
Hi there, I have a serious problem. I think I have several spyware infections and an especially malicious one that refuses to go away and is activated when I log onto the internet. Please help! I've tried running my 3 anti-spyware programs millions of times, but they keep detecting the same few spyware items (WWWcoolsearch, Homesearch, something of this sort) and the fake antispy program. I scanned my computer using HijackThis, and below is the log. Please HELP!!

Logfile of HijackThis v1.99.1
Scan saved at 12:05:07 PM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\winoc.exe
C:\WINDOWS\system32\ipyq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\diapt.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {6CAFD07F-ACFD-6954-5F24-9032D1744E5E} - C:\WINDOWS\system32\nthr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m
O4 - HKLM\..\Run: [ntkk.exe] C:\WINDOWS\ntkk.exe
O4 - HKLM\..\Run: [javauw.exe] C:\WINDOWS\javauw.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA85A9A6-2350-4DF3-BA37-E15A4F5A0CC6}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you!!!

Cheers,
faery

Last Post by swatkat

Hi,
Download SpSeHjfix save it to the Desktop, and then right-click in a blank area of Desktop, select New > Folder, and name it spfix, unzip the file into that folder.

Download CWShredder.


Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.


Run SpSeHjfix, click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Note: if it doesn't find any of the SE files or any hidden reinstallers, it will say System clean and not go on to next stage.


Run CWShredder and click "Fix ->" and allow it to complete the scan.


Run Ewido, click on the "Scanner" button in the left menu, then click on the "Complete System Scan" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


After these steps, reboot the PC, and post a fresh HijackThis log and also post the SpSeHjFix log that was created earlier.


Hi,

I am so sorry to trouble you, but SpSeHjfix could not be run. There'll be a grey box popping up, saying "SpSeHjfix112.exe has encountered a problem and needs to close. We are sorry for the inconvenience", and asking if I would want to send an error report. Hmm.... What should I do? I have done the updates for Ewido already.


Hi, I tried running SpSeHjfix again; it didn't reboot, nor did it give any 'system clean' notice. I ran it twice and here's what I got:

(9/17/05 6:37:56 PM) SPSeHjFix started v1.1.2
(9/17/05 6:37:56 PM) OS: WinXP Service Pack 2 (5.1.2600)
(9/17/05 6:37:56 PM) Language: english
(9/17/05 6:37:56 PM) Win-Path: C:\WINDOWS
(9/17/05 6:37:56 PM) System-Path: C:\WINDOWS\system32
(9/17/05 6:37:56 PM) Temp-Path: C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\
(9/17/05 6:38:01 PM) Disinfection started
(9/17/05 6:38:01 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:38:01 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:01 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:01 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\diapt.dll/sp.html#17702
(9/17/05 6:38:01 PM) Stealth-String not found
(9/17/05 6:38:01 PM) No locked Files to delete. End without Reboot
(9/17/05 6:38:31 PM) Disinfection started
(9/17/05 6:38:31 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:38:31 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:31 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:31 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\diapt.dll/sp.html#17702
(9/17/05 6:38:31 PM) Stealth-String not found
(9/17/05 6:38:31 PM) No locked Files to delete. End without Reboot
(9/17/05 6:38:48 PM) Disinfection started
(9/17/05 6:38:48 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:38:48


and this is the second:
(9/17/05 6:37:56 PM) SPSeHjFix started v1.1.2
(9/17/05 6:37:56 PM) OS: WinXP Service Pack 2 (5.1.2600)
(9/17/05 6:37:56 PM) Language: english
(9/17/05 6:37:56 PM) Win-Path: C:\WINDOWS
(9/17/05 6:37:56 PM) System-Path: C:\WINDOWS\system32
(9/17/05 6:37:56 PM) Temp-Path: C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\
(9/17/05 6:38:01 PM) Disinfection started
(9/17/05 6:38:01 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:38:01 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:01 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:01 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\diapt.dll/sp.html#17702
(9/17/05 6:38:01 PM) Stealth-String not found
(9/17/05 6:38:01 PM) No locked Files to delete. End without Reboot
(9/17/05 6:38:31 PM) Disinfection started
(9/17/05 6:38:31 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:38:31 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:31 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:31 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\diapt.dll/sp.html#17702
(9/17/05 6:38:31 PM) Stealth-String not found
(9/17/05 6:38:31 PM) No locked Files to delete. End without Reboot
(9/17/05 6:38:48 PM) Disinfection started
(9/17/05 6:38:48 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:38:48 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:48 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:38:48 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\diapt.dll/sp.html#17702
(9/17/05 6:38:48 PM) Stealth-String not found
(9/17/05 6:38:48 PM) No locked Files to delete. End without Reboot
(9/17/05 6:39:20 PM) Disinfection started
(9/17/05 6:39:20 PM) Bad-Dll(IEP): c:\windows\diapt.dll
(9/17/05 6:39:20 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:39:20 PM) UBF: 8 - UBB: 2 - UBR: 21
(9/17/05 6:39:20 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\diapt.dll/sp.html#17702
(9/17/05 6:39:20 PM) Stealth-String not found
(9/17/05 6:39:20 PM) No locked Files to delete. End without Reboot

Please advise!!


Hi,
Please run CWShredder and Ewido, if you have not run it already! After this, post a new HijackThis log.


Hi, this is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:59 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA85A9A6-2350-4DF3-BA37-E15A4F5A0CC6}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

My computer is a little cranky now... the touchpad is not functioning normally... Sigh...
Thanks for replying.. Really appreciate your help =)

Regards,
faery


Hi,

Download CleanUp! and install it. Do not run it now!


Open a new file in NotePad, and copy the contents of the below mentioned "Quote" box to NotePad:-

rem Change into the Windows system folder where the two files live
cd %windir%
cd system32
rem Clear the system/read-only/hidden attributes first, otherwise del refuses to remove the file
attrib -s -r -h apigz32.exe
del apigz32.exe
attrib -s -r -h sysma32.exe
del sysma32.exe

Go to File Menu (in NotePad) > Save As and type the filename as Test.BAT and save the file. Exit from NotePad.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that is displayed, choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the below listed entries:-

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-click on the Test.bat file that was created earlier. A DOS type window should open and close immediately.


Run CleanUp! and click the "Options.." button. Here move the "Quick Setup" slider to the "Thorough Cleanup" position. Uncheck the option "Delete Favorites Places/Bookmarks", if you have any bookmarks. Click "OK" to return to the main window, and click "CleanUp!" to start cleaning. After it completes, click "Close" and click "No" to avoid logging off.


Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log.


Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here.

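The entries swatkat singles out above (an autorun loading a .tmp from the Temp folder, bare executables in the Windows root, the res:// search page pointing at a local DLL, a nameless BHO, the missing URLSearchHook) are the patterns a HijackThis analyst checks by eye. The script below is an added example, not part of this thread and not a HijackThis feature: it parses the R/O2/O4 sections of an HJT log and flags those patterns automatically. The sample log lines are constructed from the logs posted in this thread; the small allowlist of Windows-root executables is an assumption you should extend for your own baseline.

```python
"""Triage helper for HijackThis v1.99 logs (added example, heuristic only)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines constructed from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\diapt.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {6CAFD07F-ACFD-6954-5F24-9032D1744E5E} - C:\WINDOWS\system32\nthr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m
O4 - HKLM\..\Run: [ntkk.exe] C:\WINDOWS\ntkk.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allowlist: executables that legitimately sit directly in the
# Windows folder on XP. Extend it from a known-clean machine of the same build.
WINDIR_KNOWN_GOOD = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First path-like token of the command: a quoted string, or an unquoted run of
# text (spaces allowed, as in the unquoted Sony entry) up to an executable
# style extension.
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|tmp|dll|com|bat|scr|pif))', re.I)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\([^\\]+)$", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def extract_path(cmd: str) -> str:
    """Return the launched file from an O4 command string."""
    m = PATH_RE.search(cmd)
    if not m:
        return cmd.strip()
    return (m.group(1) or m.group(2)).strip()


def check_r(line: str) -> Optional[Finding]:
    """R0/R1/R3: IE start/search page and URLSearchHook entries."""
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return Finding("R3", "default URLSearchHook removed (typical of search hijackers)", line)
    if line[:2] in ("R0", "R1") and "res://" in line.lower():
        return Finding(line[:2], "IE page served from a local DLL resource (res://)", line)
    return None


def check_bho(line: str) -> Optional[Finding]:
    """O2: a BHO with no descriptive name gives no vendor to verify against."""
    m = BHO_RE.match(line)
    if not m:
        return None
    if m.group("name").strip() in ("", "(no name)", "Class"):
        return Finding("O2", "BHO without a descriptive name; verify the DLL by hand", line)
    return None


def check_o4(line: str) -> Optional[Finding]:
    """O4: autoruns launching from Temp or from a bare file in the Windows root."""
    m = O4_RE.match(line)
    if not m:
        return None
    low = extract_path(m.group("cmd")).lower()
    if "\\temp\\" in low or low.endswith(".tmp"):
        return Finding("O4", "autorun launches from a Temp folder", line)
    root = WINROOT_RE.match(low)
    if root and root.group(1) not in WINDIR_KNOWN_GOOD:
        return Finding("O4", "autorun executable sits directly in the Windows root", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every check over each log line; first matching check wins."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_r, check_bho, check_o4):
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Note that system32 entries such as sysma32.exe and apigz32.exe are deliberately not flagged: a random-looking name in system32 can only be judged against a known-good baseline of that Windows build, which is the comparison swatkat did by hand.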

Hi!

This is my newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:45:13 AM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127025692686
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA85A9A6-2350-4DF3-BA37-E15A4F5A0CC6}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And this is the WinPFind log:

»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic             9/19/2005 9:47:10 AM        201557     C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 8/4/2004 8:00:00 PM         41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PTech                8/3/2005 10:33:42 AM        520456     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2           9/9/2005 11:08:28 AM        1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               9/9/2005 11:08:28 AM        1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 8:00:00 PM         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
UPX!                 8/4/2004 8:00:00 PM         16384      C:\WINDOWS\SYSTEM32\oleext.dll
Umonitor             8/4/2004 8:00:00 PM         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/4/2004 8:00:00 PM         1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                8/3/2004 10:41:38 PM        1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/19/2005 9:41:06 AM      S 2048       C:\WINDOWS\bootstat.dat
                     9/1/2005 2:58:56 PM     RH  749        C:\WINDOWS\WindowsShell.Manifest
                     8/17/2005 4:22:14 PM     HS 48680      C:\WINDOWS\winnt256.bmp
                     9/1/2005 4:48:40 PM     RHS 227        C:\WINDOWS\assembly\Desktop.ini
                     9/19/2005 9:41:08 AM      S 64         C:\WINDOWS\CSC\00000001
                     9/1/2005 3:52:50 PM       S 64         C:\WINDOWS\CSC\00000002
                     9/1/2005 2:59:10 PM      H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini
                     9/1/2005 3:00:44 PM      HS 67         C:\WINDOWS\Fonts\desktop.ini
                     8/18/2005 9:57:30 AM     H  0          C:\WINDOWS\inf\oem36.inf
                     8/18/2005 9:59:24 AM     H  0          C:\WINDOWS\inf\oem37.inf
                     9/1/2005 2:59:10 PM      H  65         C:\WINDOWS\Offline Web Pages\desktop.ini
                     8/18/2005 10:07:06 AM   RHS 286777     C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_6.cab
                     9/1/2005 3:00:04 PM     RHS 727        C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_7.cab
                     9/1/2005 3:00:04 PM     RHS 19854      C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_8.cab
                     9/1/2005 3:00:04 PM     RHS 244933     C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_9.cab
                     9/1/2005 3:01:58 PM      H  270336     C:\WINDOWS\repair\ntuser.dat
                     9/1/2005 2:58:56 PM     RH  749        C:\WINDOWS\system32\cdplayer.exe.manifest
                     9/1/2005 2:59:10 PM     RH  488        C:\WINDOWS\system32\logonui.exe.manifest
                     9/1/2005 2:58:56 PM     RH  749        C:\WINDOWS\system32\ncpa.cpl.manifest
                     9/1/2005 2:58:56 PM     RH  749        C:\WINDOWS\system32\nwc.cpl.manifest
                     9/1/2005 2:58:56 PM     RH  749        C:\WINDOWS\system32\sapi.cpl.manifest
                     9/1/2005 2:59:10 PM     RH  488        C:\WINDOWS\system32\WindowsLogon.manifest
                     9/1/2005 2:58:56 PM     RH  749        C:\WINDOWS\system32\wuaucpl.cpl.manifest
                     9/19/2005 9:43:46 AM     H  1024       C:\WINDOWS\system32\config\DEFAULT.LOG
                     9/19/2005 9:41:04 AM     H  8192       C:\WINDOWS\system32\config\SAM.LOG
                     9/19/2005 9:43:46 AM     H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
                     9/19/2005 9:48:36 AM     H  1024       C:\WINDOWS\system32\config\SOFTWARE.LOG
                     9/19/2005 9:45:46 AM     H  1024       C:\WINDOWS\system32\config\SYSTEM.LOG
                     9/1/2005 10:21:48 PM     H  1024       C:\WINDOWS\system32\config\userdiff.LOG
                     9/1/2005 3:02:06 PM      H  1024       C:\WINDOWS\system32\config\userdifr.LOG
                     9/18/2005 3:38:16 PM     H  1024       C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
                     8/18/2005 2:26:26 PM      S 14760      C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\6C68A73125F3238F044A8115D96841B6
                     9/4/2005 8:59:20 PM       S 558        C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
                     8/18/2005 2:26:26 PM      S 132        C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\6C68A73125F3238F044A8115D96841B6
                     9/4/2005 8:59:20 PM       S 144        C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
                     8/18/2005 9:33:38 AM     H  262144     C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
                     8/18/2005 9:33:38 AM     H  1024       C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
                     8/18/2005 9:38:28 AM    RH  0          C:\WINDOWS\system32\drivers\Sony_PCG-TR3(I)_.mrk
                     9/1/2005 3:27:18 PM      H  81         C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini
                     8/18/2005 9:36:12 AM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2569bdc1-2c8a-448b-8ce0-ef0687fc1943
                     8/17/2005 11:28:22 PM    HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2708f29e-6152-4b1e-84e3-3f794c47af8c
                     8/18/2005 9:36:12 AM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\73b08fc1-e052-4150-bb70-e012ba356139
                     8/17/2005 11:28:22 PM    HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     9/19/2005 9:41:08 AM     H  6          C:\WINDOWS\Tasks\SA.DAT
                     8/18/2005 9:37:24 AM     HS 113        C:\WINDOWS\Temp\History\History.IE5\desktop.ini
                     8/18/2005 9:37:24 AM     HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
                     8/18/2005 9:37:24 AM     HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0XMH07AV\desktop.ini
                     8/18/2005 9:37:24 AM     HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MXCXCZ2J\desktop.ini
                     8/18/2005 9:37:24 AM     HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OLMNGP27\desktop.ini
                     8/18/2005 9:37:24 AM     HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Q5C1KLQP\desktop.ini

Checking for CPL files...
Microsoft Corporation          8/4/2004 12:56:58 AM        68608      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              3/11/2003 9:18:48 AM        94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               8/20/2003 9:23:34 AM        61547      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Sony Corporation               8/7/2002 9:00:00 AM         53248      C:\WINDOWS\SYSTEM32\SNSetup.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        68608      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         549888     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         135168     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         80384      C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         155136     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         358400     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         129536     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         68608      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         618496     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         25600      C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         257024     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         32768      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         114688     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        155648     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         298496     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         94208      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation          8/4/2004 8:00:00 PM         148480     C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     9/1/2005 4:59:10 PM         1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     9/1/2005 3:01:42 PM      HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     12/16/2003 10:41:14 AM      629        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
                     9/4/2005 4:06:08 PM         1658       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SMU VPN Client.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     9/1/2005 2:44:16 PM      HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini
                     9/10/2005 10:46:14 AM       1767       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     9/1/2005 3:01:42 PM      HS 84         C:\Documents and Settings\shuhui.lee.2002\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     9/1/2005 2:44:14 PM      HS 62         C:\Documents and Settings\shuhui.lee.2002\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1  = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
     = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText   = Research : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText   = Messenger    : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
     = 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    IgfxTray    C:\WINDOWS\system32\igfxtray.exe
    Mouse Suite 98 Daemon   ICO.EXE
    HKSERV.EXE  C:\Program Files\Sony\HotKey Utility\HKserv.exe
    ezShieldProtector for Px    C:\WINDOWS\System32\ezSP_Px.exe
    SpeedTouch USB Diagnostics  "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    KernelFaultCheck    %systemroot%\system32\dumprep 0 -k
    IMJPMIG8.1  "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    MSPY2002    C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    PHIME2002ASync  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    gcasServ    "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    iTunesHelper    "C:\Program Files\iTunes\iTunesHelper.exe"
    Apoint  C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    areslite    "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
    ctfmon.exe  C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
     = igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»» Scan complete »»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/19/2005 9:55:42 AM

Thank you!
faery :cheesy:

Edited by mike_2000_17: Fixed formatting


Hi,
Right-click on the below provided link and click "Save As" (or "Save Target As") and save the file with default filename.
http://www.spywareinfo.com/downloads/tools/IEFIX.reg
There should be a file called IEFix.reg.


Open a new file in NotePad, and copy the contents of the below mentioned "Quote" box:-

rem Change into the Windows system directory (cd /d also switches drive if needed),
rem strip the system/read-only/hidden attributes that would make del fail,
rem then delete the UPX-packed oleext.dll flagged in the WinPFind log above.
cd /d %windir%\SYSTEM32
attrib -s -r -h oleext.dll
del oleext.dll

Go to File Menu (in NotePad) > Save As and type the filename as Test.BAT and save the file. Exit from NotePad.


Run HijackThis, and select this entry:-
R3 - Default URLSearchHook is missing
Close all other programs and click "Fix Checked".


Double-click on the Test.bat file, a DOS type window should open and close by itself.


Double-click on IEFix.reg and click "Yes" to merge it with Registry.


Restart the PC. Perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan, and please post back the same.


Hi, I didn't get to the screen whereby I can enable the "Disinfection" option. Ran the online scan checking only my Local Disks and not My Computer.

Here is the log:


Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfctg.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netry32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkmt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysyj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winoe.exe

And this is my Hijackthis log: (in case you might need it)

Logfile of HijackThis v1.99.1
Scan saved at 10:30:25 AM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127025692686
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA85A9A6-2350-4DF3-BA37-E15A4F5A0CC6}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Regards,
faery

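Reading a HijackThis log by hand, as the helper does in the replies above, comes down to a few checks: binaries living directly in C:\WINDOWS rather than a subfolder (every SearchAid file Panda found sits there), running processes that have no visible launch point among the O4/O20/O23 entries (the way winoc.exe and ipyq.exe appeared in the first log), O16 ActiveX downloads from hosts you do not recognise, and the O10/O17 entries that deserve a look before anything is removed. The script below automates exactly those checks. It is an added illustration, not part of this thread and not a HijackThis feature; the sample log is constructed from lines posted in the thread plus one made-up O4 entry for winoc.exe, and the allowlists and trusted-domain list are assumptions to adjust for your own machine. A finding is a review item, not a verdict.

```python
"""Triage a HijackThis 1.99-style log: reconcile running processes with
autostart entries and flag the entry classes that matter in a hijack case."""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the logs in this thread plus one
# made-up O4 entry for winoc.exe so the autostart check has something to match.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\igfxtray.exe
C:\\WINDOWS\\winoc.exe
C:\\WINDOWS\\system32\\ipyq.exe
C:\\Program Files\\Bonjour\\mDNSResponder.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = https://www.smuconnect.edu.sg/
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [winoc] C:\\WINDOWS\\winoc.exe
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AA85A9A6-2350-4DF3-BA37-E15A4F5A0CC6}: NameServer = 165.21.83.88 165.21.100.88
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Binaries Windows XP legitimately keeps directly in %WINDIR% (assumption: partial list).
WIN_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe", "taskman.exe"}
# Core processes that need no autostart entry to be running.
CORE = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
        "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Hosts whose ActiveX downloads (O16) are accepted without review (assumption).
TRUSTED_DPF = ("microsoft.com", "msn.com", "windowsupdate.com", "pandasoftware.com")
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# A drive-letter path ending in an executable extension; segments may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\r\n\"]+\\)*[^\\\r\n\"]*?\.(?:exe|dll|sys|cpl)\b", re.I)
# Bare executable names (last path segment or an unqualified name such as ICO.EXE).
EXE_NAME_RE = re.compile(r"[^\s\"\\]+\.exe\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_windows_root(path):
    """True for C:\\WINDOWS\\x.exe, false for anything in a subfolder."""
    return re.fullmatch(r"[a-z]:\\(windows|winnt)\\[^\\]+", path.lower()) is not None

def trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF)

def parse(log_text):
    """Split the log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = re.match(r"([RFO]\d+) - (.*)", line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(log_text):
    """Return (severity, entry code, detail) findings, most severe first."""
    processes, entries = parse(log_text)
    findings, launch_points = [], set()
    for code, body in entries:
        if code in ("O4", "O20", "O23"):          # persistence entries explain running processes
            launch_points.update(n.lower() for n in EXE_NAME_RE.findall(body))
        for p in PATH_RE.findall(body):
            if in_windows_root(p) and basename(p) not in WIN_ROOT_OK:
                findings.append(("HIGH", code, f"binary directly under the Windows directory: {p}"))
        if code == "O16":
            url = re.search(r"https?://\S+", body)
            host = (urlsplit(url.group(0)).hostname or "") if url else ""
            if not trusted_host(host):
                findings.append(("MEDIUM", code, f"ActiveX download from untrusted host {host}: {body}"))
        elif code == "O10":
            findings.append(("LOW", code, f"Winsock LSP present, confirm the vendor before removal: {body}"))
        elif code == "O17":
            findings.append(("INFO", code, f"DNS/domain setting, verify against your ISP or institution: {body}"))
    for p in processes:
        name = basename(p)
        if in_windows_root(p) and name not in WIN_ROOT_OK:
            findings.append(("HIGH", "PROC", f"process running from the Windows directory root: {p}"))
        elif name not in CORE and name not in launch_points:
            findings.append(("MEDIUM", "PROC", f"running process with no autostart entry in this log: {p}"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings

if __name__ == "__main__":
    for sev, code, detail in triage(SAMPLE_LOG):
        print(f"{sev:6} {code:4} {detail}")
```

On the sample this reports winoc.exe twice (as a Windows-root binary and as a process), ipyq.exe and iexplore.exe as processes with no launch point in the log (the former is the dropper the thread later deletes, the latter is simply user-started, which is why these are review items), the can.com.sg ActiveX control, the Bonjour LSP and the NameServer entry. Feed it a real log with `triage(open("hijackthis.log").read())`.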

Hi,
Open a new file in NotePad, and copy the contents of the below mentioned "Quote" box:-

rem Run this from Safe Mode so none of these files is in use. Strip the
rem system/read-only/hidden attributes first, since del refuses read-only files.
cd /d %windir%
attrib -s -r -h mfctg.exe
del mfctg.exe
attrib -s -r -h netry32.exe
del netry32.exe
attrib -s -r -h sdkmt32.exe
del sdkmt32.exe
attrib -s -r -h sysyj32.exe
del sysyj32.exe
attrib -s -r -h winoe.exe
del winoe.exe

Go to File Menu (in NotePad) > Save As and type the filename as Test2.BAT and save the file. Exit from NotePad.


Boot in Safe Mode. Double-click on this file, a DOS type window should open and close by itself. This will delete those "bad" files.


Apart from this, the HijackThis log looks clean :) Do you experience any problems with the PC?

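The batch file in the reply above was written by hand from the five "No disinfected" lines in the Panda report. The script below, added here as an illustration and not part of the thread or of any scanner, does the same translation mechanically and adds the guard a practitioner wants: items the scanner already disinfected are skipped, and a core Windows binary that a scanner has misflagged (explorer.exe, userinit.exe and the like) is reported rather than deleted, because deleting it leaves an unbootable desktop. The sample report is constructed from the lines posted above plus two made-up lines to exercise those two paths; the protected-file list is an assumption.

```python
"""Turn a Panda ActiveScan-style 'Incident Status Location' report into the
attrib/del batch file written by hand above, refusing to touch core Windows binaries."""
import re

# Constructed sample: the five lines from the Panda report in this thread plus
# two made-up lines (an already-disinfected item and a misflagged system file).
SAMPLE_REPORT = """\
Incident Status Location

Adware:Adware/SearchAid No disinfected C:\\WINDOWS\\mfctg.exe
Adware:Adware/SearchAid No disinfected C:\\WINDOWS\\netry32.exe
Adware:Adware/SearchAid No disinfected C:\\WINDOWS\\sdkmt32.exe
Adware:Adware/SearchAid No disinfected C:\\WINDOWS\\sysyj32.exe
Adware:Adware/SearchAid No disinfected C:\\WINDOWS\\winoe.exe
Adware:Adware/SearchAid Disinfected C:\\Documents and Settings\\user\\Local Settings\\Temp\\dropper.exe
Virus:Made-up/Name No disinfected C:\\WINDOWS\\explorer.exe
"""

# incident  status ("Disinfected" or "No disinfected")  drive-letter path (may contain spaces)
LINE_RE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<path>[A-Za-z]:\\.+?)\s*$")

# Core binaries a scanner may misflag; deleting these breaks logon or the shell,
# so they are never emitted, only reported (assumption: partial list).
PROTECTED = {"explorer.exe", "userinit.exe", "winlogon.exe", "services.exe",
             "lsass.exe", "svchost.exe", "ntdll.dll", "kernel32.dll"}

def parse_report(text):
    """Return (incident, status, path) for every report line that parses."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m["incident"], m["status"], m["path"]))
    return items

def plan(items):
    """Split items into paths to delete and (path, reason) pairs that are skipped."""
    delete, skipped, seen = [], [], set()
    for incident, status, path in items:
        if path.lower() in seen:                    # the same file can be listed twice
            continue
        seen.add(path.lower())
        name = path.rsplit("\\", 1)[-1].lower()
        if status == "Disinfected":
            skipped.append((path, "scanner already disinfected it"))
        elif name in PROTECTED:
            skipped.append((path, f"core Windows file flagged as {incident}; verify its hash before acting"))
        else:
            delete.append(path)
    return delete, skipped

def batch_script(paths):
    """cmd.exe batch: clear S/R/H attributes, then delete; quoted so paths with spaces survive."""
    lines = ["@echo off"]
    for p in paths:
        lines.append(f'attrib -s -r -h "{p}"')
        lines.append(f'del /f /q "{p}"')
    lines.append("exit /b 0")
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    to_delete, skipped = plan(parse_report(SAMPLE_REPORT))
    for path, reason in skipped:
        print(f"SKIPPED {path}: {reason}")
    print(batch_script(to_delete))
```

Save the printed text as a .bat file and run it from Safe Mode, as the reply above says, so that none of the files is locked by a running process; `attrib` is still needed because `del` will not remove a read-only file without it, and the hidden/system bits are what kept these files out of view in the first place.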

Hmm, the World Antispy program doesn't pop up when I log on the net now, but it's still under my list of programs under "Add or remove program" in Control Panel. And when I try to uninstall it, it will direct me to a website which will instruct me to click on a hyperlink to uninstall. Didn't click for fear that I might let more spywares in. Sigh... Besides that, when I do my scans, a couple of negligible programs and stuff will be detected. =( I also realise that when I surf the net the connection speed is slower now... Will there be any hidden spywares??

Cheers,
faery

P.S.: Thanks for your help!!! =)


Hi,
The entry in the "Add/Remove Programs" can be removed using RegCleaner. Run it, and click the "Uninstall Menu" tab in the main window. Here select the "World AntiSpy" entry from the list, and click "Remove Selected" button to remove it from the list.


To free up disk space, you can delete the "old" System Restore points except the latest one. This page shows how to do it.


Performance of the system can be increased by performing Disk Defragmenter. This is available in Start > All Programs > Accessories > System Tools > Disk Defragmenter. Defrag all the hard disk partitions.


Try using alternate browsers like Opera or Firefox, which are much safer and more feature-rich than IE.


To make sure that there are no viruses/spyware lurking in the PC, you can perform online virus scan at TrendMicro HouseCall and an online spyware scan at TrendMicro Spyware Scan.

0

Hi,

Really thank you a lot for the help you've provided =) Ran occasional checks using my Spybot Search n Destroy and Lavasoft, and they still find other spyware. How can I ensure max protection when I log onto the net?

Cheers,
faery

0

Hi there,

I ran a HijackThis scan and found that sysma32.exe and apigz32.exe are still present. What should I do?! My Spybot check will detect 'ShopAtHome' and 'CoolSearch', something of this sort.


Logfile of HijackThis v1.99.1
Scan saved at 10:04:41 AM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\userinit.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127025692686
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Regards,
faery

0

Hi,
There may be some hidden files of this malware. Please run an online scan at Ewido Online Scanner. Click on the "Start Scanner" button to start the scan and follow the on-screen instructions.

After this, restart the system and please post a fresh HijackThis log.

0

Hi there again,

The following is my log. As you can see, sysma32 and apigz are found again after I fixed them in the previous scan. Sigh...

Logfile of HijackThis v1.99.1
Scan saved at 12:26:55 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127025692686
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA85A9A6-2350-4DF3-BA37-E15A4F5A0CC6}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And here is the ewido scan report. Thought you might wanna have a look at what's been detected.

__________________________________________________
ewido security suite online scanner
    http://www.ewido.net
__________________________________________________


Name: Spyware.Cookie.Com
Path: C:\Documents and Settings\shuhui.lee.2002\Cookies\shuhui.lee.2002@com[2].txt
Risk: Medium

Name: Spyware.Cookie.Ivwbox
Path: C:\Documents and Settings\shuhui.lee.2002\Cookies\shuhui.lee.2002@ivwbox[1].txt
Risk: Medium

Name: Spyware.Cookie.Adjuggler
Path: C:\Documents and Settings\shuhui.lee.2002\Cookies\shuhui.lee.2002@rotator.adjuggler[2].txt
Risk: Medium

Name: Spyware.Cookie.Liveperson
Path: C:\Documents and Settings\shuhui.lee.2002\Cookies\shuhui.lee.2002@server.iad.liveperson[1].txt
Risk: Medium

Name: Spyware.Cookie.Myaffiliateprogram
Path: C:\Documents and Settings\shuhui.lee.2002\Cookies\shuhui.lee.2002@www.myaffiliateprogram[1].txt
Risk: Medium

Cheers,
faery


0

Hi,
Download CleanUp! and install it. Do not run it now. Download KillBox.Zip and extract it to a folder.


Boot in Safe Mode.


Double-click on KillBox.exe and select the options Standard file kill and End explorer shell while killing file.

Next, copy the below mentioned complete filename and paste it in the "Full path of the file to delete" textbox in KillBox:-

C:\WINDOWS\system32\apigz32.exe

Next, press the button which has a "white cross on a red background" to delete the file.


Once you delete the above file, copy this filename and paste it in KillBox:-

C:\WINDOWS\system32\sysma32.exe

Press the "white cross on red circle" button to delete the file.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the below listed entries:-

O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp\3A.tmp" /m

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.

Go to Start > Run and then copy the below path to Run dialog box:-

C:\DOCUME~1\SHUHUI~1.200\LOCALS~1\Temp

Next, press Enter key. This will open the "Temp" folder inside the user's folder. Here, go to Edit Menu > Select All. Next, after selecting all items, press Delete key.


Run CleanUp! and click "Options" button. Here move the "Quick setup" slider to "Thorough" position. Next, if you have any bookmarks, uncheck the option "Delete the Favorite Places/Bookmarks" and then click "OK" to exit from Options window. Now, click "CleanUp!" to start cleaning. After it completes, click "Close" and choose "No" to avoid logging off.


Reboot the PC, and please post a fresh HijackThis log.

0

Hi,

I was unable to use KillBox to delete the 2 files. It said that the files are not found. So I just moved on to remove them and NAVNet in HijackThis, and then ran CleanUp!. My HijackThis log still shows that the 2 files, sysma32 and apigz32, are still present.

Logfile of HijackThis v1.99.1
Scan saved at 1:07:00 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.smuconnect.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127025692686
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

A window from my Spybot Search & Destroy popped up asking if I would want to allow a change. I think the old data was NAVnet and there wasn't any new data; the action was to delete the value. So I just allowed it. Hmmm, don't know what's going on..... :eek:

0

Hi,
It is possible that Microsoft AntiSpyware and Spybot TeaTimer are blocking the changes made to the Registry by HijackThis. Please disable the background scanners of Spybot S&D and Microsoft AntiSpyware and then remove those two entries in HijackThis.


Also, open a new file in NotePad and copy the contents inside the "Quote" box:-

cd %windir%
cd system32
rem dir /ah lists only files carrying the Hidden attribute; an empty listing means the file is not hidden (or not there)
dir /ah apigz32.exe > test1.txt
dir /ah sysma32.exe > test2.txt
rem join both listings into a single report on the C:\ drive
copy test1.txt + test2.txt c:\info.txt
del test1.txt
del test2.txt

Go to File Menu (NotePad) > Save As and type the filename as Chk.bat and save the file. Exit from NotePad.


Double-click on this file, a DOS type window should open and close by itself. After this there will be a file called Info.txt in C:\ drive. Open this file, and please post its contents.


Also, download MWAV and run it. Select the "Startup folders", "Registry", "Memory", "Drive --> All local drives", "System folders", "Services" options. After this, select "Scan all files" and click "Scan". Please post the MWAV log file after the scan along with the HijackThis log and the contents of the Info.txt file.
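The recurring problem in this thread is that the two O4 Run entries come back after "Fix checked", which means something else is re-creating them. As an added example (not the forum's or HijackThis' own code), this Python script parses the O4 Run entries of a HijackThis 1.99 log taken before the fix and one taken after the reboot, reports the fixed entries that returned, and flags entries whose target sits in a Temp folder, as the NAVNet entry's 3A.tmp does. The sample logs are constructed from the entries in this thread, with the user's profile folder replaced by the placeholder USER~1.

```python
"""Triage helper for the O4 (Run key) entries of a HijackThis v1.99 log.

Added example, not the forum's or HijackThis' own code. Given a log taken
before "Fix checked" and one taken after the reboot, it reports:
  * fixed entries that are back (something else re-creates the Run value), and
  * entries whose target lives in a Temp folder, as NAVNet's 3A.tmp does.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line format in HijackThis 1.99:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# Substrings that place a path in a per-user temporary folder (8.3 or long form).
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\temp\\")


@dataclass(frozen=True)
class RunEntry:
    hive: str      # HKLM or HKCU
    name: str      # value name shown in [brackets]
    command: str   # full command line as logged

    @property
    def target(self) -> str:
        """The executable part of the command line, without arguments."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        return cmd.split(" ", 1)[0]


def parse_o4(log_text: str) -> list[RunEntry]:
    """Extract the O4 Run entries; every other HijackThis section is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def in_temp_folder(entry: RunEntry) -> bool:
    """True when the target path sits in a Temp directory."""
    return any(marker in entry.target.lower() for marker in TEMP_MARKERS)


def reappeared(before: str, after: str, fixed: set[str]) -> list[RunEntry]:
    """Entries ticked in HijackThis that are present again in the later log."""
    wanted = {n.lower() for n in fixed}
    was_there = {(e.hive, e.name.lower()) for e in parse_o4(before)}
    return [e for e in parse_o4(after)
            if e.name.lower() in wanted and (e.hive, e.name.lower()) in was_there]


def triage(before: str, after: str, fixed: set[str]) -> dict[str, list[str]]:
    """Summarise both findings by value name, ready to paste into a reply."""
    return {
        "reappeared": [e.name for e in reappeared(before, after, fixed)],
        "temp_targets": [e.name for e in parse_o4(after) if in_temp_folder(e)],
    }


# Constructed sample logs: the Run entries from the thread, with the user's
# profile folder replaced by the placeholder USER~1.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\USER~1\LOCALS~1\Temp\3A.tmp" /m
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\Run: [sysma32.exe] C:\WINDOWS\system32\sysma32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# The three entries ticked in HijackThis in this thread.
FIXED = {"apigz32.exe", "sysma32.exe", "NAVNet"}

if __name__ == "__main__":
    print(triage(LOG_BEFORE, LOG_AFTER, FIXED))
```

Two entries back after a reboot, with the Temp-folder launcher gone, is the pattern to look for; it points at a second file that still runs at startup and re-creates the Run values.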
