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 00:40 . 2009-01-31 00:48 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 00:40 . 2009-01-31 00:40 d-------- c:\documents and settings\lhwai\Application Data\Malwarebytes
2009-01-31 00:40 . 2009-01-31 00:40 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 00:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-29 01:07 . 2009-01-29 01:07 d--h----- c:\windows\system32\GroupPolicy
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-29 00:33 . 2009-01-29 00:33 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-29 00:09 . 2009-01-29 00:11 d-------- c:\program files\Spybot - Search & Destroy
2009-01-28 23:47 . 2009-01-28 23:47 d-------- c:\program files\Trend Micro
2009-01-24 02:35 . 2009-01-29 07:55 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-18 09:19 . 2009-01-18 09:19 d-------- c:\documents and settings\lhwai\Application Data\Yahoo!
2009-01-18 09:19 . 2009-01-18 09:19 d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-18 09:11 . 2009-01-18 09:13 d--h----- c:\windows\msdownld.tmp
2009-01-18 09:05 . 2009-01-18 09:13 d--h----- c:\windows\$hf_mig$
2009-01-18 09:04 . 2008-10-17 04:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-18 09:03 . 2008-10-17 04:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-18 09:03 . 2007-04-17 17:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-18 09:03 . 2007-03-08 13:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-18 09:03 . 2008-10-17 04:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-18 09:03 . 2008-10-17 04:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-18 09:03 . 2008-10-17 04:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-18 09:03 . 2008-10-17 04:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-18 09:03 . 2008-10-16 21:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-17 21:37 . 2007-08-13 18:45 78,336 --a------ c:\windows\system32\ieencode.dll
2009-01-17 21:37 . 2007-08-13 18:45 78,336 --a--c--- c:\windows\system32\dllcache\ieencode.dll
2009-01-17 21:37 . 2008-06-12 11:27 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-01-14 23:27 . 2009-01-14 23:27 d-------- c:\program files\Virtual Earth 3D
2009-01-14 23:01 . 2009-01-14 23:01 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 11:57 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-18 01:11 --------- d-----w c:\program files\Yahoo!
2009-01-15 19:04 --------- d-----w c:\documents and settings\lhwai\Application Data\ppstream
2009-01-15 18:59 --------- d-----w c:\program files\MSN Messenger
2009-01-04 16:36 --------- d-----w c:\documents and settings\lhwai\Application Data\Ahead
2008-12-29 07:53 --------- d-----w c:\program files\GetRight
2008-12-29 07:53 --------- d-----w c:\documents and settings\my sis\Application Data\GetRight
2008-12-27 14:13 594,466 ----a-w c:\windows\system32\Codec Analyzer.zip
2008-12-20 15:55 --------- d-----w c:\documents and settings\lhwai\Application Data\AVGTOOLBAR
2008-12-16 15:34 --------- d-----w c:\documents and settings\lhwai\Application Data\GetRight
2008-12-14 11:48 --------- d-----w c:\documents and settings\my family\Application Data\Ahead
2008-12-13 11:09 --------- d-----w c:\documents and settings\my family\Application Data\AVGTOOLBAR
2008-12-13 08:43 --------- d-----w c:\documents and settings\my family\Application Data\GetRight
2008-12-10 13:38 --------- d-----w c:\program files\Winamp
2008-12-09 16:12 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-09 16:12 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-12-09 16:12 --------- d-----w c:\program files\AVG
2008-12-09 14:43 --------- d-----w c:\documents and settings\lhwai\Application Data\Media Player Classic
2008-12-09 14:04 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-09 13:00 --------- d-----w c:\program files\DAEMON Tools Lite
2008-12-09 12:57 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-09 12:56 --------- d-----w c:\documents and settings\lhwai\Application Data\DAEMON Tools
2008-12-05 19:02 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-05 19:02 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-12-05 13:33 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-24 14:32 57,344 ----a-w c:\windows\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2009-02-09_20.23.06.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2007-07-30 11:19:46 203,096 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 06:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2009-02-05 13:38:34 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-02-05 13:38:34 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-05 13:38:34 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-04 14:33:00 39,992 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-04 14:38:32 39,992 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-04 14:33:00 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-04 14:38:32 311,604 ----a-w c:\windows\system32\perfh009.dat
- 2007-07-30 11:19:46 203,096 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 06:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2004-08-03 22:56:44 62,976 ----a-w c:\windows\system32\yhyfiba.dll
+ 2009-02-09 12:29:02 16,384 ----atw c:\windows\temp\Perflib_Perfdata_53c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-06 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-10 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 148888]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-10 00:12 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=c:\windows\pss\GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lhwai^Start Menu^Programs^Startup^PPS.lnk]
path=c:\documents and settings\lhwai\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 20:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 04:32 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2008-12-06 03:02 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:31 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 13:37 35328 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"6386:TCP"= 6386:TCP:WWW

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-10 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-10 231704]
R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2008-12-04 48640]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PPS Accelerator - c:\program files\PPStream\ppsap.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Trusted Zone: xhamster.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 20:29:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)
c:\windows\system32\avgrsstx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\AVG\AVG8\avgupd.exe
.
**************************************************************************
.
Completion time: 2009-02-09 20:31:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-09 12:31:24
ComboFix2.txt 2009-02-08 12:41:13
ComboFix3.txt 2009-02-03 12:24:08

Pre-Run: 20,506,513,408 bytes free
Post-Run: 20,444,774,400 bytes free

221

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:54 PM, on 2/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CF32727-8D67-4E04-98CC-415FF3B8C872}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7083 bytes

thank you

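An added example, not from the thread, HijackThis or ComboFix, for reading logs in the HijackThis format posted above: it parses the entry lines and pulls out what a helper checks first (O17 resolvers not on the ISP's list, BHOs whose file is gone, Run keys under the SYSTEM account, Winlogon Notify DLLs, services from unlisted publishers). The trusted-publisher list and the expected-resolver set are assumptions; the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass

# A HijackThis entry is a section code (R0/R1/R3, O2, O4, O17, O23, ...) followed
# by " - " separated fields; header lines and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Service publishers the reviewer already trusts (an assumption for this
# example; a helper would keep their own list).
TRUSTED_PUBLISHERS = frozenset({
    "AVG Technologies CZ, s.r.o.",
    "Sun Microsystems, Inc.",
    "NVIDIA Corporation",
})


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O17"
    reason: str  # short tag for the kind of finding
    detail: str  # the value that triggered it


def parse_entry(line):
    """Split one HJT line into (code, fields); None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return m.group("code"), [f.strip() for f in m.group("rest").split(" - ")]


def triage(lines, expected_dns=frozenset(), trusted=TRUSTED_PUBLISHERS):
    """Return the entries a helper would look at first, in log order.

    expected_dns: resolver addresses the ISP is known to use. Any other O17
    NameServer value is reported so it can be checked against the ISP's
    published servers; a changed resolver is one cause of the kind of
    redirect the thread goes on to describe.
    """
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, fields = parsed
        if code == "O17" and "NameServer" in fields[0]:
            for ip in IPV4_RE.findall(fields[0]):
                if ip not in expected_dns:
                    findings.append(Finding(code, "dns-override", ip))
        elif code == "O2" and fields[-1] == "(no file)":
            # CLSID still registered as a BHO although its DLL is gone: a
            # leftover registration that should be cleaned up.
            findings.append(Finding(code, "bho-missing-file", fields[1]))
        elif code == "O4" and "(User 'SYSTEM')" in fields[-1]:
            # Auto-start under HKU\S-1-5-18 runs as SYSTEM before anyone logs
            # in; user applications do not normally belong there.
            findings.append(Finding(code, "system-account-run", fields[0]))
        elif code == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe; confirm the vendor.
            findings.append(Finding(code, "winlogon-notify", fields[-1]))
        elif code == "O23" and len(fields) >= 3 and fields[1] not in trusted:
            findings.append(Finding(code, "unknown-service-publisher", fields[1]))
    return findings


# Sample input copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CF32727-8D67-4E04-98CC-415FF3B8C872}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason:26} {f.detail}")
```

Pass the ISP's published resolvers as `expected_dns` so that only unexpected O17 values are reported.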

----------



## lhwai70 (Jun 14, 2008)

HKCU-Run-PPS Accelerator - c:\program files\PPStream\ppsap.exe

I had deleted this program according to your instruction in a past action, but this is still stated in the log file. Is it maybe that I made a wrong sequence and it didn't delete?


----------



## JSntgRvr (Jul 1, 2003)

lhwai70 said:


> HKCU-Run-PPS Accelerator - c:\program files\PPStream\ppsap.exe
> 
> I had deleted this program according to your instruction in a past action, but this is still stated in the log file. Is it maybe that I made a wrong sequence and it didn't delete?


Orphans are removed by Combofix.

You weren't able to upload the file.

Look in the *C:\Qoobox\Quarantine* folder for a compressed file named *Submit [Date Time].zip*

Please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

Thanks for helping me. I had submitted the file to bleepingcomputer.com,
and my PC is running well. I will try to run my PC for a few days more.

thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70*. 

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this *file*:

*c:\windows\system32\yhyfiba.dll*

Let's do some housekeeping:

Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *x* and the */u*, it needs to be there.

*Create a Restore point* (If the above process fails to do so):

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*SpywareBlaster* - Great prevention tool to keep nasties from installing on your system.

*ZonedOut + IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*ATF*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*Windows Updates* - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

*Recovery Console* - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the *Recovery Console* in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see *This Article*. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein and *this one* by *Miekiemoes*.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------



## lhwai70 (Jun 14, 2008)

hi JsntgRvr, 

I had done the System Restore.

Then I did the Windows Update, but it can't access the Windows web site,
and in IE:

Cannot find "windowsupdate.microsoft.com"

DNS error -server cannot be found.

Browse these related search categories:

1. Window Update
2. Window Vista
3. Window XP Update
4. Free Windows Update XP
5. Download Window Update
6. Top Registry Cleaner
7. Buy Window
8. Window Patch Management
9. Window 98 Buy
10. Windows Update Fix
11. Vista Cheap
12. Vista Download
13. Purchase Vista
14. Free Window Registry Fix
15. Window Vista Prices

It directed me to a site called VMN.net, and it is powered by Yahoo search.
What happened?

here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:16 PM, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CF32727-8D67-4E04-98CC-415FF3B8C872}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7241 bytes

my connection seems unstable again.


----------



## lhwai70 (Jun 14, 2008)

I tried to update Malwarebytes' and it said no connection or firewall protection. But before this I had allowed MBM in Windows Firewall.
And AVG Resident Shield is not in the AVG security components.

Here is my MBM log without the update:

Malwarebytes' Anti-Malware 1.33
Database version: 1718
Windows 5.1.2600 Service Pack 2

2/11/2009 11:39:06 PM
mbam-log-2009-02-11 (23-39-06).txt

Scan type: Quick Scan
Objects scanned: 59759
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## lhwai70 (Jun 14, 2008)

I tried again in a new tab on the MSN home page, searched for Windows Update, but still "server not found".

It looked normal other than this.


----------



## JSntgRvr (Jul 1, 2003)

Let's change your settings to OpenDNS:

*Windows XP*

Enter your *Control Panel *and double-click on *Network Connections*
Then right click on your *Default Connection*
Usually Local Area Connection for Cable and DSL, or AOL Connection.

Left click on *Properties*
Double-Click on the *Internet Protocol (TCP/IP*) item
You will see a setting called Use the following DNS Server Addresses. Type the following values for the preferred and alternate DNS Servers respectively.
208.67.222.222
208.67.220.220
Press OK twice to get out of the properties screen
Test and let me know.

Graphic instructions.
https://www.opendns.com/homenetwork/start/


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

I had changed the DNS address but the problems are still unsolved. I can access limited sites only. My connection is always blinking, unstable.

I ran the network diagnostics for Windows XP and the result is: it has restored the HTTP and HTTPS web pages but cannot connect to the server using FTP, and it is caused by my firewall setting. It asked me to check it, FTP port 21.
I turned off the Windows Firewall but still can't access Windows Update.

I tried but cannot access: Windows Update, AVG.com, norton.com

Yahoo no problem, TSG also no problem, but it is still very slow and the modem always blinks no connectivity.


----------



## JohnWill (Oct 19, 2002)

*TCP/IP stack repair options for use with Windows XP with SP2/SP3.*

*S*tart, *R*un, *CMD* to open a command prompt:

In the command prompt window that opens, type the following commands:

_Note: Type only the text in bold for the following commands._

Reset TCP/IP stack to installation defaults, type: *netsh int ip reset reset.log*

Reset WINSOCK entries to installation defaults, type: *netsh winsock reset catalog*

Reboot the machine.

Let's see this after the reboot.

Hold the *Windows* key and press *R*, then type *CMD* to open a command prompt:

In the command prompt window that opens, type the following command:

_Note that there is a space before the /ALL, but there is *NOT* a space after the / in the following command._

IPCONFIG /ALL

Right click in the command window and choose *Select All*, then hit *Enter* to copy the contents to the clipboard.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.


----------



## lhwai70 (Jun 14, 2008)

hi JohnWill,

thanks for your help.
here is the IP configuration:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\lhwai>IPCONFIG /ALL

Windows IP Configuration

Host Name . . . . . . . . . . . . : wai
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-11-09-D9-21-C2
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
Lease Obtained. . . . . . . . . . : Friday, February 13, 2009 10:45:15 PM
Lease Expires . . . . . . . . . . : Sunday, March 15, 2009 10:45:15 PM

PPP adapter streamyx2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 124.13.193.86
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 124.13.193.86
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220

C:\Documents and Settings\lhwai>


----------



## JohnWill (Oct 19, 2002)

That looks like a good connection, is there still a problem?


----------



## lhwai70 (Jun 14, 2008)

Yeah, I still can't access Windows Update.
And my AVG Resident Shield has gone.


----------



## JohnWill (Oct 19, 2002)

Try resetting Internet Explorer 7 settings to their defaults.


----------



## lhwai70 (Jun 14, 2008)

Still can't access Windows Update after I reset the IE7 settings.
I'm using Netscape 9 too. Should I reset it also??


----------



## JohnWill (Oct 19, 2002)

Well, I'm just trying to get IE7 working, but it seems like a common issue. Can you access any Microsoft site? Is this just update that doesn't work, or Microsoft in general? What is the exact symptom of update not working?

Let's restore a normal network configuration and remove the OpenDNS settings.

Select Start > Settings > Network Connections.


Double-click the Connection icon of the connection you wish to modify to open the Local Area Connection Status window.
Click the Properties button to open the Local Area Connection Properties window.
Click to highlight Internet Protocol (TCP/IP).
Click the Properties button to open the Internet Protocol (TCP/IP) Properties window.
TCP/IP Properties window, IP Address tab
Select Obtain an IP address automatically.
Select Obtain DNS server address automatically.
Click OK to return to the Local Area Connection Properties window.
Click OK to return to the Network Connections window.

Next, I think we need a little information about the network environment.

Name of your ISP (Internet Service Provider).
Make *and* exact model of the broadband modem.
Make *and* exact model and hardware version of the router (if a separate unit).
_Model numbers can usually be obtained from the label on the device._


Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue?
If there are other computers on the same network, are they experiencing the same issue, or do they function normally?


----------



## lhwai70 (Jun 14, 2008)

hi JohnWill,

Sorry, just now I forgot to reset the TCP/IP and Winsock.
After changing back to auto DNS I reset the TCP/IP and Winsock and made the IP config:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\lhwai>IPCONFIG /ALL

Windows IP Configuration

Host Name . . . . . . . . . . . . : wai
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-11-09-D9-21-C2
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Saturday, February 14, 2009 12:10:02 AM
Lease Expires . . . . . . . . . . : Monday, March 16, 2009 12:10:02 AM

PPP adapter streamyx:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 124.13.194.177
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 124.13.194.177
DNS Servers . . . . . . . . . . . : 202.188.0.133
202.188.1.5

C:\Documents and Settings\lhwai>

ISP: TM Net Streamyx
Modem: Riger DB102 ADSL Modem 2/2+
this modem is provided by provider [package]

I am connecting to this computer now and there is no other computer on this network.

thanks


----------



## lhwai70 (Jun 14, 2008)

I can access other sites in IE7 such as Facebook, but all Windows sites are unreachable, including other security sites such as AVG and Norton.
It just says: Internet Explorer cannot display the webpage. No symptoms.

When I ran the network diagnostic for Windows XP, I saw my local connection go on/off and "acquiring network address". Then the diagnostic said there might be a problem with my modem, but I saw my modem is not blinking.


----------



## JohnWill (Oct 19, 2002)

You can login to places like banking site, but not Microsoft? Can you go to www.microsoft.com?


----------



## lhwai70 (Jun 14, 2008)

Hi JohnWill,
sorry for the late reply.

Yes, I can access the banking site. I can't access www.microsoft.com
I have 4 administrative accounts on my computer. I just deleted the cookies only in Netscape 9 in my niece's account.
What should I do for more?

thanks


----------



## JohnWill (Oct 19, 2002)

Let's try with IE7 after resetting it to defaults.

Reset Internet Explorer 7 Settings


----------



## lhwai70 (Jun 14, 2008)

hi JohnWill,

I have reset IE7 and the problem is still the same. Cannot go to any Microsoft sites.
??


----------



## JohnWill (Oct 19, 2002)

Can you access www.microsoft.com if you boot into *Safe Mode with Networking*?


----------



## lhwai70 (Jun 14, 2008)

hi JohnWill,

In safe mode I lost my internet connection service [left local area connection]. I tried the dial-up preference. It says

cannot load the Remote Access Connection Manager Service.
Error 711: A configuration error on this computer is preventing this connection. For further assistance, click more or search Help and Support Centre for this error"


----------



## JohnWill (Oct 19, 2002)

Are you connecting with the Ethernet cable to a router here? I see two connections, which one is active?

FWIW, the fact that you can't get to security related sites still seems to suggest malware.

How about posting this.

Hold the *Windows* key and press *R*, then type *CMD* to open a command prompt:

In the command prompt window that opens, type the following command:

TRACERT google.com

Right click in the command window and choose *Select All*, then hit *Enter* to copy the contents to the clipboard.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.

I'd also like to see this.

*S*tart, *R*un, *NOTEPAD c:\Windows\system32\drivers\etc\HOSTS.*

Select all and copy and paste to a message here.


----------
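The HOSTS file check requested above is the right instinct: malware that wants to keep a victim away from Windows Update and antivirus vendors often pins those names to 127.0.0.1 or to an attacker-controlled address, and the Windows resolver consults HOSTS before it ever asks DNS. As an added example (not part of the original post, and not code from any tool in this thread), the Python below parses HOSTS-file text and flags every mapping beyond the stock `127.0.0.1 localhost`, classifying each as a blackhole (loopback/unspecified target), a redirect (routable target) or invalid, and marking names on a watch list of update and security-vendor domains. The watch list, the `HOSTS_PATH` constant and the sample HOSTS text are constructed for this example; `192.0.2.10` is a documentation address standing in for an attacker's host.

```python
"""Audit a Windows HOSTS file for blackholed or redirected names."""
import ipaddress
from typing import Dict, List, Tuple

# Names that malware commonly pins in HOSTS so the victim cannot update or
# reach security vendors. Assumed watch list for this example; extend it.
WATCHED_DOMAINS = {
    "windowsupdate.microsoft.com", "update.microsoft.com", "www.microsoft.com",
    "www.avg.com", "free.avg.com", "www.norton.com", "www.symantec.com",
    "www.mcafee.com", "www.malwarebytes.org", "www.safer-networking.org",
}
HOSTS_PATH = r"C:\Windows\system32\drivers\etc\hosts"  # stock XP location

# Constructed sample; 192.0.2.10 is a documentation address standing in
# for an attacker-controlled host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com   # blackholed: no updates
0.0.0.0         www.avg.com
192.0.2.10      www.microsoft.com             # redirected to a fake site
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [names]) per mapping line, skipping
    comments and blank lines the way the Windows resolver does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def is_watched(name: str) -> bool:
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag every mapping except the stock loopback -> localhost entry.

    kind is 'blackhole' for loopback/unspecified targets (the name becomes
    unreachable), 'redirect' for a routable target (the name is silently
    sent elsewhere), or 'invalid' if the address does not parse."""
    findings = []
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append({"line": lineno, "host": " ".join(names),
                             "address": addr_text, "kind": "invalid",
                             "watched": any(is_watched(n) for n in names)})
            continue
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        for name in names:
            if name == "localhost" and addr.is_loopback:
                continue  # the one entry a stock HOSTS file contains
            findings.append({"line": lineno, "host": name, "address": str(addr),
                             "kind": kind, "watched": is_watched(name)})
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; swap in open(HOSTS_PATH).read()
    # on a real machine.
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = "WATCHED " if f["watched"] else ""
        print(f"line {f['line']}: {flag}{f['kind']} {f['host']} -> {f['address']}")
```

A clean XP HOSTS file yields no findings at all, which matches the `127.0.0.1 localhost` result posted later in this thread; ad-blocking HOSTS lists will produce many legitimate blackhole findings, so the `watched` flag is the one to act on first.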



## lhwai70 (Jun 14, 2008)

hi JohnWill,

I ran TRACERT google.com and it closed itself before I could copy it. I ran it again and wrote it down.

Tracing route to google.com [209.85.171.100]
1 * * * request time out
2
~
30 same result

the result of NOTEPAD c:\Windows\system32\drivers\etc\HOSTS.
127.0.0.1 localhost


----------



## JohnWill (Oct 19, 2002)

That problem with tracert is a classic sign of a firewall issue.


----------



## lhwai70 (Jun 14, 2008)

Should I close my firewall and do it again?


----------



## lhwai70 (Jun 14, 2008)

And yes, I'm connecting with the Ethernet cable to a router here,
and which 2 connections do you mean? Sorry, I don't understand.


----------



## JohnWill (Oct 19, 2002)

I'm referring to this second connection:


> PPP adapter streamyx:
> 
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> ...


Disable ALL firewalls on the machine and try the tests again. Some firewalls have to be uninstalled to totally release their grip.


----------



## lhwai70 (Jun 14, 2008)

Hi JohnWill,

The 2 connections are the same. I renamed it from Streamyx2 to streamyx.

Here is the result of TRACERT google.com:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\lhwai>TRACERT google.com

Tracing route to google.com [209.85.171.100]
over a maximum of 30 hops:

1 45 ms * 54 ms 219.93.218.177
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

C:\Documents and Settings\lhwai>

*NOTEPAD c:\Windows\system32\drivers\etc\HOSTS.*
127.0.0.1 localhost


----------



## JohnWill (Oct 19, 2002)

That's more than a little curious. You get the very first hop, then everything times out.

I don't see your router represented, and nothing responds to pings at all!

Is there some restriction in your country on www.microsoft.com?


----------



## lhwai70 (Jun 14, 2008)

hi JohnWill,

I have no idea at all.

And there is no restriction in my country on www.microsoft.com.

I can access it on my PC in my office.

My AVG 8 antivirus and anti-spyware shows that the database is out of date since 4th February. But every time I connect to the internet it shows that AVG is always downloading the update data and needs to restart.
Why????


----------



## JohnWill (Oct 19, 2002)

I'm at a loss. I'm at the "reformat" state at this point, I don't have any other things I can think of to try.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

Thanks, *John*, for your assistance. Let me take a deeper look.

*lhwai70*, please download *OTScanit2.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanit2* on your desktop. *OTScanit2* can be detected as malware by your firewall and Antivirus. Choose *Ignore* on any warning alert.

Close any open browsers.
Open the *OTScanit2* folder and double-click on *OTScanit2.exe* to start the program.
Leave all settings as they appear as default, except for the following:
Under *Drivers*, select *"All"*.
Under *Rootkit Search*, select *Yes*
Under *Additional Scan* select the following:
*Reg - ControlSets*
*Reg - Disabled MS Config Items*
*Reg - File Associations*
*Reg - Security Center Settings*
*Reg - Tcpip Persistent Routes*


Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

Very happy TechGuy never gives up helping us 

I have a doubt:
I opened *OTScanit2 *and saw a check box for "scan all users". I have 4 administrative user accounts on my computer. Should I select it and then perform the scan? Or just leave it?

thanks.

and thanks to JohnWill for guiding me too.


----------



## JSntgRvr (Jul 1, 2003)

lhwai70 said:


> hi JsntgRvr,
> 
> very happy Techguy never give up helping us
> 
> ...


Sure. No problems.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I scanned it and here are the 2 reports:



thanks.


----------



## lhwai70 (Jun 14, 2008)

TechGuy blocked my attachment.

try again.


----------



## lhwai70 (Jun 14, 2008)

TechGuy still blocks my attachment.
Why??


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

Start *OTScanit2*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type.
YN -> HKEY_LOCAL_MACHINE\: Main\\"Secondary Start Pages" -> Reg Error: Invalid data type.
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type.
YN -> HKEY_CURRENT_USER\: Main\\"SearchDefaultBranded" -> Reg Error: Invalid data type.
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\] > -> 
YN -> HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\: Main\\"SearchDefaultBranded" -> Reg Error: Invalid data type.
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "PPS Accelerator" -> %ProgramFiles%\PPStream\ppsap.exe [C:\Program Files\PPStream\ppsap.exe]
< Run [HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "PPS Accelerator" -> %ProgramFiles%\PPStream\ppsap.exe [C:\Program Files\PPStream\ppsap.exe]
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5338 domain(s) found.
YN -> www_spankwire.com [https] -> Trusted sites
YN -> 121 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5337 domain(s) found.
YN -> 120 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5337 domain(s) found.
YN -> 120 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5337 domain(s) found.
YN -> 120 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5337 domain(s) found.
YN -> 120 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5338 domain(s) found.
YN -> www_spankwire.com [https] -> Trusted sites
YN -> 121 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YN -> C:^Documents and Settings^lhwai^Start Menu^Programs^Startup^PPS.lnk -> %SystemDrive%\PROGRA~1\PPStream\PPStream.exe
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> PPS Accelerator hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\PPStream\ppsap.exe
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new OTScanit scan and a HijackThis log*.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Please download *gmer.zip* and save to your desktop.

Extract (unzip) the file to its own folder such as C:\Gmer. _(Click here for information on how to do this if not sure.)_
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
Click on *this link* to see a list of programs that should be disabled.
Double-click on *gmer.exe* to start the program.
Allow the gmer.sys driver to load if asked.
You may be prompted to scan immediately if GMER detects rootkit activity.
If you are prompted to scan your system click "*Yes*" to begin the scan.
If not prompted, click the "*Rootkit/Malware*" tab.
On the right-side, all items to be scanned should be checked by default _except_ for "Show All". Leave that box *unchecked*.
Select all drives that are connected to your system to be scanned.
Click the *Scan* button to begin. _(Please be patient as it can take some time to complete)_
When the scan is finished, click *Save* to save the scan results to your Desktop.
Save the file as *gmer.log* and copy/paste the contents in your next reply.
Exit GMER and re-enable all active protection when done.


----------
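The fix above reports several thousand ZoneMap entries in every user hive and one site placed explicitly in the Trusted sites zone. Sites in that zone get IE's relaxed Trusted-zone security settings (fewer ActiveX and scripting prompts), which is why adware likes to add itself there; thousands of Restricted sites entries, by contrast, are normal on a machine where Spybot's Immunize feature has been run, since that is exactly how it works. As an added example (not OTScanit's or the forum's code), the Python below parses a `regedit` export of `...\Internet Settings\ZoneMap\Domains` into hostname-to-zone mappings and reports everything in the Trusted (2) or Restricted (4) zones plus keys that carry no zone value at all, the "not assigned to a zone" condition the log mentions. The `.reg` sample is constructed and its hostnames are placeholders; `load_reg_file` and the export command in its comment are assumptions about how you would obtain the real data.

```python
"""Audit Internet Explorer ZoneMap\\Domains from a regedit .reg export."""
import re
from collections import Counter
from typing import Dict, List, Optional

# IE URL security zone ids and their names.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
_DOMAINS_MARKER = "\\zonemap\\domains\\"          # matched case-insensitively
_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample of what
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg
# produces. Hostnames are placeholders, not taken from the thread's logs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bank.example]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shady-toolbar.example\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\orphan.example]
"""


def load_reg_file(path: str) -> str:
    """regedit writes .reg exports as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_zonemap(reg_text: str) -> Dict[str, Dict[str, int]]:
    """Map hostname -> {scheme: zone} from a .reg export.

    Domains\\<domain> holds values for the bare domain and
    Domains\\<domain>\\<sub> for sub.domain; each value is a scheme name
    ("http", "https", "*") whose dword is the zone id. A key with no dword
    values is kept with an empty dict: present, but not assigned to a zone."""
    result: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(_DOMAINS_MARKER)
            if idx < 0:
                current = None            # some unrelated key in the export
                continue
            parts = [p for p in key[idx + len(_DOMAINS_MARKER):].split("\\") if p]
            if not parts:
                current = None            # the Domains key itself
                continue
            current = ".".join(reversed(parts)).lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def audit_zonemap(zonemap: Dict[str, Dict[str, int]],
                  zones_of_interest=(2, 4)) -> List[Dict[str, object]]:
    """Findings for hosts in the zones of interest (default Trusted and
    Restricted) plus hosts that exist with no zone assignment at all."""
    findings = []
    for host, schemes in sorted(zonemap.items()):
        if not schemes:
            findings.append({"host": host, "scheme": None, "zone": None,
                             "zone_name": "not assigned"})
            continue
        for scheme, zone in sorted(schemes.items()):
            if zone in zones_of_interest:
                findings.append({"host": host, "scheme": scheme, "zone": zone,
                                 "zone_name": ZONE_NAMES.get(zone, str(zone))})
    return findings


def zone_summary(zonemap: Dict[str, Dict[str, int]]) -> Dict[int, int]:
    """Count of scheme assignments per zone id; a quick sanity check against
    the thousands-of-entries figure a tool like OTScanit reports."""
    return dict(Counter(z for s in zonemap.values() for z in s.values()))


if __name__ == "__main__":
    zm = parse_zonemap(SAMPLE_REG)          # or parse_zonemap(load_reg_file("zonemap.reg"))
    print("per-zone counts:", zone_summary(zm))
    for f in audit_zonemap(zm):
        print(f"{f['host']:32} {f['scheme'] or '-':6} {f['zone_name']}")
```

On a machine like the one in this thread, expect a large Restricted sites count if Spybot's immunization has been applied and only a handful of Trusted sites entries; anything in zone 2 that the user did not add deliberately, and any large block of unassigned keys, is worth removing with the fix shown above.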



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I fixed it and here is the report:
I tried to access all Microsoft websites and all known antivirus websites such as AVG, Norton, McAfee, Panda, Ad-Aware etc.; I can't access any of them. Other websites like the banking site, no problem.
Yahoo Messenger or Windows Live Messenger OK.
I installed Spybot. Is it some tool in Spybot that makes this thing happen??
Because I can access the Spybot website.......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:26 PM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\lhwai\Desktop\OTScanIt2\OTScanIt2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CF32727-8D67-4E04-98CC-415FF3B8C872}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6578 bytes

Thanks JSntgRvr.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

Sorry, I forgot to paste this result:

Process Explorer.EXE killed successfully!
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Secondary_Page_URL deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Secondary Start Pages deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Secondary_Page_URL deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\SearchDefaultBranded deleted successfully.
Registry key HKEY_USERS\1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PPS Accelerator deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PPS Accelerator not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spankwire.com\www not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ .
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spankwire.com\www not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ not found.
Unable to create registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ .
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^lhwai^Start Menu^Programs^Startup^PPS.lnk\ deleted successfully.
File C:\WINDOWS\pss\PPS.lnk not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PPS Accelerator hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
[Files/Folders - Created Within 30 Days]
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_cc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.8.0 fix logfile created on 02252009_212302
Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_cc.dat not found!
Registry entries deleted on Reboot...


----------



## lhwai70 (Jun 14, 2008)

Hi JsntgRvr,

GMER detected rootkit activity and the scan log:

Thanks for your help.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the *RunMe.bat* file. The MSDOS window will be displayed, and after the process has finished, the computer will restart. That is normal.

A Results.txt file will be created in the VFind folder. Open that folder and post back the contents of this file. In addition, a zipped file will also be created on your desktop. Please upload this file to the *Spykiller* forum as follows:

Please go here:
*The Spy Killer Forum*
Click on "New Topic"
Put your name, e-mail address, and this as the title: "*JSntgRvr*"
Put a link to this thread in the description box.
Then next to the file box, at the bottom, click the *browse* button, then navigate to this file:

*The zipped file on your desktop*

Click *Open*.
Click *Post*.

You won't be able to see the upload, but following the above steps the file will be uploaded.

Please run GMER once again and post also its report.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I did as you told me but the result.txt is blank.
I posted the catchme.zip to The Spy Killer Forum.
And here is the GMER log:

Thanks


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

That was a real nasty.

http://www.virustotal.com/analisis/a8cc165ebbe3e49a510f21f512cff294

Remove the zipped folder from your desktop.

Set Explorer to view Hidden Files and Folders:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Show all Files and Folders
Remove the checkmark from Hide extensions for known file types
Remove the checkmark from Hide protected operating System files
Select *Apply to All Folders *| *Yes* | *Apply* |* OK*.
Please go here:

http://www.virustotal.com/

Scan the following file and post the results

C:\Windows\System32\Drivers\ange5evw.SYS

Set Explorer to Defaults:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Restore Defaults
Select *Apply to All Folders *| *Yes* | *Apply* |* OK*.

Any improvement on your connection?


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

After I was done, I checked my AVG8 problems again. The resident shield was gone; the antivirus and antispam databases were outdated [since 4th Feb] although an update was downloaded every time I turned on my PC. This has happened since I disabled the resident shield according to your order. I tried reinstalling it. After I reinstalled AVG8, I was stuck at the license no.; AVG8 needs me to enter the free license number. I tried my luck logging on to the AVG site and this time I could enter its site. Then I tried Microsoft Update, and I could access it too.

I am working now. After work, I will try to access other Microsoft sites.

And I will also continue the thread.

Just one thing: why does this happen??

Thanks to you JSntgRVr, you are so kind..


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I was too early to be happy.
I followed your instructions but can't access virustotal.com.
Then I tried going to the Microsoft site and the result is "internet explorer cannot display the website".

I tried safe mode with networking but I have local connection only.
I set up a new account but a window popped up saying that it cannot find the remote access assistance.

What should I do??


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

Let's run OTScanIt2 again. This time around set it as follows:

Close any open browsers.
Open the *OTScanit2* folder and double-click on *OTScanit2.exe* to start the program.
Leave all settings as they appear as default, except for the following:
File Age, *60 days*
Under *Drivers*, select *"All"*.
Under *Rootkit Search*, select *Yes*
Under *Registry*, select *"All"*.
Under *Services*, All
Under *additional Scan* select the following:
*Reg - ControlSets*
*Reg - Disabled MS Config Items*
*Reg - File Associations*
*Reg - Security Center Settings*
*Reg - Tcpip Persistent Routes*
*Reg - Winsock2 Catalogs*
*Evnt - EventViewer logs*


Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Since this may produce a huge log, use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

Here is the result of OTScanIt2.

Thanks....


----------



## JSntgRvr (Jul 1, 2003)

Hi, *lhwai70* 

I need your responses in a more timely fashion. We are giving the malware chances to re-spawn.

Start *OTScanit2*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YY -> svhost.exe -> %SystemRoot%\system\svhost.exe
YY -> sysmgr.exe -> %SystemRoot%\system32\sysmgr.exe
[Win32 Services - All]
YY -> (WindowsTelephony) Windows Telephony [Win32_Own | Auto | Running] -> %SystemRoot%\system\svhost.exe
[Driver Services - All]
YY -> (sysdrv32) Play Port I/O Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sysdrv32.sys
[Registry - All]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Microsoft(R) System Manager" -> %SystemRoot%\system32\sysmgr.exe [C:\WINDOWS\system32\sysmgr.exe]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\WINDOWS\system\svhost.exe" -> C:\WINDOWS\system\svhost.exe [C:\WINDOWS\system\svhost.exe:*:WindowsTelephony]
YY -> "C:\WINDOWS\System32\05.scr" -> C:\WINDOWS\System32\05.scr [C:\WINDOWS\System32\05.scr:*:WindowsTelephony]
YY -> "C:\WINDOWS\System32\06.scr" -> C:\WINDOWS\System32\06.scr [C:\WINDOWS\System32\06.scr:*:WindowsTelephony]
YY -> "C:\WINDOWS\System32\07.scr" -> C:\WINDOWS\System32\07.scr [C:\WINDOWS\System32\07.scr:*:WindowsTelephony]
YY -> "C:\WINDOWS\System32\60.scr" -> C:\WINDOWS\System32\60.scr [C:\WINDOWS\System32\60.scr:*:WindowsTelephony]
YY -> "C:\WINDOWS\System32\62.scr" -> C:\WINDOWS\System32\62.scr [C:\WINDOWS\System32\62.scr:*:WindowsTelephony]
[Files/Folders - Created Within 60 Days]
NY -> 07.scr -> %SystemRoot%\System32\07.scr
NY -> 06.scr -> %SystemRoot%\System32\06.scr
NY -> 62.scr -> %SystemRoot%\System32\62.scr
NY -> 05.scr -> %SystemRoot%\System32\05.scr
NY -> msvcrt2.dll -> %SystemRoot%\System32\msvcrt2.dll
NY -> sysmgr.exe -> %SystemRoot%\System32\sysmgr.exe
NY -> 60.scr -> %SystemRoot%\System32\60.scr
NY -> sysdrv32.sys -> %SystemRoot%\System32\drivers\sysdrv32.sys
NY -> svhost.exe -> %SystemRoot%\System\svhost.exe
[Files/Folders - Modified Within 60 Days]
NY -> 48.exe -> %SystemRoot%\Temp\48.exe
NY -> 47.exe -> %SystemRoot%\Temp\47.exe
NY -> 12.exe -> %SystemRoot%\Temp\12.exe
NY -> 68.exe -> %SystemRoot%\Temp\68.exe
NY -> 07.scr -> %SystemRoot%\System32\07.scr
NY -> 53.exe -> %SystemRoot%\Temp\53.exe
NY -> 06.scr -> %SystemRoot%\System32\06.scr
NY -> 66.exe -> %SystemRoot%\Temp\66.exe
NY -> 62.scr -> %SystemRoot%\System32\62.scr
NY -> 04.exe -> %SystemRoot%\Temp\04.exe
NY -> 05.scr -> %SystemRoot%\System32\05.scr
NY -> 60.exe -> %SystemRoot%\Temp\60.exe
NY -> 60.scr -> %SystemRoot%\System32\60.scr
NY -> sysdrv32.sys -> %SystemRoot%\System32\drivers\sysdrv32.sys
NY -> svhost.exe -> %SystemRoot%\System\svhost.exe
NY -> setup.exe -> %UserProfile%\Local Settings\temp\setup.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with new OTScanit and GMER scans*.

I will review the information when it comes back in.
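The fix list above singles out entries by a few recurring signs: a binary whose name is one letter off a core Windows process (svhost.exe vs svchost.exe), executables running from %SystemRoot%\system or \Temp instead of \system32, two-digit generated file names, and .scr files dropped into System32 and then whitelisted in the firewall policy. The following Python script is an added example, not a tool from the thread or from OldTimer's OTScanIt2: it applies those heuristics to constructed sample lines written in the same "XX -> name -> path" shape. The sample lines, the thresholds and all function names are this example's own assumptions.

```python
"""Heuristic triage of process/startup entries from a scanner listing.

Added example: the sample lines below are constructed in the
"XX -> name -> path" shape of the OTScanIt2 fix list quoted in the thread;
the heuristics (lookalike names, odd parent directories, numeric file names,
screensavers in system32) are this example's own, not the tool's.
"""
import re
from typing import List, Optional, Tuple

# Core Windows binaries whose names malware commonly imitates (svhost vs svchost).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}

# Parent directories from which a core-looking binary should not be running.
SUSPICIOUS_PARENT_DIRS = {"system", "temp"}

# Constructed sample input (assumption, not the thread's full log).
SAMPLE_LINES = [
    r"YY -> svhost.exe -> %SystemRoot%\system\svhost.exe",
    r"YY -> sysmgr.exe -> %SystemRoot%\system32\sysmgr.exe",
    r"YY -> svchost.exe -> %SystemRoot%\system32\svchost.exe",
    r"NY -> 05.scr -> %SystemRoot%\System32\05.scr",
    r"NY -> 48.exe -> %SystemRoot%\Temp\48.exe",
    r"YY -> jusched.exe -> C:\Program Files\Java\jre6\bin\jusched.exe",
]

ENTRY_RE = re.compile(r"^[YN][YN] -> (?P<name>\S+) -> (?P<path>.+)$")
NUMERIC_NAME_RE = re.compile(r"^\d{2}\.(exe|scr|dll)$", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one dropped or swapped letter is the usual trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate binary that `name` imitates, or None when the
    name is exactly a known binary or not within one edit of any."""
    low = name.lower()
    if low in KNOWN_SYSTEM_BINARIES:
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        if edit_distance(low, known) <= 1:
            return known
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every entry that trips a heuristic."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not an entry line (section header, blank, etc.)
        name, path = m.group("name"), m.group("path")
        parts = path.lower().split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        reasons = []
        known = lookalike_of(name)
        if known:
            reasons.append(f"name imitates {known}")
        if parent in SUSPICIOUS_PARENT_DIRS:
            reasons.append(f"runs from \\{parent}\\ rather than \\system32\\")
        if NUMERIC_NAME_RE.match(name):
            reasons.append("two-digit generated file name")
        if name.lower().endswith(".scr") and parent == "system32":
            reasons.append("screensaver dropped into system32")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"{name:12} {path}\n    " + "; ".join(reasons))
```

Note that sysmgr.exe passes these heuristics untouched even though the helper removed it: a plausible-looking name in the right directory is exactly why the thread cross-checks the Run key, the firewall exception list and the created-within-60-days file list against each other rather than trusting any one of them.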


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I am sorry about that; I am working 7 days a week and can only do this thread at night after work. I will try my best.

My family members are using this computer; should I ask them to stop using it until this thread is done??

Here is my scan result.

Thanks


----------



## lhwai70 (Jun 14, 2008)

p.s.

When I fixed with OTScanIT2, it popped up this message:

Bad Image
The application or DLL C:\WINDOWS\System32\msvcrt2.dll is not a valid Windows image. Please check this against your installation diskette.


----------



## JSntgRvr (Jul 1, 2003)

lhwai70 said:


> p.s.
> 
> when i fix with OTScanIT2, it popped this message:
> 
> ...


Is that happening after the fix?

Let's try a new version of Combofix: (Remove the old version)

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
Install the *Recovery Console* upon request.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------



## JSntgRvr (Jul 1, 2003)

In addition, I would like to know the location of a file present in GMER.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted click on the RunMe.bat file and post the resulting report.


----------



## lhwai70 (Jun 14, 2008)

lhwai70 said:


> hi JSntgRvr,
> 
> after i done, i check again my AVG8 problems. the resident shield was gone, antivirus and antispam's database were outdated [since 4th Feb] although there always an update downloaded every time i on my pc. this happen since i disable the resident shield according to your order. i try reinstall it. after i reinstalled the AVG8, i was stuck in the license no. AVG8 need me to enter the free license number.....
> thanks to you JSntgRVr, you are so kind..


I cannot disable AVG8. My AVG8 is still stuck at the license unrecognition. I want to uninstall but get errors:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

I don't know how to uninstall AVG8 before performing Combofix?


----------



## JSntgRvr (Jul 1, 2003)

Use the *AVG Removal Tool (32bit)* and let me know the outcome.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I am sorry, I cannot access avg.com.
I will download it at my office and bring it back home.


----------



## JSntgRvr (Jul 1, 2003)

:up:


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

After I ran avgremover.exe it asked me to reboot. After the reboot, I checked all of AVG8; everything was empty and seemed removed. But when I run ComboFix, it still warns me that AVG8 is still present.
I read another AVG8 thread here and downloaded Unlocker 1.8.7 but I don't know how to use it.

What should I do??

Although my thread is still in progress, I have learned many things here.


----------



## lhwai70 (Jun 14, 2008)

JSntgRvr said:


> In addition, I would like to know the location of a file present in GMER.
> 
> Download the enclosed folder. Save and extract its contents to the desktop. Once extracted click on the RunMe.bat file and post the resulting report.


I ran RunME.bat; my computer rebooted while RunMe was running, and the result is blank again.

Attached is avgremover.log


----------



## lhwai70 (Jun 14, 2008)

lhwai70 said:


> p.s.
> 
> when i fix with OTScanIT2, it popped this message:
> 
> ...


It happened in the middle of the fixing process.

Thanks JSntgRvr


----------



## JSntgRvr (Jul 1, 2003)

After running RunME.bat, you should run Combofix as the trojan will be dormant, and post the report.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

Here is the result of the search:

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
----a-w 14,336 2004-08-03 22:56:58 C:\Windows\system32\svchost.exe
-c--a-w 14,336 2004-08-03 22:56:58 C:\Windows\system32\dllcache\svchost.exe
Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 28,672 Blocks: 56
Total Entries: 2 (2)
Total Directories: 0 Files: 2
Total Bytes: 28,672 Blocks: 56

and the HJT.log and ComboFix log.txt

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Go to Start -> Run, copy and paste the following command and click OK.

*CMD /C Del /Q C:\Windows\System32\*.TMP*


*Copy the entire contents of the Quote Box * below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 


```
File::
c:\windows\system32\x
c:\windows\system32\13.scr
c:\windows\system32\msvcrt2.dll
c:\windows\system\msile.exe
c:\windows\system32\01.tmp
c:\windows\system32\wvtovs.dll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system\\msile.exe"=-
"c:\\WINDOWS\\System32\\13.scr"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xgbfvsbva]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xycuaao]

Driver::
sysdrv32
msile
xycuaao
xgbfvsbva

NetSvc::
ivenet
xycuaao

Reboot::
```


Once saved, referring to the picture above, drag *CFScript.txt * into *ComboFix.exe*, and post back the resulting report.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

I feel a better browsing speed, but still cannot access Microsoft and certain sites.

Here is the combofix result:

ComboFix 09-03-04.01 - lhwai 2009-03-05 22:12:31.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.272 [GMT 8:00]
Running from: c:\documents and settings\lhwai\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lhwai\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Outdated)
* Created a new restore point
FILE ::
c:\windows\system\msile.exe
c:\windows\system32\01.tmp
c:\windows\system32\13.scr
c:\windows\system32\msvcrt2.dll
c:\windows\system32\wvtovs.dll
c:\windows\system32\x
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\msile.exe
c:\windows\system32\12362547563208.exe
c:\windows\system32\1236260238184.exe
c:\windows\system32\12362618481688.exe
c:\windows\system32\12362619362672.exe
c:\windows\system32\13.scr
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\msvcrt2.dll
c:\windows\system32\wvtovs.dll
c:\windows\temp\00.exe
c:\windows\temp\13.exe
c:\windows\temp\53.exe
c:\windows\temp\61.exe
c:\windows\temp\74.exe
c:\windows\temp\80.exe
c:\windows\temp\82.exe
c:\windows\temp\83.exe
c:\windows\temp\86.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSILE
-------\Legacy_SYSDRV32
-------\Legacy_XYCUAAO
-------\Service_msile
-------\Service_sysdrv32

((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.
2009-03-05 20:35 . 2009-03-05 20:35 90,112 -rahs---- c:\windows\system32\gjcgj.dll
2009-03-04 23:25 . 2009-03-04 23:26 41,987 --a------ c:\windows\system32\58.scr
2009-03-03 22:18 . 2009-03-04 00:09 d-------- c:\program files\Unlocker
2009-03-03 01:28 . 2009-03-03 01:28 d--h----- c:\windows\PIF
2009-02-25 23:12 . 2009-03-01 23:19 250 --a------ c:\windows\gmer.ini
2009-02-25 21:23 . 2009-02-25 21:23 d-------- C:\_OTScanIt
2009-02-22 17:47 . 2009-02-22 17:47 d-------- c:\documents and settings\my family\Application Data\DivX
2009-02-16 20:06 . 2009-02-16 20:06 d-------- c:\documents and settings\mum\Application Data\Yahoo!
2009-02-16 20:03 . 2009-02-16 20:03 d-------- c:\documents and settings\my sis\Application Data\Netscape
2009-02-16 19:59 . 2009-02-16 19:59 d-------- c:\documents and settings\my sis\Application Data\Yahoo!
2009-02-15 23:12 . 2009-02-15 23:12 d-------- c:\documents and settings\my family\Application Data\Malwarebytes
2009-02-15 22:58 . 2009-02-15 22:58 d-------- c:\documents and settings\my family\Application Data\Yahoo!
2009-02-12 23:56 . 2009-02-12 23:56 d-------- c:\documents and settings\lhwai\Application Data\aAvgApi
2009-02-05 21:47 . 2009-02-05 21:47 d-------- c:\windows\Sun
2009-02-05 21:38 . 2009-02-05 21:38 d-------- c:\program files\Java
2009-02-05 21:38 . 2009-02-05 21:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-05 21:38 . 2009-02-05 21:38 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 14:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-03 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 13:27 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-28 09:19 --------- d-----w c:\program files\Real
2009-01-30 16:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-30 16:40 --------- d-----w c:\documents and settings\lhwai\Application Data\Malwarebytes
2009-01-30 16:40 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 16:33 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-28 16:33 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 16:33 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 16:33 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-28 15:47 --------- d-----w c:\program files\Trend Micro
2009-01-18 01:19 --------- d-----w c:\documents and settings\lhwai\Application Data\Yahoo!
2009-01-18 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-18 01:11 --------- d-----w c:\program files\Yahoo!
2009-01-15 19:04 --------- d-----w c:\documents and settings\lhwai\Application Data\ppstream
2009-01-15 18:59 --------- d-----w c:\program files\MSN Messenger
2009-01-14 15:27 --------- d-----w c:\program files\Virtual Earth 3D
2009-01-14 08:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 08:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-27 14:13 594,466 ----a-w c:\windows\system32\Codec Analyzer.zip
2008-12-05 19:02 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-05 19:02 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-12-05 13:33 81,984 ----a-w c:\windows\system32\bdod.bin
.
((((((((((((((((((((((((((((( [email protected]_23.20.08.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-05 14:15:58 16,384 ----atw c:\windows\temp\Perflib_Perfdata_134.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 148888]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=c:\windows\pss\GetRight.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 20:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 04:32 208952 c:\windows\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2008-12-06 03:02 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:31 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:32 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-12-06 03:02 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 13:37 35328 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\System32\\58.scr"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"45052:TCP"= 45052:TCP:MicrosoftCalendar FilesPrefetch
"17530:UDP"= 17530:UDP:MicrosoftCalendar GoogleSecurity
"17308:TCP"= 17308:TCP:MicrosoftCalendar Reportstracing
"48575:UDP"= 48575:UDP:MicrosoftCalendar ReportsApp
"63911:TCP"= 63911:TCP:MicrosoftCalendar VisualMovie
"22323:UDP"= 22323:UDP:MicrosoftCalendar CommonUS
"45744:TCP"= 45744:TCP:MicrosoftCalendar GlobalizationKernel
"35883:UDP"= 35883:UDP:MicrosoftCalendar PolicyMicrosoft
"41411:TCP"= 41411:TCP:MicrosoftCalendar GooglePhoto
"7479:UDP"= 7479:UDP:MicrosoftCalendar DocumentsIntel
"56029:TCP"= 56029:TCP:MicrosoftCalendar MailDefinitions
"53318:UDP"= 53318:UDP:MicrosoftCalendar NewDefender
"42135:TCP"= 42135:TCP:MicrosoftCalendar InstallerInter
"27708:UDP"= 27708:UDP:MicrosoftCalendar IMESpeech
"19860:TCP"= 19860:TCP:MicrosoftCalendar ModemLive
"45069:UDP"= 45069:UDP:MicrosoftCalendar CalendarPrefetch
R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2008-12-04 48640]
S2 ggvucwug;Power Logon;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GGVUCWUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ggvucwug
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.msn.com.my/
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download with GetRight
IE: E&xport to Microsoft Excel
IE: Open with GetRight Browser
Trusted Zone: avg.com\www
TCP: {5CF32727-8D67-4E04-98CC-415FF3B8C872} = 202.188.0.133 202.188.1.5
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 22:16:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ggvucwug]
"ServiceDll"="c:\windows\system32\gjcgj.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1343024091-1897051121-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-05 22:18:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 14:18:21
ComboFix2.txt 2009-03-04 15:21:21
ComboFix3.txt 2009-02-09 12:31:33
Pre-Run: 29,815,291,904 bytes free
Post-Run: 29,892,980,736 bytes free
230
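The ComboFix dump above carries several defender-relevant indicators in one place: Security Center told to ignore the antivirus state, the firewall switched off, a .scr file whitelisted through the firewall, a block of inbound port exceptions with templated "MicrosoftCalendar ..." descriptions, and a newly created svchost-hosted service whose ServiceDll is an unfamiliar DLL in system32. The following Python script is an added example, not code from this thread or from ComboFix, that parses that part of a log and reports those indicators. The sample log is a constructed excerpt of the report above; the heuristics (a high-port exception without a Windows resource-string description, three or more exceptions sharing a description prefix) are my own assumptions, not rules ComboFix applies.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for signs of weakened defences.
Added example for this thread, not ComboFix code; the heuristics and the
TEMPLATE_MIN threshold are my assumptions, not rules published by the tool."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity key detail")

# Constructed sample: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\System32\\58.scr"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"45052:TCP"= 45052:TCP:MicrosoftCalendar FilesPrefetch
"17530:UDP"= 17530:UDP:MicrosoftCalendar GoogleSecurity
"17308:TCP"= 17308:TCP:MicrosoftCalendar Reportstracing
"48575:UDP"= 48575:UDP:MicrosoftCalendar ReportsApp
S2 ggvucwug;Power Logon;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
*NewlyCreated* - GGVUCWUG
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ggvucwug]
"ServiceDll"="c:\windows\system32\gjcgj.dll"
"""

TEMPLATE_MIN = 3  # assumption: 3+ exceptions sharing a prefix look machine-generated
RESOURCE_STRING = re.compile(r"\.dll,-\d+$")  # Windows' own exceptions end in "x.dll,-id"
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_registry_dump(text):
    """Return (key, name, value) triples from the REGEDIT4-style part of the dump."""
    entries, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if KEY_LINE.match(line):
            current = KEY_LINE.match(line).group(1)
        elif VALUE_LINE.match(line) and current:
            name, value = VALUE_LINE.match(line).groups()
            entries.append((current, name, value.strip('"')))
    return entries


def suspicious_port_exceptions(entries):
    """Inbound exceptions on high ports whose description is not a Windows resource string."""
    out = []
    for key, name, value in entries:
        port, _, proto = name.partition(":")
        if not key.lower().endswith("globallyopenports\\list") or not port.isdigit():
            continue
        # ComboFix prints "port:proto" fused to the description; split it off again.
        desc = value.split(":", 2)[2] if value.count(":") >= 2 else value[len(name):]
        if int(port) >= 1024 and not RESOURCE_STRING.search(desc):
            out.append((int(port), proto, desc.strip()))
    return out


def newly_created_svchost_services(text):
    """{service: ServiceDll} for *NewlyCreated* services that run inside svchost.exe."""
    hosted, newly, dlls, current = {}, set(), {}, None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"^[RS]\d\s", line) and line.count(";") >= 2:
            head, _, path = line.split(";", 2)
            if "svchost.exe" in path.lower():
                hosted[head.split()[1].lower()] = path
        elif line.startswith("*NewlyCreated*"):
            newly.add(line.rsplit("-", 1)[-1].strip().lower())
        elif KEY_LINE.match(line):
            current = KEY_LINE.match(line).group(1)
        elif line.startswith('"ServiceDll"=') and current:
            dlls[current.rsplit("\\", 1)[-1].lower()] = line.split("=", 1)[1].strip('"')
    return {n: dlls.get(n, "(no ServiceDll listed)") for n in hosted if n in newly}


def triage(text):
    """Findings a helper would act on, in the order they appear in the dump."""
    findings, entries = [], parse_registry_dump(text)
    for key, name, value in entries:
        k = key.lower()
        if k.endswith("security center") and name == "AntiVirusOverride" and value.endswith("1"):
            findings.append(Finding("high", name, "Security Center told to ignore the antivirus state"))
        elif "firewallpolicy" in k and name == "EnableFirewall" and value.startswith("0"):
            findings.append(Finding("high", name, "Windows Firewall is disabled for this profile"))
        elif k.endswith("authorizedapplications\\list") and not name.lower().endswith(".exe"):
            findings.append(Finding("high", name.replace("\\\\", "\\"), "non-.exe program allowed through the firewall"))
    ports = suspicious_port_exceptions(entries)
    if ports:
        findings.append(Finding("high", "GloballyOpenPorts", f"{len(ports)} hand-made inbound exceptions on high ports"))
        for prefix, n in Counter(d.split()[0] for _, _, d in ports if d).items():
            if n >= TEMPLATE_MIN:
                findings.append(Finding("high", prefix, f"{n} exceptions share a generated-looking description prefix"))
    for svc, dll in newly_created_svchost_services(text).items():
        findings.append(Finding("high", svc, f"newly created svchost-hosted service, ServiceDll={dll}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}: {f.detail}")
```

The legitimate entries in the same excerpt (the Remote Desktop exception on 3389 with its resource-string description, sessmgr.exe and mbam.exe in the authorized list) pass through without a finding, which is the point of keying on the shape of the entry rather than on a list of known-bad names.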


----------



## JSntgRvr (Jul 1, 2003)

You are being infected as we speak. Your replies are way too far apart. That will give the trojan the opportunity to morph and multiply. If this keeps up, I am afraid I won't be able to help you.

Please run the MGA Diagnostic Tool and post back the report it shall produce:

Download *MGADiag* to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

Go to the *Control Panel*. Click on the *JAVA* icon. Under *Temporary Internet Files*, click on *Settings*. Click on *Delete Files*, then Ok, out of the properties window.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*:

Download the latest version of *Java SE Runtime Environment (JRE) JRE 6 Update 12*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the *jre-6u12-windows-i586-p.exe* and select "Run as an Administrator.")

*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *CFScript.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*


```
File::
c:\windows\system32\gjcgj.dll
c:\windows\system32\58.scr

Driver::
ggvucwug

netsvc::
ggvucwug

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ggvucwug]
```

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report along with a Hijackthis log.

*Before you run the following scan, please backup your personal files.*

Click *here* to download *Dr.Web CureIt* and save it to your desktop.

Doubleclick the *drweb-cureit.exe* file, then on *Start* and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the *yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, choose the *Complete Scan*.
Click the green arrow at the right, and the scan will start.
Click *'Yes to all'* if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
After selecting, in the *Dr.Web CureIt* menu on top, click file and choose save report list
Save the report to your desktop. The report will be called *DrWeb.csv*
*Close Dr.Web Cureit*.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from *Dr.Web* you saved previously in your next reply along with a new *HijackThis log*.


----------



## lhwai70 (Jun 14, 2008)

JSntgRvr said:


> You are being infected as we speak. Your replies are way too far apart. That will give the trojan the opportunity to morph and multiply. If this keeps up, I am afraid I won't be able to help you.


i tried my best but i could not download the MGADiag.exe from my pc this early morning. i need to go to work and download it in my office. this makes the progress slow.
i cannot make it faster unless i have a 2nd pc in my home.
i will try to solve this.

thanks a lot for helping me so far.
i won't give up.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

i have done the MGA Diagnostic Tool and the result is as below:

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-9DPFD-M2PY3-R3F83
Windows Product Key Hash: f55QYGyUpQ6nT1lTgFHgRDGtysg=
Windows Product ID: 55274-640-8935532-23817
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {1C081565-8272-4A05-912D-D827CB69E856}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A
Version: N/A
WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Enterprise 2007 - 103 Blocked VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{1C081565-8272-4A05-912D-D827CB69E856}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-R3F83</PKey><PID>55274-640-8935532-23817</PID><PIDType>1</PIDType><SID>S-1-5-21-1343024091-1897051121-839522115</SID><SYSTEM><Manufacturer>MSI</Manufacturer><Model>MS-7021</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>Version 07.00T</Version><SMBIOSVersion major="2" minor="3"/><Date>20010402000000.000000+000</Date></BIOS><HWID>EF37326F01842E5B</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Malay Peninsula Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65159</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults> 
Licensing Data-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
OEM Activation 2.0 Data-->
N/A

with the combofix result attached:
but i am sorry, i forgot to do an HJT scan after combofix
Sorry...


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,
after i shut down the Drweb_cureit, it popped up a warning saying

drweb-cureit.exe - Corrupt file
the file or directory C:\DOCUME~1\lhwai\LOCALS~1\temp\RerSFX0 is corrupt and unreadable. Please run chkdsk utility.

i rebooted my pc but it hung on "Windows is shutting down".
i reset my pc, and chkdsk ran the check on c:\

here is the HJT.log after i reset my pc and the drweb.csv content

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:53 AM, on 3/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228402723062
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CF32727-8D67-4E04-98CC-415FF3B8C872}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5457 bytes

drweb.csv content:

hhx339a.exe;C:\Documents and Settings\lhwai\Application Data\Thinstall\Trojan Remover 6.6.0-DB20070512\%AppData%\Simply Super Software\Troj;Probably DLOADER.Trojan;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\lhwai\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\lhwai\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\lhwai\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\lhwai\Desktop;Container contains infected objects;Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch;Moved.;
msile.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system;BackDoor.BotSiggen.37;Deleted.;
12362547563208.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.BotSiggen.37;Deleted.;
1236260238184.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.BotSiggen.37;Deleted.;
12362618481688.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.BotSiggen.37;Deleted.;
12362619362672.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.BotSiggen.37;Deleted.;
13.scr.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
58.scr.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
sysmgr.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.BotSiggen.37;Deleted.;
sysdrv32.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Tool.TcpZ;Moved.;
00.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
13.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
16.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.BotSiggen.37;Deleted.;
22.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.BotSiggen.37;Deleted.;
53.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
61.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
74.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
80.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
82.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
83.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
86.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\temp;BackDoor.IRC.Itan;Deleted.;
A0002119.scr;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11;BackDoor.IRC.Itan;Deleted.;
A0002136.bat;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11;Probably BATCH.Virus;Moved.;
A0002152.EXE;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11;Program.PsExec.170;Moved.;
A0002200.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11\A0002200.exe/data002;Probably BATCH.Virus;;
A0002200.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11\A0002200.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11;Archive contains infected objects;;
A0002200.exe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11;Container contains infected objects;Moved.;
A0001853.exe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;BackDoor.BotSiggen.37;Deleted.;
A0001854.scr;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;BackDoor.IRC.Itan;Deleted.;
A0001855.sys;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;Tool.TcpZ;Moved.;
A0001860.exe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;BackDoor.BotSiggen.37;Deleted.;
A0001861.exe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;BackDoor.BotSiggen.37;Deleted.;
A0001862.exe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;BackDoor.BotSiggen.37;Deleted.;
A0001863.exe;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;BackDoor.BotSiggen.37;Deleted.;
A0001877.bat;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;Probably BATCH.Virus;Moved.;
A0001894.EXE;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;Program.PsExec.170;Moved.;
svhost.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system;BackDoor.IRC.Itan;Deleted.;
05.scr;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
06.scr;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
07.scr;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
60.scr;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
62.scr;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
sysmgr.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32;BackDoor.BotSiggen.37;Deleted.;
sysdrv32.sys;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system32\drivers;Tool.TcpZ;Moved.;
04.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
12.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
47.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
48.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
53.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
60.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
66.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
68.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
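The Dr.Web CSV above mixes several kinds of hits: files already sitting in other tools' quarantine folders (Qoobox, _OTScanIt), copies inside System Restore points, the bundled contents of ComboFix.exe itself, roll-up rows for archives, and a couple of objects still in live locations. Sorting the rows by where each object lives shows which entries still call for action on the running system. The script below is an added example, not Dr.Web's code; its location classes and its treatment of "contains infected objects" rows as summaries are my own grouping, and the sample is a constructed excerpt of the report posted above.

```python
"""Sort a Dr.Web CureIt report (DrWeb.csv) by where each detection lives.
Added example for this thread, not Dr.Web code; the location classes and the
treatment of 'contains infected objects' rows as summaries are my assumptions."""
from collections import Counter, defaultdict

# Constructed sample: rows taken from the drweb.csv posted above.
SAMPLE_CSV = r"""hhx339a.exe;C:\Documents and Settings\lhwai\Application Data\Thinstall\Trojan Remover 6.6.0-DB20070512\%AppData%\Simply Super Software\Troj;Probably DLOADER.Trojan;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\lhwai\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\lhwai\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\lhwai\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\lhwai\Desktop;Container contains infected objects;Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch;Moved.;
msile.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system;BackDoor.BotSiggen.37;Deleted.;
58.scr.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.IRC.Itan;Deleted.;
sysdrv32.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Tool.TcpZ;Moved.;
A0002119.scr;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP11;BackDoor.IRC.Itan;Deleted.;
A0001855.sys;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP8;Tool.TcpZ;Moved.;
svhost.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\system;BackDoor.IRC.Itan;Deleted.;
04.exe;C:\_OTScanIt\MovedFiles\03012009_231115\C_WINDOWS\Temp;BackDoor.BotSiggen.37;Deleted.;
"""

QUARANTINE_MARKERS = ("\\qoobox\\quarantine", "\\_otscanit\\movedfiles")  # other tools' vaults
RESTORE_MARKER = "system volume information\\_restore"
SUMMARY_MARKER = "contains infected objects"  # Dr.Web's roll-up row for an archive/container


def parse_report(text):
    """One dict per row: object, dir, threat, action (Dr.Web separates fields with ';')."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj, directory, threat, action = (line.split(";") + [""] * 4)[:4]
        rows.append({"object": obj, "dir": directory, "threat": threat,
                     "action": action or "(none)"})
    return rows


def classify(row):
    """Where a detection sits decides how much it matters on the running system."""
    where = (row["dir"] + "\\" + row["object"]).lower()
    if any(m in where for m in QUARANTINE_MARKERS):
        return "quarantine"     # already neutralised by ComboFix / OTScanIt
    if RESTORE_MARKER in where:
        return "restore-point"  # dormant unless System Restore is used
    if "combofix.exe" in where:
        return "tool-bundle"    # components packed inside the scanner itself
    if SUMMARY_MARKER in row["threat"].lower():
        return "summary"
    return "live"


def summarize(rows):
    """{location class: Counter of threat names}."""
    out = defaultdict(Counter)
    for row in rows:
        out[classify(row)][row["threat"]] += 1
    return dict(out)


def live_detections(rows):
    """Rows found outside any quarantine, restore point or tool package."""
    return [r for r in rows if classify(r) == "live"]


def unhandled(rows):
    """Live detections Dr.Web neither moved nor deleted (empty action column)."""
    return [r for r in live_detections(rows) if r["action"] == "(none)"]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    for cls, threats in summarize(rows).items():
        print(cls, dict(threats))
    for r in live_detections(rows):
        print("LIVE:", r["object"], r["threat"], r["action"])
```

On the excerpt, only two rows are live detections (the Thinstall-packaged downloader and the Real toolbar adware), and both were moved, so the report's long list of backdoor names all refers to material that earlier tools had already quarantined or that sits in restore points.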


----------



## JSntgRvr (Jul 1, 2003)

Go to Start -> All Programs -> Accessories -> System Tools -> Validate Windows.

Let me know the outcome.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

there is no Validate Windows in System Tools


----------



## JSntgRvr (Jul 1, 2003)

Please go to Start -> Run, copy and paste the following command:

*C:\Windows\System32\oobe\msoobe.exe /A*

Let me know the outcome.


Open Hijackthis
Click on Open the Misc Tools Section
Click "*Open Uninstall Manager*"
Click "Save List" (generates *uninstall_list.txt*)
Click Save, and attach the results in your next post.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

good morning [it is 10.46pm here]

i ran *C:\Windows\System32\oobe\msoobe.exe /A*
it said the windows product activation is already activated. click next to exit.

HJT uninstall_list attached.

you are right, this morning i could access the microsoft and AVG web sites.
but now i cannot access them again. i have given the trojan the opportunity to morph and multiply.

sigh...


----------



## JSntgRvr (Jul 1, 2003)

Please remove *K-Lite Codec Pack 4.3.4 (Full)* as it relates to a P2P site, which in turn is a place for infection.

Clear something up for me. *When and how did you get this system?* There are only 2 updates present. The lack of updates suggests an illegal or cracked copy of Windows, and that could be the source of your problems.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

i have removed the K-Lite.

do you mean the windows system in my pc?
it came along with this pc i bought about a year ago. bought 2nd hand from my friend, a computer dealer.
only started going online about 2-3 months ago.

JSntgRvr, teach me how i can confirm the legitimacy of this system??


----------



## JSntgRvr (Jul 1, 2003)

Let's attempt to run the following tools. Once you are able to access Microsoft, go directly to Windows updates and download all available updates.

First, run Dr Web CureIt and save the report. Then download a fresh copy of Combofix and run it. Post the resulting reports.

While doing so, once you have run these tools, attempt to access Microsoft Windows Updates and follow the prompts.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

sorry for the late reply.

i ran drweb 4 days ago; after reboot, i cannot access the internet, cannot set up a new connection account, cannot open internet explorer, firewall or system restore, and even the recovery console disappeared on reboot. no sound, no connectivity.

2 weird things:
i saw remote assistance is checked, and a cdrom drive that does not exist is trying to reinstall but i denied it.

DrWeb scan report:

wvtovs.dll;c:\windows\system32;Win32.HLLW.Shadow.based;Deleted.;
wvfvstu[1].jpg;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WPHCYDPK;Win32.HLLW.Shadow.based;Deleted.;
A0000116.dll;C:\System Volume Information\_restore{D3E21C42-24AD-4819-A606-CE0D6F81242E}\RP1;Win32.HLLW.Shadow.based;Deleted.;


----------



## JSntgRvr (Jul 1, 2003)

The main problem is that the system is not authenticating, thus it is open to infection. Your best option will be to reformat and reinstall. Windows must be validated and all updates applied. Without doing so, the system will crash very soon.

My suggestion is to back up your personal files, reformat and reinstall. It is the only way.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

thanks for helping me all the time.
i will reformat it.
just feel....Grrrrr we cannot kill the naughty virus..!
haha...
by the way, i am very happy being with you.
thanks JSntgRvr.

should i mark solved or close this thread?


----------



## JSntgRvr (Jul 1, 2003)

Keep me posted. I will keep the Topic open for five days.


----------



## lhwai70 (Jun 14, 2008)

hi JSntgRvr,

my dealer has reformatted my C:\ and upgraded to SP3. i asked for the disk but he told me this is an OEM version, no disk. but i really doubt this.


----------



## JSntgRvr (Jul 1, 2003)

lhwai70 said:


> hi JSntgRvr,
> 
> my dealer has reformatted my C:\ and upgraded to SP3. i asked for the disk but he told me this is an OEM version, no disk. but i really doubt this.


I doubt it too. If you buy a computer you must be given a Windows XP CD and the Activation Key as it is your license to use Windows. If he does not provide you with that, he must be in the business of selling cracked software, which is illegal.


----------



## lhwai70 (Jun 14, 2008)

Hi JSntgRvr,

i found this site about OEM and Retail version

http://www.infocellar.com/winxp/oem-recover-retail.htm

i still have doubts about my version and feel it is a pirated version.
i want to buy a new Windows XP to install on my PC.
to feel safe.


----------



## JSntgRvr (Jul 1, 2003)

I am sure you will be able to locate a retail version of Windows XP Pro for $90 to $130 in the internet, new and sealed. It is a must to receive support anywhere.


----------



## lhwai70 (Jun 14, 2008)

yup, it is better if i have a version that i can get support for.
nowadays there are too many viruses.
my computer in the office may have got infected too, it is very slow


----------

