TheTechGuide Forum
General Category => Tech Clinic => Topic started by: forzamilan on September 17, 2006, 05:07:29 AM
-
when i installing a new program,'i tunes',a window jump out and i cant continue the installation
"Cannot load library for language 'VBScript'
Path:'C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll'"
can somebody tell me what is my problem??
-
Do you have Norton's still installed on this computer
What happens if you disable script blocking?
If you don't, what version of Norton's did you have installed?
-
i just uninstall my norton and install karpersky,i duno what happened
-
What exact version of Norton's did you have installed?
Additionally, can you do the following
From my signature below, download and save too a permanent folder of it's own onto your harddrive
Hijackthis 1.99.1
Open Hijackthis.exe
Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
-
Logfile of HijackThis v1.99.1
Scan saved at 11:29:21 PM, on 9/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\jj4\jiajiasr.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Teo\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://seek.3721.com/srchasst.htm (http://\"http://seek.3721.com/srchasst.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.yisou.com/srchasst.htm (http://\"http://seek.yisou.com/srchasst.htm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm (http://\"http://seek.yisou.com/srchcust.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R3 - URLSearchHook: ÑÅ»¢ÖúÊÖ - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ÑÅ»¢ÖúÊÖ - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [PPGou.exe] C:\PROGRA~1\PPGou2\PPGou.exe Auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [dkbmf] C:\WINDOWS\System32\hvpsei.exe reg_run
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [jiajiasr] C:\Program Files\jj4\jiajiasr.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: &ʹÓÃƨƨ¹·[PPGou]¼ÓËÙÏÂÔØ - C:\PROGRA~1\PPGou2\geturl.htm
O8 - Extra context menu item: &ʹÓÃƨƨ¹·[PPGou]ÏÂÔØÈ«²¿Á´½Ó - C:\PROGRA~1\PPGou2\getAll.htm
O8 - Extra context menu item: ???? - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Ìí¼Óµ½ÑÅ»¢¶©ÔÄ(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Teo\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (http://\"http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg\") (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab (http://\"https://www.e-games.com.my/com/EGamesPlugin.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150613442203 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150613442203\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{78EB42CA-A42E-4706-B0A9-C243E0F65736}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
thats all
-
Download [color=\"red\"]SDFix[/color] (http://\"http://downloads.andymanchesta.com/RemovalTools/SDFix.zip\") and save it to your Desktop.
Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. >>I'll need to see this log later
NEXT:
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/combofix.exe\") and save it too desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post back all the following, even if it takes more than one reply to do so
1. Post the log that opens after running Combofix
2. Post the log from SDFix>>Report.txt
3. Post a fresh hijackthis log
-
Teo - 06-09-20 2:55:41.84 Service Pack 1
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Teo\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\WINDOWS\system32\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1\?racle
((((((((((((((((((((((((((((((( Files Created from 2006-08-20 to 2006-09-20 ))))))))))))))))))))))))))))))))))
2006-09-18 05:30 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-09-10 01:07 1,500,160 --a------ C:\WINDOWS\system32\cc3260mt.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-20 02:54 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-20 02:33 -------- d-------- C:\Program Files\TClock
2006-09-20 02:04 -------- d-------- C:\Program Files\NJStar Communicator
2006-09-18 06:23 -------- d-------- C:\Program Files\a-squared
2006-09-18 05:47 -------- d-------- C:\Program Files\Windows Media Player
2006-09-18 05:30 -------- d-------- C:\Program Files\MsnMusic
2006-09-18 05:21 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-16 06:25 -------- d-------- C:\Documents and Settings\Teo\Application Data\Skype
2006-09-16 03:58 -------- d-------- C:\Program Files\jj4
2006-09-12 06:55 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 06:18 -------- d-------- C:\Program Files\Warcraft III
2006-09-09 23:06 -------- d---s---- C:\Documents and Settings\Teo\Application Data\Microsoft
2006-08-27 00:10 14848 --a------ C:\WINDOWS\system32\drivers\6679828.sys
2006-08-26 20:22 -------- d-------- C:\Documents and Settings\Teo\Application Data\IMVU
2006-08-25 14:29 -------- d-------- C:\Program Files\IMVU
2006-08-25 13:21 14848 --a------ C:\WINDOWS\system32\drivers\584750.sys
2006-08-25 13:19 -------- d-------- C:\Program Files\LimeWire
2006-08-24 17:01 -------- d-------- C:\Program Files\Common Files
2006-08-24 16:33 -------- d-------- C:\Program Files\BT Engine
2006-08-24 15:32 -------- d-------- C:\Program Files\Yahoo!
2006-08-13 01:05 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-08-13 01:05 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-08-10 14:58 0 --a------ C:\WINDOWS\system32\setup_47167.exe
2006-08-10 13:18 -------- d-------- C:\Program Files\IGS
2006-08-09 17:33 -------- d-------- C:\Documents and Settings\Teo\Application Data\Sun
2006-08-09 17:32 -------- d-------- C:\Program Files\Java
2006-08-09 16:40 -------- d-------- C:\Program Files\BitComet
2006-08-09 16:33 -------- d-------- C:\Program Files\AWinstall
2006-08-08 14:37 -------- d-------- C:\Program Files\BeautyStrike1.6
2006-08-04 20:10 0 --a------ C:\WINDOWS\system32\cmmgr32.exe
2006-08-04 19:26 -------- d-------- C:\Program Files\SUPERAntiSpyware
2006-08-04 19:26 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-08-04 19:26 -------- d-------- C:\Documents and Settings\Teo\Application Data\SUPERAntiSpyware.com
2006-08-04 19:12 -------- d-------- C:\Program Files\EA GAMES
2006-08-03 16:56 0 --a------ C:\WINDOWS\system32\setup_60308.exe
2006-08-03 15:32 -------- d-------- C:\Program Files\Kaspersky Lab
2006-08-03 15:30 -------- d-------- C:\Program Files\WinRAR
2006-08-03 14:34 -------- d-------- C:\Documents and Settings\Teo\Application Data\Mozilla
2006-07-24 18:55 -------- d-------- C:\Documents and Settings\Teo\Application Data\Yahoo!
2006-07-21 01:30 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-18 10:53 32768 --a------ C:\WINDOWS\system32\cns.dll
2006-07-18 10:53 28672 --a------ C:\WINDOWS\system32\cns.exe
2006-07-13 01:50 595968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2006-07-07 22:34 472 --a------ C:\WINDOWS\SysPPHash.dll
2006-07-07 22:34 2285 --a------ C:\WINDOWS\SysPPMultThd.dll
2006-07-07 22:30 24 --a------ C:\WINDOWS\PPGRefererURL.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Arua"="\"C:\\WINDOWS\\System32\\RACLE~1\\nopdb.exe\" -vt yazr"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"jiajiasr"="C:\\Program Files\\jj4\\jiajiasr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"RaidTool"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"9xadiras"="9xadiras.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Drag'n'Drop_Autolaunch"="\"C:\\Program Files\\Iomega HotBurn Pro\\Autolaunch.exe\""
"Windows Recylinder Check"="yfsdkvowcq.exe"
"YLive.exe"="C:\\PROGRA~1\\Yahoo!\\ASSIST~1\\YLive.exe"
"yassistse"="\"C:\\PROGRA~1\\Yahoo!\\Assistant\\yassistse.exe\""
"PPGou.exe"="C:\\PROGRA~1\\PPGou2\\PPGou.exe Auto"
"StormCodec_Helper"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"KAVPersonal50"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe /minimize"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows Recylinder Check"="yfsdkvowcq.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Completion time: Wed 09/20/2006 2:55:57.01
ComboFix.txt
SDFix: Version 1.25
-------------------
Wed 09/20/2006
02:30 AM
Microsoft Windows XP [Version 5.1.2600]
Running from: C:\Documents and Settings\Teo\Desktop\SDFix
Stage One...
Checking Services...
Name:
-----
Windows Spool Service
Path:
----
"C:\WINDOWS\wdfmgr.exe"
Windows Spool Service ... deleted
Repairing Registry...
Restoring Default Hosts File...
Stage One Complete
Rebooting!
Stage Two...
Registry Cleaning Finished...
Checking For Malware Files:
--------------------------
C:\WINDOWS\system32\i
Backing Up and Removing any Files Found...
Final Check:
Remaining Services:
------------------
Remaining Files:
--------------
*If Malware was detected, the files are stored in the SDFix\Backup Folder !
*FINISHED*
Logfile of HijackThis v1.99.1
Scan saved at 2:53:40 AM, on 9/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\jj4\jiajiasr.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Teo\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://seek.3721.com/srchasst.htm (http://\"http://seek.3721.com/srchasst.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com (http://\"http://www.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.yisou.com/srchasst.htm (http://\"http://seek.yisou.com/srchasst.htm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm (http://\"http://seek.yisou.com/srchcust.htm\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com (http://\"http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com\")
R3 - URLSearchHook: ÑÅ»¢ÖúÊÖ - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [PPGou.exe] C:\PROGRA~1\PPGou2\PPGou.exe Auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [jiajiasr] C:\Program Files\jj4\jiajiasr.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: &ʹÓÃƨƨ¹·[PPGou]¼ÓËÙÏÂÔØ - C:\PROGRA~1\PPGou2\geturl.htm
O8 - Extra context menu item: &ʹÓÃƨƨ¹·[PPGou]ÏÂÔØÈ«²¿Á´½Ó - C:\PROGRA~1\PPGou2\getAll.htm
O8 - Extra context menu item: ???? - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Ìí¼Óµ½ÑÅ»¢¶©ÔÄ(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Teo\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (http://\"http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg\") (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab (http://\"https://www.e-games.com.my/com/EGamesPlugin.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150613442203 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150613442203\")
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
-
WHAT VERSION OF NORTONS DID YOU HAVE INSTALLED?
Can you do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [jiajiasr] C:\Program Files\jj4\jiajiasr.exe
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Download and save too desktop
F-Secure Blacklight(blbeta.exe) (http://\"https://europe.f-secure.com/exclude/blacklight/blbeta.exe\")
Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log
BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".
Post the log please
Also
Go to either of these links
http://virusscan.jotti.org/ (http://\"http://virusscan.jotti.org/\")
OR
http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")
Use the browse button and navigate to the file on your harddrive
C:\WINDOWS\system32\drivers\[color=\"#000099\"]6679828.sys[/color] <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for these files too please
C:\WINDOWS\system32\drivers\[color=\"#000099\"]584750.sys[/color]
C:\Program Files\jj4\[color=\"#000099\"]jiajiasr.exe[/color]
C:\WINDOWS\system32\[color=\"#000099\"]setup_47167.exe[/color]
Did you intentionally install CHINESE KEYWORDS?
One last request
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as find.bat
Save this file on the desktop
@echo off
regedit /e C:\cp.reg "HKEY_CURRENT_USER\Software\Microsoft\OLE"
more C:\cp.reg >> C:\Display.txt
regedit /e C:\cp.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
more C:\cp.reg >> C:\Display.txt
regedit /e C:\cp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
more C:\cp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\cp.reg
del /q C:\Display.txt
Double click on find.bat, a text file will open, copy>>paste back here the contents also please