Author Topic: Can anyone help ?  (Read 13412 times)


Offline TFL

  • Newbie
  • *
  • Posts: 14
Can anyone help ?
« on: January 29, 2008, 02:05:42 PM »
Hello all. I am a user of avast! 4.7 Pro. I am using Windows XP SP2 and the browser I am using is IE5. There is something strange in my computer. When I am not connected to the Internet, nothing happens. However, when I connect to the Internet, my computer starts to receive and transfer a large amount of data automatically without my order. And then the whole system lags down, the CPU utilization rate increases to a high rate of 60%-80%, and I can't even open my IE. But when the connection is switched off, the computer runs as fast as usual; it seems that nothing is happening, just as fast as before. When I use avast! to scan the hard discs, nothing is found. (But there were a lot of files infected before and I sent all of them to the chest.)

What can I do with this? Can anyone help?

Offline philly12

  • Full Member
  • ***
  • Posts: 156
  • Boring federal gov worker (slave)
Re: Can anyone help ?
« Reply #1 on: January 29, 2008, 05:24:15 PM »
You could be infected with a bot, which uses ur computer to infect other computers as well.  Not sure if this will help, but you might want to try a-squared's antidialer program (it's free).  I'd still wait to hear from an avast person who might know better than me.  Also, you should scan your computer with a good antispyware program in addition to avast, such as a-squared, Superantispyware, or Spywareterminator (ad-aware and spybot do not detect enough in my opinion).

You might also want to update IE5 to IE7.

To see what infections u might have, you should download a program called Hijackthis (abbreviated HJT) from Trend Micro.  Once u download it, run it and save a log file.  Then upload the file onto this forum topic in a followup post.  This will help the avast team to help you, but I'll also take a look by uploading your log to http://www.hijackthis.de/ .  They can help you more than I can from there.

Please only quarantine any infections found from a-squared or Superantispyware free version.  Please do not fix any programs using HJT, just post the log :D
« Last Edit: January 29, 2008, 06:40:36 PM by philly12 »

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #2 on: January 30, 2008, 10:28:35 AM »
Thanks for your help.

Sorry, I made a mistake: the IE I use is IE6, but I think it makes no difference, does it?
a-squared found nothing, but the situation doesn't change; it's even worse, the CPU utilization rate increased to a crazy rate of 100% today.....

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:16, on 30/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\Boy\My Documents\HDDLife 2.8.98\HDDLife 2.8.98\HDDlifePro-v2.8.98\HDDlifePro-v2.8.98\HDDlifePro.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Boy\桌面\hijackthis_199\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #3 on: January 30, 2008, 10:29:51 AM »
Log continued:

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O8 - Extra context menu item: &使用BitComet下載本頁視訊 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 使用BitComet下載全部連結 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載連結(&B) - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http://cop.dusee.cn/p2ptest/clientx12500.cab
O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http://secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager諷秶啋璃) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A090583-2E4C-462E-9339-26147CD6536D}: NameServer = 218.102.32.208 205.252.144.126
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for your help...

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Can anyone help ?
« Reply #4 on: January 30, 2008, 11:54:17 AM »
As philly12 has suggested, the high internet activity while connected suggests your computer may be a zombie, part of a larger botnet, being used for illegal activity.

All I can see in the HijackThis! log is some adware, which suggests that you may have some hidden malware, a rootkit in other words.

Try some rootkit scanners. If they start telling you there is a rootkit present, the best advice is always to reinstall the operating system to ensure that the computer is returned to your control. The tools below may remove a rootkit found, but not with a 100% guarantee.

Panda Antirootkit
Blacklight
AVG Anti-Rootkit
Trend Micro Rootkit Buster
McAfee Rootkit Detective
Sophos Anti-Rootkit



     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #5 on: January 30, 2008, 02:02:14 PM »
I have tried Panda and AVG Anti-Rootkit*, but still nothing is found........
What can that be? Or is it really caused by a virus/worm? Is there any other possibility, maybe some mistake in the settings? Well, I am just guessing blindly...... ::)

If I can't find out what it is, can I trace where it is connecting to? Maybe this can help if I can....

*All scans I have done before were in-depth.
« Last Edit: January 30, 2008, 02:05:32 PM by TFL »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Can anyone help ?
« Reply #6 on: January 30, 2008, 02:07:13 PM »
A good third-party firewall would help you trace the connection.

However, one anti-rootkit can find something another misses, so I'd run all the scanners first.
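Tracing which process owns the connections, as the two replies above discuss, can also be done without a third-party firewall by correlating `netstat -ano` with `tasklist`. The script below is an added example written for this thread, not something any poster or product provided. It parses constructed sample output in the shape of those two Windows commands (the addresses are documentation-range IPs made up for the example), counts outbound TCP connections per process, and flags processes that have many of them or talk to remote ports a reviewer would want explained. The function and constant names (`parse_netstat`, `parse_tasklist`, `summarize`, `suspicious`, `PORTS_OF_INTEREST`) and the thresholds are assumptions of the example.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample in the shape of `netstat -ano` on Windows XP.
# Remote addresses are from documentation ranges (RFC 5737), not real hosts.
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1034      203.0.113.5:80         ESTABLISHED     1640
  TCP    192.168.1.10:1041      198.51.100.7:6667      ESTABLISHED     1712
  TCP    192.168.1.10:1042      198.51.100.8:6667      ESTABLISHED     1712
  TCP    192.168.1.10:1043      198.51.100.9:445       SYN_SENT        1712
  TCP    192.168.1.10:1044      198.51.100.10:445      SYN_SENT        1712
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `tasklist /fo csv /nh`.
TASKLIST_SAMPLE = """"System","4","Console","0","236 K"
"svchost.exe","872","Console","0","4,512 K"
"IEXPLORE.EXE","1640","Console","0","31,204 K"
"svchost.exe","1712","Console","0","5,008 K"
"""

OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

# Remote ports worth a second look on a home PC of this era: IRC (6667) was the
# classic bot command channel, and a burst of outbound SMB (445) attempts to
# many hosts is what a self-spreading worm looks like. Example heuristic only.
PORTS_OF_INTEREST = {6667: "IRC", 445: "SMB"}


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` output."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local, remote = tokens[:3]
        # UDP rows have no State column, so the PID is always the last token.
        state = tokens[3] if proto == "TCP" and len(tokens) == 5 else ""
        yield proto, local, remote, state, int(tokens[-1])


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def summarize(netstat_text, tasklist_text):
    """Per-PID view of outbound TCP activity joined with the process name."""
    names = parse_tasklist(tasklist_text)
    summary = defaultdict(lambda: {"name": "?", "established": 0, "attempts": 0,
                                   "remotes": set(), "ports": set()})
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state not in OUTBOUND_STATES:
            continue  # listeners and UDP sockets are not outbound traffic
        host, port = remote.rsplit(":", 1)
        entry = summary[pid]
        entry["name"] = names.get(pid, "?")
        entry["established" if state == "ESTABLISHED" else "attempts"] += 1
        entry["remotes"].add(host)
        entry["ports"].add(int(port))
    return dict(summary)


def suspicious(summary, min_conns=3):
    """Return (pid, name, reason) for processes a reviewer should look at."""
    flagged = []
    for pid, e in sorted(summary.items()):
        reasons = []
        total = e["established"] + e["attempts"]
        if total >= min_conns:
            reasons.append(f"{total} outbound TCP connections to {len(e['remotes'])} hosts")
        for port in sorted(e["ports"] & set(PORTS_OF_INTEREST)):
            reasons.append(f"remote port {port} ({PORTS_OF_INTEREST[port]})")
        if reasons:
            flagged.append((pid, e["name"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    # Usage: python trace_conns.py netstat.txt tasklist.txt  (else the samples run)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            net, tl = f.read(), g.read()
    else:
        net, tl = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for pid, name, why in suspicious(summarize(net, tl)):
        print(f"PID {pid} ({name}): {why}")
```

On a real XP box the input would come from `netstat -ano > netstat.txt` and `tasklist /fo csv /nh > tasklist.txt` run while the slowdown is happening; a process like `svchost.exe` holding many connections to unrelated hosts is the lead to take to the Task Manager process list and the anti-rootkit scanners mentioned above.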

Offline Darth AkSarBen

  • Jr. Member
  • **
  • Posts: 58
    • Vern's Didgeridoo Site!
Re: Can anyone help ?
« Reply #7 on: January 30, 2008, 07:16:39 PM »
If you are running Windows XP SP2 it may be trying to download that IE7 update for you.  Especially if you have "Automatically check for updates to Internet Explorer" checked in TOOLS - INTERNET OPTIONS - ADVANCED; scroll down a bit in Advanced and you might see what I'm talking about.  It may also be looking for a lot of other updates as well.
Just a thought....

UPDATED:  I just was reading through your log.  You have Symantec running.  Do you have 2 antivirus software packages running at the same time?  If so, this is not good.
Also you have Google update service running as well as Real Audio updater.
« Last Edit: January 30, 2008, 07:24:02 PM by Darth AkSarBen »
Cheers!

Vern
"I started out in life with nothing, and I've managed to keep most of it!"
http://vernsdidj.com  (Didgeridoo info, Bio plus other stuff)

Offline Spiritsongs

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1757
  • Ad-aware orientated Support forum(s)
Re: Can anyone help ?
« Reply #8 on: January 30, 2008, 08:03:39 PM »
:) Hi:

As "Darth" pointed out, the "Log" of the outdated Version of HijackThis you are using (should uninstall the 1.99.1 version, then get the latest 2.0.2 ver at www.filehippo.com/download_hijackthis) shows at least 2 References to Symantec/Norton, including something called "BootWarn", that should be removed by you using the Norton Removal Tool, available at www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html . Unless you have an "Older" Operating System, I would NEVER recommend using a-squared; much more reliable is "SUPERAntiSpyware".

And as to your 100% CPU Usage, have you checked the "Process" tab of your "Task Manager" to see which "One" is running "High" !?
« Last Edit: January 30, 2008, 08:10:14 PM by Spiritsongs »
For the Best in what counts in Life :
www.tacf.org

Offline philly12

  • Full Member
  • ***
  • Posts: 156
  • Boring federal gov worker (slave)
Re: Can anyone help ?
« Reply #9 on: January 30, 2008, 08:47:44 PM »
Sigh... yes, u are infected.  I will post below which ones are bad, possibly bad, and unknown if bad.  Please do not fix ANYTHING until an avast admin gives the go ahead for the files I'm about to mention.  You should also download the LATEST version of HJT and post another log (but make it an attachment to the post this time).  You may want to consider updating to IE7 for added security and updates.

Now the following are bad; however, wait for confirmation from avast before fixing:
TO EVERYONE: PLEASE DO NOT CLICK ON THE FOLLOWING LINKS in the report.
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager諷秶啋璃) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab

O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)

The following are possible nasties, but not for sure.  DEFINITELY wait for avast confirmation before fixing these; they may be perfectly safe but I'm not sure:

    C:\Documents and Settings\Boy\My Documents\HDDLife 2.8.98\HDDLife 2.8.98\HDDlifePro-v2.8.98\HDDlifePro-v2.8.98\HDDlifePro.exe

O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab

O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http://cop.dusee.cn/p2ptest/clientx12500.cab

O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http://secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB

O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab

O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab

The following is unknown.  Wait till avast confirms if this is safe or not... don't fix it till then:

O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\system32\jkhfg.dll (file missing)


Also, please download SUPERantispyware, update it, and run a full scan.  Let us know the results.  I don't know why spiritsongs has a problem with a-squared.  It has saved me in the past by finding two instances of adware that SUPERantispyware had missed.  I would still recommend scanning your comp with a-squared and especially a-squared antidialer, but if you prefer to trust spiritsongs I won't blame you.  At least do a scan with SUPERantispyware.  You should prolly do a scan before fixing anything in your HJT, quarantine any infections found, and do another scan with HJT and see what is fixed or not.  But still wait till avast looks over my recommendations before fixing anything.



« Last Edit: January 30, 2008, 08:52:39 PM by philly12 »
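The reply above sorts the HijackThis entries by hand into bad, possibly bad and unknown. The script below is an added example for this thread (not HijackThis code and not anything a poster provided) that applies the same kind of reasoning mechanically to a few constructed log lines modelled on the ones in this thread: O2/O20 entries whose DLL is missing from disk, nameless BHOs, O17 NameServer overrides, and O16 ActiveX downloads from hosts outside a small allowlist. The function names (`classify`, `triage`), the `ADWARE_URL_HINTS` strings (taken from the entries this thread's scan results tie to MyWebSearch/FunWebProducts) and the `TRUSTED_DPF_HOSTS` allowlist are assumptions of the example, not a maintained signature set.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on entries from the HijackThis logs in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A090583-2E4C-462E-9339-26147CD6536D}: NameServer = 218.102.32.208 205.252.144.126
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
"""

# URL substrings that the SUPERAntiSpyware result later in this thread ties to
# adware (Adware.MyWebSearch / FunWebProducts). Constructed hint list.
ADWARE_URL_HINTS = ("mywebsearch", "funwebproducts")

# Hosts a reviewer would normally accept as the source of an O16 ActiveX
# download. Constructed allowlist for the example.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://\S+")


def classify(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    lower = body.lower()

    if section in ("O2", "O20") and "(file missing)" in lower:
        # The registry still loads a DLL that is not on disk: the leftover of a
        # removed, or self-hiding, BHO / Winlogon notify package.
        return ("high", f"{section} references a missing file")
    if section == "O2" and "(no name)" in lower:
        return ("medium", "O2 BHO without a name")
    if section == "O17":
        # A per-adapter DNS override; the user should confirm these are the ISP's.
        ips = IPV4_RE.findall(body)
        return ("review", f"O17 NameServer override: {' '.join(ips)} (confirm these are your ISP's DNS)")

    url = URL_RE.search(body)
    if url:
        target = url.group(0)
        host = urlparse(target).hostname or ""
        if any(hint in target.lower() for hint in ADWARE_URL_HINTS):
            return ("high", f"{section} loads from adware-associated location {host}")
        if section == "O16" and not host.endswith(TRUSTED_DPF_HOSTS):
            return ("medium", f"O16 ActiveX download from unrecognised host {host}")
    return None


def triage(log_text):
    """Flag every notable line and return (severity, reason, line), worst first."""
    order = {"high": 0, "medium": 1, "review": 2}
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.strip()))
    hits.sort(key=lambda h: order[h[0]])  # stable sort keeps log order within a level
    return hits


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The output is a review list, not a fix list: as the reply above says, every flagged entry still needs a human to confirm it before anything is removed, and the O17 line in particular is only a problem if the two addresses are not the user's ISP resolvers.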

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #10 on: January 31, 2008, 02:52:05 PM »
Thanks a lot. I am trying these methods.

However, I should have removed my Norton a long time ago. I have installed Google Toolbar, but I didn't know there were updates for it, also the Real Player. And I didn't know there was Symantec on my computer.....
For the process one
http://ma.6600.org/TFL_Temp_Storage/process.jpg

The following is the log of HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48:48, on 31/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Boy\My Documents\CuteFTP_Pro_V8_0_7_FTP_____\CuteFTP_Pro_V8_1_.0.7\cuteftppro.exe
C:\Documents and Settings\Boy\My Documents\CuteFTP_Pro_V8_0_7_FTP_____\CuteFTP_Pro_V8_1_.0.7\ftpte.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B5494892-DBD9-4F05-8992-A691C8CCA9A4} - C:\WINDOWS\SYSTEM32\JKHFG.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK
O8 - Extra context menu item: &使用BitComet下載本頁視訊 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 使用BitComet下載全部連結 - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 使用BitComet下載連結(&B) - res://C:\Documents and Settings\Boy\My Documents\BitComet_0.95\BitComet.exe/AddLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http://cop.dusee.cn/p2ptest/clientx12500.cab
O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http://secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager諷秶啋璃) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A090583-2E4C-462E-9339-26147CD6536D}: NameServer = 218.102.32.208 205.252.144.126
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
« Last Edit: January 31, 2008, 02:56:09 PM by TFL »

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #11 on: January 31, 2008, 02:57:05 PM »
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10056 bytes


The SuperAntiSpyware log


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/31/2008 at 10:24 PM

Application Version : 3.9.1008

Core Rules Database Version : 3392
Trace Rules Database Version: 1384

Scan type       : Complete Scan
Total Scan Time : 00:59:33

Memory items scanned      : 448
Memory threats detected   : 0
Registry items scanned    : 5248
Registry threats detected : 13
File items scanned        : 52765
File threats detected     : 206

Adware.MyWebSearch
   HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
   HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
   HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
   HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
   HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
   HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
   C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
   HKU\S-1-5-21-1757981266-823518204-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{07B18EA9-A523-4961-B6BB-170DE4475CCA}
   HKCR\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA}

Adware.Vundo Variant
   HKLM\Software\Classes\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}
   HKCR\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}
   HKCR\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}\InprocServer32
   HKCR\CLSID\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\JKHFG.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5494892-DBD9-4F05-8992-A691C8CCA9A4}

Adware.Tracking Cookie
« Last Edit: January 31, 2008, 03:34:32 PM by TFL »

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #12 on: January 31, 2008, 03:35:01 PM »

Offline philly12

  • Full Member
  • ***
  • Posts: 156
  • Boring federal gov worker (slave)
Re: Can anyone help ?
« Reply #13 on: January 31, 2008, 05:47:01 PM »
Well, you can go ahead and delete all the cookies (looks like you've been on porn sites.. lol) from quarantine in SUPERAntiSpyware, but keep the MyWebSearch and Vundo infections in the quarantine. Sigh, this is worse than I thought. You have a Vundo infection.

I think your HJT report was from before your SUPERAntiSpyware scan, correct? If so, could you post a new HJT report for us to examine, so we can see what exactly the SUPERAntiSpyware scan removed? Please upload the HJT log by clicking "additional options" when posting and attaching your log to your post, instead of pasting the entire log on the forum. SUPERAntiSpyware does a good job, but it will probably miss a few things. Also, you will eventually need to download VundoFix, but please wait for an avast admin to give you instructions on how to use it. The admin may have you use ComboFix or some other program instead. There are a few options for dealing with a Vundo infection (I've had one myself). Hopefully you'll get some real help soon, but I'll do my best in the meantime.

Offline Spiritsongs

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1757
  • Ad-aware orientated Support forum(s)
Adult/Porn Sites
« Reply #14 on: January 31, 2008, 09:47:09 PM »
:) Hi:

According to the SUPERAntiSpyware log that was posted, there are at least 3 users of this computer, and the one known as "boy" is going to adult/porn sites, which dramatically increases the chances of getting a very serious "infection". Would recommend this STOP to reduce this possibility.

The Norton antivirus "BootWarn" is still showing in the HJT log as "running"; did you run the "Norton Removal Tool"?
For the Best in what counts in Life :
www.tacf.org