
Hello~

I found this site because I am looking for something to rescue my poor computer. Once I open an IE window, some ad websites keep showing up automatically. I used McAfee to scan my computer. Some infected files have been cleaned, but some couldn't be. It showed that my computer was attacked by a Trojan and adware. Any help would be appreciated! Thank you so much. :cry:


Logfile of HijackThis v1.99.1
Scan saved at 12:32:33 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\DreyeSrv\Service\DrSvPush.exe
C:\Program Files\DreyeSrv\Service\Download.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\fihmspkd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\npba\otcl.exe
C:\Program Files\Common Files\M?crosoft\r?gedit.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - C:\WINDOWS\system32\ezvqjos.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsd316.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - C:\WINDOWS\system32\ezvqjos.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsj5.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [YDTMain.exe] C:\PROGRA~1\YDT\YDTMain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Ttos] "C:\Program Files\npba\otcl.exe" -vt yazb
O4 - HKCU\..\Run: [Lesh] C:\Program Files\Common Files\M?crosoft\r?gedit.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111033647886
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
O23 - Service: Dreye Enterprise Service - Unknown owner - C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

4 contributors, 19 replies, 20 views, discussion span 11 years, last post by DMR

Hi, and welcome. Have HJT fix the following, but please do it in safe mode. Info on how to boot into safe mode here - http://www.pchell.com/support/safemode.shtml

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsd316.dll

O2 - BHO: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - C:\WINDOWS\system32\ezvqjos.dll

O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsj5.dll

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messeng...nger.yahoo.com/ (file missing)

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

Boot back into Normal Mode

Then download ewido - http://www.ewido.net/en/, run it and post the log. Then post a new HJT log.
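The fix list above is the result of reading the HijackThis log by eye. As an added example that is not part of this thread and not HijackThis code, the script below parses lines in the log format shown above and flags the entry classes a helper checks first: R3/O2 browser hooks with no name or loaded from the Windows directory, O4 Run entries whose path contains characters HijackThis could not print (the M?crosoft\r?gedit.exe trick) or that start an unknown program from the Windows directory, any O15 Trusted Zone addition, O16 ActiveX cabs from hosts that are not Microsoft's, and an O18 text/html MIME filter. The sample lines are copied from the log posted above; the allowlists of known-good Run entries and cab hosts are assumptions for the example, not HijackThis data.

```python
"""Triage a HijackThis v1.99-style log the way a forum helper does by hand.

Added example: not HijackThis code and not part of the thread. The allowlists
below are assumptions; a real helper works from much longer lists.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - C:\WINDOWS\system32\ezvqjos.dll
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsd316.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Lesh] C:\Program Files\Common Files\M?crosoft\r?gedit.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111033647886
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
# Assumed allowlists (hypothetical, kept short for the example).
KNOWN_RUN_IN_SYSTEM32 = {"tp4mon.exe", "ctfmon.exe", "nerocheck.exe"}
KNOWN_CAB_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")


@dataclass
class Finding:
    line: str
    severity: str   # "fix": have HJT fix it; "review": look it up first
    reason: str


def _o4_executable(body):
    """Pull the launched executable out of an O4 entry body."""
    if "] " in body:                      # HKLM\..\Run: [name] command args
        cmd = body.split("] ", 1)[1]
    elif " = " in body:                   # Startup: file.lnk = target
        cmd = body.split(" = ", 1)[1]
    else:
        return ""
    cmd = cmd.strip().lstrip('"')
    # Unquoted paths may contain spaces, so cut at the first ".exe" instead of
    # the first space.
    end = cmd.lower().find(".exe")
    return cmd[: end + 4] if end >= 0 else cmd.split(" ", 1)[0]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _trusted_cab_host(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_CAB_HOSTS)


def triage(log_text):
    """Return one Finding per suspicious HijackThis entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        fields = body.split(" - ")          # "Type: name - {CLSID} - path"
        if code in ("R3", "O2") and len(fields) >= 3:
            # Legitimate browser hooks are named and live under Program Files.
            if "(no name)" in fields[0] or WINDOWS_DIR_RE.match(fields[-1]):
                findings.append(Finding(line, "fix", "browser hook with no name or loaded from the Windows directory"))
        elif code == "O4":
            exe = _o4_executable(body)
            if not exe:
                continue
            if "?" in exe:
                findings.append(Finding(line, "fix", "path contains characters HijackThis could not print (look-alike name)"))
            elif ("\\" not in exe or WINDOWS_DIR_RE.match(exe)) and _basename(exe) not in KNOWN_RUN_IN_SYSTEM32:
                findings.append(Finding(line, "fix", "unknown program started from the Windows directory"))
        elif code == "O15":
            findings.append(Finding(line, "fix", "site added to the IE Trusted Zone, which is empty by default"))
        elif code == "O16":
            host = urlparse(fields[-1]).hostname or ""
            if not _trusted_cab_host(host):
                findings.append(Finding(line, "review", f"ActiveX cab downloaded from {host}"))
        elif code == "O18" and body.startswith("Filter:"):
            findings.append(Finding(line, "fix", "MIME filter hooks every page IE renders"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'fix': 8, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

On the sample this reproduces the reply's fix list (ezvqjos.dll, nsd316.dll, the Trusted Zone entry, the mediaview.cab control) and additionally flags the lsoda.dll BHO and filter, the lwinkrag.exe Run entries and the look-alike r?gedit.exe path, while leaving the Adobe BHO, iTunes and the Windows Update control alone. Allowlisting by path is the weak point: anything a helper has not seen before lands in "review" and still needs a manual lookup.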


Hi Tayspen,

Thank you for your reply!
I have followed your instructions. Here are the logs you required.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           4:10:37 PM, 2/26/2006
+ Report-Checksum:      56614E81


+ Scan result:


HKLM\SOFTWARE\ClickSpring -> Adware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Netstat -> Adware.Ezula : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\3721 -> Adware.CnsMin : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\3721\CnsMin -> Adware.CnsMin : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\3721\CnsMin\Variant -> Adware.CnsMin : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04844102-FC0B-4F44-9E93-0C4293BB5E80} -> Hijacker.Generic : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1123561945-764733703-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@buycom.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@centrport[2].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@cnetasiapacific.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@e-2dj6wjk4enazskp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@e-2dj6wjnyejcpogp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@e-2dj6wjnyencpklo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-aha.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-attcorp.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-bestbuy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-cafepress.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-fxcm.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-hollywood.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-intellsync.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-invitrogen.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-jaygroup.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-knightridder.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-kodak.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-lambesisagency.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-lhw.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-lionsgate.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-mastercard.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-mybc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-nestleusainc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-nokiafin.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-pharmacia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-quikbook.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-randomhouse.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-studentuniverse.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@esads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@meijer.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@northwestairlines.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@powellsbooks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@test.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@weborama[2].txt -> TrackingCookie.Weborama : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www3.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www4.click2begin[2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@www6.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Cookies\i-fang ling@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\I-Fang Ling\Local Settings\Temporary Internet Files\Content.IE5\3BDL1HPE\mediaview[1].cab/elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\HijackThis\backups\backup-20060226-143314-472.dll -> Adware.PurityScan : Cleaned with backup
C:\HijackThis\backups\backup-20060226-143314-474.dll -> Adware.HotSearchBar : Cleaned with backup
C:\Program Files\eMule\update\update.exe -> Dropper.Agent.ug : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_453800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\alitb\bar.dll -> Adware.Alibabar : Cleaned with backup
C:\WINDOWS\system32\alitb\update.exe -> Adware.Alibabar : Cleaned with backup
C:\WINDOWS\system32\alitb\__new\bar.cab/bar.dll -> Adware.Alibabar : Cleaned with backup
C:\WINDOWS\system32\alitb\__new\bar.cab/update.exe -> Adware.Alibabar : Cleaned with backup
C:\WINDOWS\system32\alitb\__new\bar.dll -> Adware.Alibabar : Cleaned with backup
C:\WINDOWS\system32\alitb\__new\update.exe -> Adware.Alibabar : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\WinATS.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup



::Report End


Logfile of HijackThis v1.99.1
Scan saved at 4:18:17 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
C:\Program Files\DreyeSrv\Service\DrSvPush.exe
C:\Program Files\DreyeSrv\Service\Download.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\M?crosoft\r?gedit.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\HijackThis\HijackThis.exe


R3 - URLSearchHook: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [YDTMain.exe] C:\PROGRA~1\YDT\YDTMain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Ttos] "C:\Program Files\npba\otcl.exe" -vt yazb
O4 - HKCU\..\Run: [Lesh] C:\Program Files\Common Files\M?crosoft\r?gedit.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111033647886
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140977426744
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
O23 - Service: Dreye Enterprise Service - Unknown owner - C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

What should I do next? Thank you soooooooooooooo much.

Edited by happygeek: fixed formatting


That is correct. Now have HJT remove these; you can have it remove them in normal mode.

R3 - URLSearchHook: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - (no file)

O4 - HKLM\..\Run: [YDTMain.exe] C:\PROGRA~1\YDT\YDTMain.exe

O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"

O4 - HKCU\..\Run: [Ttos] "C:\Program Files\npba\otcl.exe" -vt yazb

O4 - HKCU\..\Run: [Lesh] C:\Program Files\Common Files\M?crosoft\r?gedit.exe

When done, reboot and post a new log, but first check whether your computer is still showing signs of infection.
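
An added triage script for the logs in this thread (my example; it is not code from HijackThis, ewido, or any poster above). It parses the `Rx - ` / `Oxx - ` entries and flags the four patterns a practitioner would look at first in these logs: O15 Trusted Zone entries, O18 `text/html` MIME filters, entries whose target is `(no file)` / `(file missing)`, and paths containing `?` or non-ASCII characters. That last check rests on one fact: Windows does not allow `?` in a file name, so a `?` in a logged path means the real character could not be displayed, which is what a look-alike name such as the `M?crosoft\r?gedit.exe` entry looks like in the log. The sample lines are copied from the second log above and mixed with benign entries; the flag rules and their wording are my own heuristics, not anything HijackThis itself reports.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread; it is not part of HijackThis, ewido or any
post above. It reads the 'Rx - ' / 'Oxx - ' entries and flags four patterns
that appear in the logs posted here:
  * O15 entries: a site placed in IE's Trusted zone runs with relaxed
    security settings, which is how adware keeps reinstalling itself
  * paths containing '?' or non-ASCII characters: Windows forbids '?' in a
    file name, so a logged '?' means the real character could not be
    displayed (the M?crosoft / r?gedit.exe entry)
  * O18 'Filter: text/html' entries: a MIME filter DLL sees every page IE renders
  * entries marked '(no file)' or '(file missing)': orphaned hooks
"""
import re
from dataclasses import dataclass

# Section code, ' - ', then the rest of the entry.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# A Windows path: drive letter, ':\', then everything up to a quote or line end.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*')


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_entry(line):
    """Return (section, body) for an 'Oxx - ...' line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def has_lookalike(path):
    """True if a path contains '?' (illegal in Windows file names) or any
    character outside ASCII; in a system32 / Program Files path that is
    almost always a homoglyph used to pass for a legitimate name."""
    return "?" in path or any(ord(ch) > 127 for ch in path)


def triage(lines):
    """Scan HijackThis entries and return a list of Finding objects.
    Non-entry lines (headers, the 'Running processes' list) are skipped,
    and the look-alike test is applied only to path substrings, so a
    non-English menu label (the FlashGet O8 entries) is not flagged."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        entry = f"{section} - {body}"
        if section == "O15":
            findings.append(Finding(section, "site placed in IE Trusted zone", entry))
        if section == "O18" and body.startswith("Filter: text/html"):
            findings.append(Finding(section, "MIME filter hooks every HTML page", entry))
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "target file missing (orphaned entry)", entry))
        if any(has_lookalike(p) for p in PATH_RE.findall(body)):
            findings.append(Finding(section, "look-alike or illegal character in path", entry))
    return findings


def triage_text(text):
    return triage(text.splitlines())


# Constructed sample: entries copied from the second log in this thread,
# mixed with benign ones so the filters have something to ignore.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4B696C0A-D495-D164-C805-A998CE14F8E8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [H357WLF] "C:\WINDOWS\system32\ehczrw312.exe"
O4 - HKCU\..\Run: [Lesh] C:\Program Files\Common Files\M?crosoft\r?gedit.exe
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.entry}")
```

Run it against a saved log with `triage_text(open("hijackthis.log", encoding="utf-8", errors="replace").read())`. The look-alike rule deliberately ignores the `(no name)` / random-name entries; a name like `ehczrw312.exe` is suspicious to a human, but an automatic "looks random" test produces too many false positives to be worth encoding here.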


I used McAfee and ewido to scan my computer. McAfee found nothing, but ewido found two more infected files.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           7:20:22 PM, 2/26/2006
+ Report-Checksum:      BBA77F58


+ Scan result:


C:\HijackThis\backups\backup-20060226-143314-613.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsg311.dll -> Adware.EZula : Cleaned with backup



::Report End
---------------------------------------------------------------------------


Then I ran HijackThis.


Logfile of HijackThis v1.99.1
Scan saved at 7:24:25 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
C:\Program Files\DreyeSrv\Service\DrSvPush.exe
C:\Program Files\DreyeSrv\Service\Download.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111033647886
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140977426744
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
O23 - Service: Dreye Enterprise Service - Unknown owner - C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Thank you~ ^o^

Edited by happygeek: fixed formatting


Hello, I kept scanning my computer with ewido until there were no more infected files, and then I got the HijackThis logfile. Hope it's clean now. Thank you for your help!

Logfile of HijackThis v1.99.1
Scan saved at 1:27:45 AM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
C:\Program Files\DreyeSrv\Service\DrSvPush.exe
C:\Program Files\DreyeSrv\Service\Download.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dreye\Dreye.exe
C:\Program Files\Dreye\PeaDict\RtDict.exe
C:\Program Files\Dreye\DreyeCl\DrClPush.exe
C:\Program Files\Dreye\Peadict\Dict.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111033647886
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140977426744
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
O23 - Service: Dreye Enterprise Service - Unknown owner - C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

0

Hi, there are still some items I'm not too sure about, but I'm pretty sure they are programs you installed. How is your computer running?

If it's running well, have a look here for a list of programs that can help keep you protected.

http://www.toughadmin.com/forum/viewtopic.php?t=23

If you don't think it's clean, post back and describe the problems.

0

There are no more ad websites showing up when I open IE. If I scan my computer with ewido, it still finds 2 or 4 infected files sometimes. If that is a normal condition, there is no other problem I am aware of. Really appreciate it!!

0

If the files it finds are cookies, then you're fine; they are used to remember different information about websites you visited, and are usually harmless. If they're not cookies, post the name of the virus it finds.

0

Hiya dude, I'm no PC guru by any means, but I will recommend Zone Alarm over McAfee any day of the week. If you read a lot of reviews like I do, there's no better according to the experts. AVG Free Edition, Avast, Ad-Aware SE and Spybot are all good too. Arm yourself with those plus a good router; that should keep the horrible little spywares away from your PC. Hope it helps. Hi to the rest of y'all. Thank the Lord for this site is all I can say. See ya. Oh, by the way, just Google search for any of the products I mentioned, and use the Zone Alarm Pro free trial. Roger and out :cool: Off to my bed where the hackers and spyware can't get me. :cheesy:

0

Yes, just like you say, they are all cookies, so my computer is probably safe right now. This is actually a good experience; I really learned a lot. Previously, I always reformatted my computer when it got attacked. This time I learned to fight first. Thank you for helping me. Really, really appreciate it!!

I will check out the software you suggest. Thank you.

0

quixotic,

Unfortunately, your HJT log still indicates the presence of at least two different infections, and there may be other infections present on your system as well which aren't being reported by HijackThis. Please do the following:

A) Visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner

TrojanScan


B) You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

> Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open McAfee and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


> Run HijackThis, put a check in the boxes to the left of the following entries, and then click the "Fix checked" button:

O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll

> Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

- Open Windows Explorer and, in the Folder Options->View settings under the Tools menu, check "Show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Close Explorer after that.

- Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to each of these folders (click on the bold folder once and hit OK):
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run Cleaner

It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


- Run McAfee, MS Antispyware, and ewido; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

- Run Spy Sweeper.
* Under the Sweep Options tab, select ALL options under 'What to Sweep'.
* Click the "Sweep" icon and then "Start" to begin scanning.
*When the scan completes, click Next to automatically quarantine all detected items.
*Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.

- Open Windows explorer again, search for the following files, and delete them if found:

C:\WINDOWS\system32\lsoda.dll
C:\WINDOWS\system32\lwinkrag.exe


> Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the logs that ewido and Spy Sweeper generated.
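To show why those particular HijackThis lines were singled out for "Fix checked" rather than the rest of the log, here is a small triage script. It is an added example written for this page, not a tool anyone in the thread used. It only assumes the HijackThis line format (`Oxx - Kind: details`); the sample log is constructed here from the entries the post above told the user to fix, plus the Adobe BHO and the msnim protocol entry from the user's later log so that benign lines are present for contrast. The scoring rules are the reasoning a helper applies by hand: an O18 filter on text/html sits in the path of every page IE renders (which is exactly how ads get injected into otherwise normal sites), an O15 Trusted Zone entry relaxes IE's security for that site, and one file registered under several hook points is re-establishing its own foothold.

```python
import re
from collections import defaultdict

# Constructed sample, not a real log file: the lines the helper above told the user
# to fix, copied from that post, plus two benign entries from the user's later log.
SAMPLE_LOG = r"""
O2 - BHO: Yvakt Class - {8EA23D66-E057-4D62-A8C0-86961B453F07} - C:\WINDOWS\system32\lsoda.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinkrag.exe FI002
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinkrag.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O18 - Filter: text/html - {E56528EF-9651-4D4E-B72D-FA04867AD3CF} - C:\WINDOWS\system32\lsoda.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in a loadable module extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|ocx|sys))", re.IGNORECASE)


def parse(log_text):
    """Return (section, body, normalized_path_or_None) for every O-line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1).lower() if pm else None
        entries.append((section, body, path))
    return entries


def triage(log_text):
    """Score each entry; returns a list of (severity, section, reason, body)."""
    entries = parse(log_text)

    # Count the distinct hook points (BHO, Run key, Startup folder, MIME filter...)
    # that reference each file. Legitimate software rarely registers the same
    # module in more than one of them.
    hooks = defaultdict(set)
    for section, body, path in entries:
        if path:
            hooks[path].add((section, body.split(":", 1)[0]))

    findings = []
    for section, body, path in entries:
        kind, _, rest = body.partition(":")
        if section == "O18" and kind == "Filter" and rest.strip().startswith("text/html"):
            findings.append(("HIGH", section,
                             "MIME filter on text/html: every page IE renders passes through "
                             "this DLL, so it can rewrite content or inject ads", body))
        elif section == "O15":
            findings.append(("HIGH", section,
                             "site added to the Trusted Zone: IE applies relaxed security "
                             "(ActiveX installs, scripting) to anything it serves", body))
        elif path and len(hooks[path]) > 1:
            findings.append(("MEDIUM", section,
                             f"{path} is registered at {len(hooks[path])} different hook points", body))
        elif "(file missing)" in body:
            findings.append(("LOW", section,
                             "registered component whose file is gone; dead entry, safe to clean", body))
    return findings


if __name__ == "__main__":
    for severity, section, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {body}")
```

Run against the sample, the two O15 lines and the O18 text/html filter come out HIGH, the Yvakt BHO and both lwinkrag.exe entries come out MEDIUM because lsoda.dll and lwinkrag.exe each appear under two hook points, the dead msnim protocol entry is LOW, and the Adobe BHO produces no finding. This is heuristic triage for reading a log, not a replacement for a scanner; it cannot see what a DLL does, only where it is hooked.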

0

lol. I just want to make sure they walk away squeaky clean, T :mgreen:

BTW- thanks for picking up some of the slack around here lately; we definitely appreciate the help! :)

0

Hello~

I raised the victory flag too soon. This battle is not finished yet. I have followed all the instructions step by step. Here are the reports. Are you ready? ;)

ewido

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          10:10:33 PM, 3/1/2006
 + Report-Checksum:     22FA0543

 + Scan result:

    C:\HijackThis\backups\backup-20060301-054750-848.dll -> Adware.Suggestor : Cleaned with backup
    C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_0_0_445800.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_448500.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_448600.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_453800.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm -> Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm -> Adware.Cydoor : Cleaned with backup


::Report End

Spy Sweeper

********
10:13 PM: |       Start of Session, Wednesday, March 01, 2006       |
10:13 PM: Spy Sweeper started
10:13 PM: Sweep initiated using definitions version 623
10:13 PM: Starting Memory Sweep
10:15 PM: Memory Sweep Complete, Elapsed Time: 00:02:31
10:15 PM: Starting Registry Sweep
10:15 PM:   Found Adware: cnsmin
10:15 PM:   HKLM\software\classes\typelib\{f97e75a4-0103-4f27-a752-327b600b1130}\  (9 subtraces) (ID = 106209)
10:15 PM:   HKCR\typelib\{f97e75a4-0103-4f27-a752-327b600b1130}\  (9 subtraces) (ID = 106266)
10:15 PM:   Found Adware: mirar webband
10:15 PM:   HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135063)
10:15 PM:   Found Adware: clkoptimizer
10:15 PM:   HKLM\software\qstat\  (5 subtraces) (ID = 769771)
10:15 PM:   HKLM\software\qstat\ || brr (ID = 877670)
10:15 PM:   Found Adware: elitemediagroup-pop64
10:15 PM:   HKCR\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\  (8 subtraces) (ID = 967532)
10:15 PM:   HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\  (8 subtraces) (ID = 967541)
10:15 PM:   HKCR\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\  (9 subtraces) (ID = 967550)
10:15 PM:   HKLM\software\classes\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\  (8 subtraces) (ID = 967592)
10:15 PM:   HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\  (8 subtraces) (ID = 967601)
10:15 PM:   HKLM\software\classes\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\  (9 subtraces) (ID = 967610)
10:15 PM:   HKCR\mirar_dummy_ats.mirar_dummy_ats1\  (5 subtraces) (ID = 1055242)
10:15 PM:   HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\  (3 subtraces) (ID = 1055248)
10:15 PM:   HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\  (1 subtraces) (ID = 1055250)
10:15 PM:   HKCR\clsid\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75}\  (11 subtraces) (ID = 1055256)
10:15 PM:   HKCR\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\  (9 subtraces) (ID = 1055268)
10:15 PM:   HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1\  (5 subtraces) (ID = 1055285)
10:15 PM:   HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\  (3 subtraces) (ID = 1055291)
10:15 PM:   HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\  (1 subtraces) (ID = 1055293)
10:15 PM:   HKLM\software\classes\clsid\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75}\  (11 subtraces) (ID = 1055311)
10:15 PM:   HKLM\software\classes\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\  (9 subtraces) (ID = 1055323)
10:15 PM:   Found Adware: purityscan
10:15 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroupoin\  (2 subtraces) (ID = 1070163)
10:15 PM:   HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/elite.ocx\  (2 subtraces) (ID = 1137453)
10:15 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cnsminkp\  (8 subtraces) (ID = 1147491)
10:15 PM:   Found Adware: ezula ilookup
10:15 PM:   HKCR\typelib\{82910ce3-d86a-435a-a519-6a8c369855d3}\  (9 subtraces) (ID = 1157638)
10:15 PM:   HKLM\software\classes\typelib\{82910ce3-d86a-435a-a519-6a8c369855d3}\  (9 subtraces) (ID = 1157695)
10:15 PM:   Found Adware: safesearch
10:15 PM:   HKLM\software\microsoft\windows\currentversion\app paths\irism\  (2 subtraces) (ID = 1160093)
10:15 PM:   HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\  (2 subtraces) (ID = 1160096)
10:15 PM:   HKLM\software\irismon\  (20 subtraces) (ID = 1165615)
10:16 PM:   HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
10:16 PM:   HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {5d73ee86-05f1-49ed-b850-e423120ec338} (ID = 1032318)
10:16 PM: Registry Sweep Complete, Elapsed Time:00:00:28
10:16 PM: Starting Cookie Sweep
10:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:16 PM: Starting File Sweep
10:18 PM:   cns.exe (ID = 236371)
10:18 PM:   Found Adware: zenosearchassistant
10:18 PM:   nt68rrtc12.sys (ID = 220230)
10:23 PM:   cns.dll (ID = 53245)
10:29 PM:   yoinsi.exe (ID = 213483)
10:34 PM:   Found Adware: quicklink search toolbar
10:34 PM:   ag3uuw7.mbc (ID = 208796)
10:35 PM:   elitemediagroupoinuninstaller.exe (ID = 213484)
10:36 PM: File Sweep Complete, Elapsed Time: 00:20:24
10:36 PM: Full Sweep has completed.  Elapsed time 00:23:31
10:36 PM: Traces Found: 222
10:53 PM: Removal process initiated
10:53 PM:   Quarantining All Traces: cnsmin
10:53 PM:   Quarantining All Traces: mirar webband
10:54 PM:   Quarantining All Traces: clkoptimizer
10:54 PM:   Quarantining All Traces: elitemediagroup-pop64
10:54 PM:   Quarantining All Traces: purityscan
10:54 PM:   Quarantining All Traces: ezula ilookup
10:54 PM:   Quarantining All Traces: safesearch
10:54 PM:   Quarantining All Traces: zenosearchassistant
10:54 PM:   Quarantining All Traces: quicklink search toolbar
10:54 PM: Removal process completed.  Elapsed time 00:00:28
10:55 PM: Deletion from quarantine initiated
10:55 PM: Processing: safesearch
10:55 PM: Processing: cnsmin
10:55 PM: Processing: clkoptimizer
10:55 PM: Processing: elitemediagroup-pop64
10:55 PM: Processing: mirar webband
10:55 PM: Processing: quicklink search toolbar
10:55 PM: Processing: ezula ilookup
10:55 PM: Processing: purityscan
10:55 PM: Processing: zenosearchassistant
10:55 PM: Deletion from quarantine completed.  Elapsed time 00:00:00
********
5:08 AM: |       Start of Session, Wednesday, March 01, 2006       |
5:08 AM: Spy Sweeper started
5:10 AM: Your spyware definitions have been updated.
5:11 AM: Updating spyware definitions
5:11 AM: Your definitions are up to date.
5:11 AM: Updating spyware definitions
5:11 AM: Your definitions are up to date.
5:35 AM: Processing Startup Alerts
5:35 AM:   Allowed Startup entry: Windows Defender
5:38 AM: Processing Startup Alerts
5:38 AM:   Allowed Startup entry: wextract_cleanup0
5:49 AM: IE Security Shield:  found: C:\HIJACKTHIS\HIJACKTHIS.EXE -- IE Security modification allowed at user request
10:12 PM: Program Version 4.5.9  (Build 709)  Using Spyware Definitions 623
10:13 PM: |       End of Session, Wednesday, March 01, 2006       |

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:13:11 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
C:\Program Files\DreyeSrv\Service\DrSvPush.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\DreyeSrv\Service\Download.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Network Associates\VirusScan\MCUPDATE.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert for CLI - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111033647886
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140977426744
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Dreye Enterprise Service - Unknown owner - C:\Program Files\DreyeSrv\Service\DrEntSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

THANK YOU ALL

Edited by mike_2000_17: Fixed formatting

0

It looks like the detection and removal utilities did their jobs; your log is clean now :)
Does the system appear to you to be infection-free now, or are you still experiencing odd/suspicious behaviour?

0

I am so glad to hear that~ :D
My computer is running well now, and there is no problem I am aware of. Thank you sooooooo much! I really learned a lot. You guys are so cool. Good luck!!

0

Glad we could help :)

Now that we've finished disinfecting the system, you should uninstall Webroot Spysweeper (unless you want to purchase the product, that is); the program will stop working entirely when the trial period expires.
I'd keep ewido installed though. When the trial period for ewido expires, the automatic update and real-time protection features will become disabled, but the main portions of the program will continue to be fully functional. In other words, ewido can still be used to scan and clean your system; you'll just have to remember to update it manually before running scans.
