Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: TFL on January 29, 2008, 02:05:42 PM
-
Hello all. I am a user of avast! 4.7 Pro. I am using Window XP SP2 and the browser I am using is IE5. There are something strange in my compuer. When I am not connected to the Internet, there is nothing happen. However when I connected to the Internet, my computer starts to recieve and transfer a large amount of data automatically without my order. And then the whole system lag down, the utility rate of CPU increase to a high rate of 60%-80%, and I even can't open my IE. But when the connection is switch off, the computer run as fast as usual, seems that there is nothing happen, just as fast as before. When I use avast! to scan the hard discs, nothing is found. (But there was a lot file being infected before and I sent all of them to the chest.)
What can I do with this? Can anyone help?
-
you could be infected with a bot, which uses ur computer to infect other computers as well. Not sure if this will help, but you might want to try a-square's antidialer program (its free). I'd still wait to hear from an avast person who might know better than me. Also, you should scan your computer with a good antispyware program in addition to avast such as a-squared, Superantispyware, or Spywareterminator (ad-aware and spybot do not detect enough in my opinion).
You might also want to update IE5 to IE7.
To see what infections u might have, you should download a program called Hijackthis (abbreviated HJT) from trend micro. Once u download it, run it and save a log file. Then upload the file onto this forum topic in a followup post. This will help the avast team to help you, but i'll also take a look by uploading your log to http:// www.hijackthis.de/ . They can help you more than i can from there.
Please only quarantine any infections found from a-squared or Superantispyware free version. Please do not fix any programs using HJT, just post the log :D
-
Thanks for your help.
Sorry that I made a mistake, the IE I use should be IE6, but I think it makes no different, doesn't it?
The a-squared find nothing, but the situation doesn't change, but even worse, the utility rate CPU increase to a crazy rate of 100% today.....
Here is the HJT log :
Logfile of HijackThis v1.99.1
Scan saved at 16:05:16, on 30/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\Boy\My Documents\HDDLife 2.8.98\HDDLife 2.8.98\HDDlifePro-v2.8.98\HDDlifePro-v2.8.98\HDDlifePro.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Boy\桌面\hijackthis_199\HijackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
-
Log continue :
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O8 - Extra context menu item: &使用BitComet下載本頁視訊 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 使用BitComet下載全部連結 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載連結(&B) - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http://cop.dusee.cn/p2ptest/clientx12500.cab
O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http://secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager諷秶啋璃) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A090583-2E4C-462E-9339-26147CD6536D}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for your help...
-
As philly12 has suggested, the high internet activity while connected suggests your computer may be a zombie- part of a larger botnet and being used for illegal activity.
All I can see in the HijackThis! log is some adware, which suggests that you may have some hidden malware- a rootkit in other words.
Try some rootkit scanners. If they start telling you there is a rootkit present, the best advice is always to reinstall the operating system to ensure that the computer is returned to your control. The tools below may remove a rootkit found, but not with a 100% guarantee.
Panda Antirootkit (http://www.softpedia.com/get/Antivirus/Panda-Anti-Rootkit.shtml)
Blacklight (http://www.f-secure.com/blacklight/)
AVG Anti-Rootkit (http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5)
Trend Micro Rootkit Buster (http://www.trendmicro.com/download/rbuster.asp)
McAfee Rootkit Detective (http://www.antirootkit.com/software/McAfee-Rootkit-Detective.htm)
Sophos AntiRootki (http://www.antirootkit.com/software/Sophos-Antirootkit.htm)
-
I have tried the Panda and the AVG Antirootkit*, but still nothing is found........
What can that be? Or is that really cause by virus/worm? Is there any other possibility, may be there are some mistake in setting? Well I am just guessing blindly...... ::)
If I can't find out what it is, can I trace where it is connected to? May be this can help if I can....
*All scanning I have before is in-depth.
-
A good third-party firewall would help you trace the connection.
However, one anti-rootkit can find something another misses, so I'd run all the scanners first.
-
If you are running Windows XP SP2 it may be trying to download that IE7 update for you. Especially if you have "Automatically check for updates to Internet Explorer" checked in TOOLS - INTERNET OPTIONS - ADVANCED scroll down a bit in advanced and you might see what I'm talking about. It may also be looking for a lot of other updates as well.
Just a thought....
UPDATED: I just was reading through your log. You have Symantec running. Do you have 2 antivirus software packages running at the same time? If so this is not good.
Also you have Google update service running as well as Real Audio updater.
-
:) Hi :
As "Darth" pointed out, the "Log" of the outdated Version of HijackThis
you are using ( should uninstall the 1.99.1 version, then get the latest
2.0.2 ver at www.filehippo.com/download_hijackthis ) shows at least 2
References to Symantec/Norton, including something called "BootWarn",
that should be removed by you using the Norton Removal Tool, available
at www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html .
Unless you have an "Older" Operating System, I would NEVER recommend
using a-squared; much more reliable is "SUPERAntiSpyware" .
And as to your 100% CPU Usage, have you checked the "Process" tab
of your "Task Manager" to see which "One" is running "High" !?
-
sigh...yes u are infected. I will post below which ones are bad, possibly bad, and unknown if bad. Please do not fix ANYTHING until an avast admin gives the go ahead for the files i'm about to mention. You should also download the LATEST version of hjt and post another log (but make it an attachment to the post this time). You may want to consider updating to IE7 for added security and updates.
Now the following are bad, however wait for conformation from avast before fixing:
TO EVERYONE: PLEASE DO NOT CLICK ON THE FOLLOWING LINKS in the report.
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager諷秶啋璃) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
The following are possible nasties, but not for sure. DEFINETLY wait for avast conformation before fixing these, they may be perfectly safe but i'm not sure:
C:\Documents and Settings\Boy\My Documents\HDDLife 2.8.98\HDDLife 2.8.98\HDDlifePro-v2.8.98\HDDlifePro-v2.8.98\HDDlifePro.exe
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http://cop.dusee.cn/p2ptest/clientx12500.cab
O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http://secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
The following is unknown. Wait till avast confirms if this is safe or not...don't fix it till then:
O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\system32\jkhfg.dll (file missing)
Also, please download SUPERantispyware, update it, and run a full scan. Let us know the results. I don't know why spiritsongs has a problem with a-squared. It has saved me in the past by finding two instances of adware that SUPERantispyware had missed. I would still recommend scanning your comp with a-squared and especially a-squared antidialer, but if you prefer to trust spiritsongs i wont blame you. At least do a scan with SUPERantispyware. You should prolly do a scan before fixing anything in your HJT, quarantine any infections found, and do another scan with HJT and see what is fixed or not. But still wait till avast looks over my recommendations before fixing anything.
-
Thanks a lot. I am trying these method.
However, I should have removed my Norton long time ago. I have installed Google Toolbar, but I don't know there are updates for it, also the Real Player. And I don't know there is Symantec in my computer.....
For the process one
http://ma.6600.org/TFL_Temp_Storage/process.jpg (http://ma.6600.org/TFL_Temp_Storage/process.jpg)
The following is the log of HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48:48, on 31/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Boy\My Documents\CuteFTP_Pro_V8_0_7_FTP_____\CuteFTP_Pro_V8_1_.0.7\cuteftppro.exe
C:\Documents and Settings\Boy\My Documents\CuteFTP_Pro_V8_0_7_FTP_____\CuteFTP_Pro_V8_1_.0.7\ftpte.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\SYSTEM32\JKHFG.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O8 - Extra context menu item: &使用BitComet下載本頁視訊 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 使用BitComet下載全部連結 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載連結(&B) - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http://cop.dusee.cn/p2ptest/clientx12500.cab
O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http://secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager諷秶啋璃) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A090583-2E4C-462E-9339-26147CD6536D}: NameServer = 218.102.32.208 205.252.144.126
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
-
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 10056 bytes
The SuperAntiSpyware log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/31/2008 at 10:24 PM
Application Version : 3.9.1008
Core Rules Database Version : 3392
Trace Rules Database Version: 1384
Scan type : Complete Scan
Total Scan Time : 00:59:33
Memory items scanned : 448
Memory threats detected : 0
Registry items scanned : 5248
Registry threats detected : 13
File items scanned : 52765
File threats detected : 206
Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
HKU\S-1-5-21-1757981266-823518204-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA}
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}
HKCR\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}
HKCR\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}\InprocServer32
HKCR\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKHFG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}
Adware.Tracking Cookie
C:\Documents and Settings\Boy\Cookies\boy@2o7[1].txt
C:\Documents and Settings\Boy\Cookies\boy@counter1.sextracker[1].txt
C:\Documents and Settings\Boy\Cookies\boy@sextracker[2].txt
C:\Documents and Settings\Boy\Cookies\boy@tribalfusion[2].txt
C:\Documents and Settings\Boy\Cookies\boy@adult.wefong[1].txt
C:\Documents and Settings\Boy\Cookies\boy@tracker.icerocket[1].txt
C:\Documents and Settings\Boy\Cookies\boy@adopt.specificclick[1].txt
C:\Documents and Settings\Boy\Cookies\boy@h.starware[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.hinet[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ads.manyway[1].txt
C:\Documents and Settings\Boy\Cookies\boy@adbrite[2].txt
C:\Documents and Settings\Boy\Cookies\boy@m1.webstats.motigo[1].txt
C:\Documents and Settings\Boy\Cookies\boy@3.adbrite[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ads.adserver-centrelinks-hk[2].txt
C:\Documents and Settings\Boy\Cookies\boy@serving-sys[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.zanox[1].txt
C:\Documents and Settings\Boy\Cookies\boy@advertising[1].txt
C:\Documents and Settings\Boy\Cookies\boy@fastclick[1].txt
C:\Documents and Settings\Boy\Cookies\boy@justsexyvideos[2].txt
C:\Documents and Settings\Boy\Cookies\boy@textlink[1].txt
C:\Documents and Settings\Boy\Cookies\boy@zedo[1].txt
C:\Documents and Settings\Boy\Cookies\boy@adultfriendfinder[3].txt
C:\Documents and Settings\Boy\Cookies\boy@adimages.sina.com[1].txt
C:\Documents and Settings\Boy\Cookies\boy@media.funpic[1].txt
C:\Documents and Settings\Boy\Cookies\boy@media.adrevolver[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.addeliver[2].txt
C:\Documents and Settings\Boy\Cookies\boy@atdmt[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ads.adbrite[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.guruonline.com[2].txt
C:\Documents and Settings\Boy\Cookies\boy@metacafe.122.2o7[2].txt
C:\Documents and Settings\Boy\Cookies\boy@tripod[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.yieldmanager[3].txt
C:\Documents and Settings\Boy\Cookies\boy@stats.adbrite[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ads1.adserver-centrelinks-hk[1].txt
C:\Documents and Settings\Boy\Cookies\boy@atwola[1].txt
C:\Documents and Settings\Boy\Cookies\boy@xbeauty.liveadulthost[1].txt
C:\Documents and Settings\Boy\Cookies\boy@casalemedia[1].txt
C:\Documents and Settings\Boy\Cookies\boy@eas.apm.emediate[2].txt
C:\Documents and Settings\Boy\Cookies\boy@spylog[1].txt
C:\Documents and Settings\Boy\Cookies\boy@sexlist[2].txt
C:\Documents and Settings\Boy\Cookies\boy@yadro[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ads.addynamix[1].txt
C:\Documents and Settings\Boy\Cookies\boy@specificclick[2].txt
C:\Documents and Settings\Boy\Cookies\boy@idea.t2click[2].txt
C:\Documents and Settings\Boy\Cookies\boy@try.starware[2].txt
C:\Documents and Settings\Boy\Cookies\boy@sonyscehk.112.2o7[1].txt
C:\Documents and Settings\Boy\Cookies\boy@tripod.lycos[1].txt
C:\Documents and Settings\Boy\Cookies\boy@bs.serving-sys[1].txt
C:\Documents and Settings\Boy\Cookies\boy@sexdvd2000[2].txt
C:\Documents and Settings\Boy\Cookies\boy@tacoda[1].txt
C:\Documents and Settings\Boy\Cookies\boy@hentaicounter[2].txt
C:\Documents and Settings\Boy\Cookies\boy@toplist[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ad[1].txt
C:\Documents and Settings\Boy\Cookies\boy@stat[2].txt
C:\Documents and Settings\Boy\Cookies\boy@movie.jp-sex[2].txt
C:\Documents and Settings\Boy\Cookies\boy@sexinhongkong[1].txt
C:\Documents and Settings\Boy\Cookies\boy@clicksor[2].txt
C:\Documents and Settings\Boy\Cookies\boy@server.cpmstar[1].txt
C:\Documents and Settings\Boy\Cookies\boy@mywebsearch[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ehg-veohnetworksinc.hitbox[1].txt
C:\Documents and Settings\Boy\Cookies\boy@cgi-bin[6].txt
C:\Documents and Settings\Boy\Cookies\boy@adrevolver[1].txt
C:\Documents and Settings\Boy\Cookies\boy@doubleclick[1].txt
C:\Documents and Settings\Boy\Cookies\boy@richmedia.yahoo[2].txt
C:\Documents and Settings\Boy\Cookies\boy@apmebf[2].txt
C:\Documents and Settings\Boy\Cookies\boy@adultadworld[1].txt
C:\Documents and Settings\Boy\Cookies\boy@counter10.sextracker[1].txt
C:\Documents and Settings\Boy\Cookies\boy@overture[2].txt
C:\Documents and Settings\Boy\Cookies\boy@revenue[2].txt
C:\Documents and Settings\Boy\Cookies\boy@liveadulthost[2].txt
C:\Documents and Settings\Boy\Cookies\boy@statcounter[1].txt
C:\Documents and Settings\Boy\Cookies\boy@banners.adultfriendfinder[2].txt
-
C:\Documents and Settings\Boy\Cookies\boy@ads.epochtimes[1].txt
C:\Documents and Settings\Boy\Cookies\boy@112.2o7[1].txt
C:\Documents and Settings\Boy\Cookies\boy@adserver[1].txt
C:\Documents and Settings\Boy\Cookies\boy@www.burstnet[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.adplan-ds[1].txt
C:\Documents and Settings\Boy\Cookies\boy@adserver.easyad[1].txt
C:\Documents and Settings\Boy\Cookies\boy@4.adbrite[2].txt
C:\Documents and Settings\Boy\Cookies\boy@hitbox[2].txt
C:\Documents and Settings\Boy\Cookies\boy@read[2].txt
C:\Documents and Settings\Boy\Cookies\boy@acronymfinder[1].txt
C:\Documents and Settings\Boy\Cookies\boy@total.t2click[2].txt
C:\Documents and Settings\Boy\Cookies\boy@server.iad.liveperson[2].txt
C:\Documents and Settings\Boy\Cookies\boy@xiti[1].txt
C:\Documents and Settings\Boy\Cookies\boy@rakuten.112.2o7[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ads2.adserver-centrelinks-hk[1].txt
C:\Documents and Settings\Boy\Cookies\boy@clickaider[1].txt
C:\Documents and Settings\Boy\Cookies\boy@cgi-bin[1].txt
C:\Documents and Settings\Boy\Cookies\boy@yesex[2].txt
C:\Documents and Settings\Boy\Cookies\boy@mediamgr.ugo[2].txt
C:\Documents and Settings\Boy\Cookies\boy@burstnet[2].txt
C:\Documents and Settings\Boy\Cookies\boy@realmedia[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ads.veoh[2].txt
C:\Documents and Settings\Boy\Cookies\boy@mediaplex[1].txt
C:\Documents and Settings\Boy\Cookies\boy@revsci[2].txt
C:\Documents and Settings\Boy\Cookies\boy@ad1.clickhype[1].txt
C:\Documents and Settings\Boy\Cookies\boy@partypoker[2].txt
C:\Documents and Settings\A\Cookies\a@ad-cross.co[1].txt
C:\Documents and Settings\A\Cookies\a@ad-indicator[1].txt
C:\Documents and Settings\A\Cookies\a@ad.yieldmanager[1].txt
C:\Documents and Settings\A\Cookies\a@ad1.dmcmedia.co[1].txt
C:\Documents and Settings\A\Cookies\a@atdmt[2].txt
C:\Documents and Settings\A\Cookies\a@azjmp[2].txt
C:\Documents and Settings\A\Cookies\a@doubleclick[1].txt
C:\Documents and Settings\A\Cookies\a@hc2.humanclick[1].txt
C:\Documents and Settings\A\Cookies\a@msnportal.112.2o7[1].txt
C:\Documents and Settings\A\Cookies\a@mywebsearch[2].txt
C:\Documents and Settings\A\Cookies\a@nac.nasmedia.co[1].txt
C:\Documents and Settings\A\Cookies\a@nads6.nasads[2].txt
C:\Documents and Settings\A\Cookies\a@overture[1].txt
C:\Documents and Settings\A\Cookies\a@realmedia.co[1].txt
C:\Documents and Settings\A\Cookies\a@realmedia[1].txt
C:\Documents and Settings\A\Cookies\a@serving-sys[1].txt
C:\Documents and Settings\A\Cookies\a@sonyhk.112.2o7[1].txt
C:\Documents and Settings\A\Cookies\a@statcounter[2].txt
C:\Documents and Settings\A\Cookies\a@tripod[1].txt
C:\Documents and Settings\Boy\Cookies\boy@ad.yieldmanager[2].txt
C:\Documents and Settings\Boy\Cookies\boy@adultfriendfinder[2].txt
C:\Documents and Settings\Boy\Cookies\boy@pornaccess[1].txt
C:\Documents and Settings\Boy\Cookies\boy@track[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@2o7[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@4.adbrite[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@a.websponsors[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ad.hinet[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ad.iconadserver[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ad.ntv.co[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ad.yieldmanager[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ad.zanox[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ad1.emediate[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adbrite[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adimages.sina.com[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adinterax[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adrevolver[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adrevolver[3].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adrevolver[4].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ads.adbrite[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ads.manyway[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ads.pointroll[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adserver[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adtech[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@adultadworld[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@advertising[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@atdmt[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@atwola[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@audit.median[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@bluestreak[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@bobbibrown.mixmedia[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@bs.serving-sys[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@counter.hitslink[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@cupolaventures.112.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@custom-click[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@doubleclick[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@edge.ru4[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ehg-deltatre.hitbox[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ehg-dig.hitbox[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ehg-gucciamericainc.hitbox[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ehg-nokiafin.hitbox[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@ehg-technuity.hitbox[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@enhance[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@fastclick[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@hitbox[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@idea.t2click[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@langhamhotels.112.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@maxserving[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@media.adrevolver[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@mediaplex[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@msnportal.112.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@mywebsearch[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@nike.112.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@overture[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@perf.overture[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@publishers.clickbooth[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@questionmarket[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@realmedia[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@revsci[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@richmedia.yahoo[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@serving-sys[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[10].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[3].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[4].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[5].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[6].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[7].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@smileycentral[8].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@sonyhk.112.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@specificclick[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@standardcharteredbank.122.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@stat.onestat[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@statcounter[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@targetnet[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@tribalfusion[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@tripod[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@try.starware[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@valueclick.ne[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@vodafone.122.2o7[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@winantivirus[2].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@www.counters[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@www.itrafficads[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@xiti[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@yourmedia[1].txt
C:\Documents and Settings\KH_CHAN\Cookies\kh_chan@zedo[2].txt
-
well you can go ahead and delete all the cookies (looks like you've been on porn sites..lol) from quarantine in Superantispyware but keep the mywebsearch and vundo infections in the quarantine. Sigh, this is worse than i thought. You have a vundo infection.
I think your hjt report was before your Superantispyware scan correct?? If so, could you post a new HJT report for us to examine and see what exactly the Superantispyware scan removed. Please upload the HJT log by going clicking the "additional options" when posting and uploading your log to your post instead of posting the entire log on the forum. SUPERantispyware does a good job, but it will prolly miss a few things. Also, you will need to eventually download vundofix, but please wait for an avast admin to give you instructions on how to use it. The admin may have you use combofix or some other program instead. There are a few options to dealing with a vundo infection (i've had one myself). Hopefully you'll get some real help soon, but i'll do my best in the meantime.
-
:) Hi :
According to the SUPERAntiSpyware log that was posted, there are at
least 3 Users of this computer, and the One known as "boy" is going to
Adult/Porn Sites, which dramatically increases the Chances of getting a
very serious "Infection" . Would recommend this STOP to reduce this
Possibility .
The Norton antivirus "BootWarn" is still showing in the HJT log as "running";
did you run the "Norton Removal Tool" ?
-
Sheessh, fellas, embarrass the poor kid, why don't you? :-[
-
:o
The one who goes to porn site is another user who shares the account with me.....I think.
Don't misapprehend it guys. 8)
I have removed the cookies, and ran the Norton remove already, seems that the computer run a little bit faster.
The HijackThis report is attached.
What is vundo?
(I am really a poor guy in computer.......)
-
the last HJT report was AFTER the scans and norton removal correct? The reason i ask is because you still have all the adware running in the report and the leftovers of Norton antivirus. I would have expected Superantispyware to do better than that. If it is not a new HJT report, please post a new one (make sure to overwrite the old report when saving the report or name it something different and upload it).
Vundo is an especially nasty type of adware that is very common. The good news, its very common so many programs can remove it. The bad news, its famous for a reason because its constantly evolving and infecting many computers.
-
This is the newest one, but I have only deleted the cookies found, the Vundo variant and My websearch is not yet deleted.....
Or I have just scanned a new one, let see if it is different, maybe I have uploaded a wrong one.
-
Well that is the updated log. The good news, Norton is gone. The bad news, all the adware is still there (although it may not be activated if Superantispyware has them quarantined). You still have the mywebsearch and vundo IN the quarantine correct?
I wish an avast admin would help...wonder what is keeping them. You will probably need to fix the following in HJT, but wait until alwil admin confirms it:
please no one click on the following links, you may get adware, you have been warned. TFL, i have added a space between the Http:// and the url to make the links unclickable. The actual file has them connected, but this creates a clickable link.
O8 - Extra context menu item: &Search - http:// edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager¿ØÖÆÔª¼þ) - http:// dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
The next couple are possible nasties, but some (or maybe all) are probably not. Please wait for an alwil admin to varify if they are safe or not:
O16 - DPF: HKJC Applet - https:// bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http:// cop.dusee.cn/p2ptest/clientx12500.cab
O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http:// secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http:// txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http:// w ww.gogobox.com.tw/neo.fld/GNowStarter.cab
I'm just curious, did you run a-squared (the normal program or antidialer) at all? If you didn't that is fine, but if you did I am wondering if it found anything. And just because the HJT entries of websearch and vundo are still there, they are probably not active if Superantispyware has them in quarantine. Keep them in quarantine for now. I will private message an avast admin that has helped me remove my vundo infection in the past. Please wait for conformation (and remember i'm doing this in my freetime and i am no expert, but I'm still trying to help).
BTW, i noticed that ur Chinese (from the speech to text software). I know it's early but happy new year (my gf is Chinese). You may also want to watch what you download from bitcommet. That might have also caused this in the first place in addition to porn sites. I'm not trying to embarrass you. I'm just trying to prevent future infections.
-
Hi there lets see what I can do - from the log I will need to use this programme
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
-
Seems that it is useless to explain......forget about it then. I have heard before that there are some program which can ban the porn sites.....can anyone suggest some (no matter it is free or not) ? Just for prevention.
For the a-squared, I have run it after your suggestion. And there is a long list of quarantine, including some value, key and also file. But seems that I can't made a log for it......and the list is too long that I can't use screen caught.....
I have already run the ComboFix and the HJT. The two log is attached.
Thanks to everyone......I felt an immense gratitude to everyone, especially to philly, who pay most attention to this and give a lot of opinion.....
Actually I am from HK.....I am wonder how you found my nationality by my words.......Is it really a big difference or just because my English is very weak?
-
You still need to kill the Vundo entry.
You can do so by following the instructions beginning:
Please print these instructions out for use in Safe Mode.
and ending:
Press enter to exit the program then manually reboot your computer.
Here:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t35849.html (http://www.bleepingcomputer.com/forums/lofiversion/index.php/t35849.html)
The HijackThis! entry you will need to fix is this one:
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
-
1. Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\Documents and Settings\Boy\com_securenetasia_p11wrapper2.dll
C:\WINDOWS\system32\jkhfg.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfg]
3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
4. Save the above as CFScript.txt
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
(http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif)
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:- Combofix.txt
- A new HijackThis log.
-
I have run the combofix, and the log is attached.
But I don't know how to use the VundoFix, when I open the program, it don't shows the message that the instruction shows but only two button--"Scan Vundo" and "Remove Vundo". It seems that the version isn't match, the one I download is v6.7.7 but in the instruction it is v2.15 .
-
The jkhfg.dll entry has gone from your log now, so you don't need those instructions.
jkhfg.dll was a Vundo infection, so you can hit the "scan Vundo" button just to check that Vundo has gone.
If VundoFix finds any traces, run again and hit the "Remove Vundo" button.
-
Logs look clean to me
Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:
1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE
You now have a clean restore point, to get rid of the bad ones:
1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done
-
I figured you were Chinese because you had a Chinese speech to text software program installed on your computer. I hope your infection is clear and everything runs okay :D
-
Is that already clean.....? Seems not as fast as before.....
I have run the VundoFix and find this
C:\WINDOW\system32\RGSS100J.dll
And also there are something left in the quarantine of a-squared and SUPERAntiSpyware, do I need to clear them all?
-
Yes you can empty the quarantine.. I will search for stray files if you wish
Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
-
The log is attached.
-
Looks good nothing worth talking about in there :D
-
:) Hi TFL :
Once you are "clean", I recommend you do the following :
1) Your Hijackthis log shows a slightly outdated version of Sun Java,
which can be a Source of getting a "Vundo" infection, which you had;
therefore, uninstall ALL Versions of this program you have, then go to
www.java.com to get the latest version .
2) To reduce the possibilities of "boy" going to Porn Sites, install the
very good & FREE "SpywareBlaster" from www.javacoolsoftware.com ;
there is a "Tutorial" on this program at
www.bleepingcomputer.com/tutorials/tutorial49.html .
I would not bother using the "System Snapshot" Section .
-
It is much better than before......thanks all for your kind help !