Author Topic: VBScript  (Read 612 times)

Offline forzamilan

VBScript
« on: September 17, 2006, 05:07:29 AM »
When I was installing a new program, iTunes, a window popped up and I can't continue the installation:

"Cannot load library for language 'VBScript'
 Path:'C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll'"

Can somebody tell me what my problem is?

Offline guestolo

VBScript
« Reply #1 on: September 17, 2006, 11:49:47 AM »
Do you still have Norton's installed on this computer?
What happens if you disable script blocking?
If you don't, what version of Norton's did you have installed?
« Last Edit: September 17, 2006, 11:50:10 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline forzamilan

VBScript
« Reply #2 on: September 18, 2006, 07:02:56 AM »
I just uninstalled my Norton and installed Kaspersky; I don't know what happened.

Offline guestolo

VBScript
« Reply #3 on: September 18, 2006, 08:46:31 AM »
What exact version of Norton's did you have installed?

Additionally, can you do the following:
From my signature below, download Hijackthis 1.99.1 and save it to a permanent folder of its own on your hard drive.
Open Hijackthis.exe.

Do a "SCAN and Save a Log file".
A log will open in Notepad.
Copy and paste the WHOLE contents of the log here. Don't try and fix anything yet; it is all important.



Offline forzamilan

VBScript
« Reply #4 on: September 19, 2006, 01:30:28 AM »
Logfile of HijackThis v1.99.1
Scan saved at 11:29:21 PM, on 9/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\jj4\jiajiasr.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Teo\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://seek.3721.com/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.yisou.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: 雅虎助手 (Yahoo Assistant) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: 雅虎助手 (Yahoo Assistant) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [PPGou.exe] C:\PROGRA~1\PPGou2\PPGou.exe Auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [dkbmf] C:\WINDOWS\System32\hvpsei.exe reg_run
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [jiajiasr] C:\Program Files\jj4\jiajiasr.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: &使用皮皮狗[PPGou]加速下载 (Use PPGou to speed up the download) - C:\PROGRA~1\PPGou2\geturl.htm
O8 - Extra context menu item: &使用皮皮狗[PPGou]下载全部链接 (Use PPGou to download all links) - C:\PROGRA~1\PPGou2\getAll.htm
O8 - Extra context menu item: ???? - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) (Add to Yahoo subscriptions) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Teo\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150613442203
O17 - HKLM\System\CCS\Services\Tcpip\..\{78EB42CA-A42E-4706-B0A9-C243E0F65736}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)






That's all.

Offline guestolo

VBScript
« Reply #5 on: September 19, 2006, 09:06:22 AM »
Download SDFix and save it to your Desktop.

Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. >>I'll need to see this log later
NEXT:
Download this file, Combofix.exe, and save it to your desktop.

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back all the following, even if it takes more than one reply to do so

1. Post the log that opens after running Combofix
2. Post the log from SDFix>>Report.txt
3. Post a fresh hijackthis log



Offline forzamilan

VBScript
« Reply #6 on: September 20, 2006, 04:58:54 AM »
Teo - 06-09-20  2:55:41.84    Service Pack 1
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Teo\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 


 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1\?racle

 
(((((((((((((((((((((((((((((((   Files Created from 2006-08-20 to 2006-09-20  ))))))))))))))))))))))))))))))))))
 

2006-09-18   05:30   245,408   --a------   C:\WINDOWS\system32\unicows.dll
2006-09-10   01:07   1,500,160   --a------   C:\WINDOWS\system32\cc3260mt.dll
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-20 02:54   --------   d--------   C:\Program Files\Mozilla Firefox
2006-09-20 02:33   --------   d--------   C:\Program Files\TClock
2006-09-20 02:04   --------   d--------   C:\Program Files\NJStar Communicator
2006-09-18 06:23   --------   d--------   C:\Program Files\a-squared
2006-09-18 05:47   --------   d--------   C:\Program Files\Windows Media Player
2006-09-18 05:30   --------   d--------   C:\Program Files\MsnMusic
2006-09-18 05:21   --------   d--------   C:\Program Files\SpywareBlaster
2006-09-16 06:25   --------   d--------   C:\Documents and Settings\Teo\Application Data\Skype
2006-09-16 03:58   --------   d--------   C:\Program Files\jj4
2006-09-12 06:55   --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-09-12 06:18   --------   d--------   C:\Program Files\Warcraft III
2006-09-09 23:06   --------   d---s----   C:\Documents and Settings\Teo\Application Data\Microsoft
2006-08-27 00:10   14848   --a------   C:\WINDOWS\system32\drivers\6679828.sys
2006-08-26 20:22   --------   d--------   C:\Documents and Settings\Teo\Application Data\IMVU
2006-08-25 14:29   --------   d--------   C:\Program Files\IMVU
2006-08-25 13:21   14848   --a------   C:\WINDOWS\system32\drivers\584750.sys
2006-08-25 13:19   --------   d--------   C:\Program Files\LimeWire
2006-08-24 17:01   --------   d--------   C:\Program Files\Common Files
2006-08-24 16:33   --------   d--------   C:\Program Files\BT Engine
2006-08-24 15:32   --------   d--------   C:\Program Files\Yahoo!
2006-08-13 01:05   2829   --a------   C:\WINDOWS\War3Unin.pif
2006-08-13 01:05   139264   --a------   C:\WINDOWS\War3Unin.exe
2006-08-10 14:58   0   --a------   C:\WINDOWS\system32\setup_47167.exe
2006-08-10 13:18   --------   d--------   C:\Program Files\IGS
2006-08-09 17:33   --------   d--------   C:\Documents and Settings\Teo\Application Data\Sun
2006-08-09 17:32   --------   d--------   C:\Program Files\Java
2006-08-09 16:40   --------   d--------   C:\Program Files\BitComet
2006-08-09 16:33   --------   d--------   C:\Program Files\AWinstall
2006-08-08 14:37   --------   d--------   C:\Program Files\BeautyStrike1.6
2006-08-04 20:10   0   --a------   C:\WINDOWS\system32\cmmgr32.exe
2006-08-04 19:26   --------   d--------   C:\Program Files\SUPERAntiSpyware
2006-08-04 19:26   --------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2006-08-04 19:26   --------   d--------   C:\Documents and Settings\Teo\Application Data\SUPERAntiSpyware.com
2006-08-04 19:12   --------   d--------   C:\Program Files\EA GAMES
2006-08-03 16:56   0   --a------   C:\WINDOWS\system32\setup_60308.exe
2006-08-03 15:32   --------   d--------   C:\Program Files\Kaspersky Lab
2006-08-03 15:30   --------   d--------   C:\Program Files\WinRAR
2006-08-03 14:34   --------   d--------   C:\Documents and Settings\Teo\Application Data\Mozilla
2006-07-24 18:55   --------   d--------   C:\Documents and Settings\Teo\Application Data\Yahoo!
2006-07-21 01:30   72704   --a------   C:\WINDOWS\system32\hlink.dll
2006-07-18 10:53   32768   --a------   C:\WINDOWS\system32\cns.dll
2006-07-18 10:53   28672   --a------   C:\WINDOWS\system32\cns.exe
2006-07-13 01:50   595968   --a------   C:\WINDOWS\system32\xpsp2res.dll
2006-07-07 22:34   472   --a------   C:\WINDOWS\SysPPHash.dll
2006-07-07 22:34   2285   --a------   C:\WINDOWS\SysPPMultThd.dll
2006-07-07 22:30   24   --a------   C:\WINDOWS\PPGRefererURL.dll
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Arua"="\"C:\\WINDOWS\\System32\\RACLE~1\\nopdb.exe\" -vt yazr"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"jiajiasr"="C:\\Program Files\\jj4\\jiajiasr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"RaidTool"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"9xadiras"="9xadiras.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Drag'n'Drop_Autolaunch"="\"C:\\Program Files\\Iomega HotBurn Pro\\Autolaunch.exe\""
"Windows Recylinder Check"="yfsdkvowcq.exe"
"YLive.exe"="C:\\PROGRA~1\\Yahoo!\\ASSIST~1\\YLive.exe"
"yassistse"="\"C:\\PROGRA~1\\Yahoo!\\Assistant\\yassistse.exe\""
"PPGou.exe"="C:\\PROGRA~1\\PPGou2\\PPGou.exe Auto"
"StormCodec_Helper"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"KAVPersonal50"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe /minimize"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows Recylinder Check"="yfsdkvowcq.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 
Completion time: Wed 09/20/2006  2:55:57.01
ComboFix.txt



SDFix: Version 1.25
-------------------

Wed 09/20/2006
02:30 AM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Teo\Desktop\SDFix

                                Stage One...

Checking Services...

Name:
-----

Windows Spool Service

Path:
----

"C:\WINDOWS\wdfmgr.exe"


Windows Spool Service ... deleted


Repairing Registry...
 
Restoring Default Hosts File...
 
Stage One Complete
 
Rebooting!
 
                                 Stage Two...
 
Registry Cleaning Finished...
 
Checking For Malware Files:
--------------------------
 
C:\WINDOWS\system32\i
 
Backing Up and Removing any Files Found...
 
                                 Final Check:
 
Remaining Services:
------------------
 
Remaining Files:
--------------
 


*If Malware was detected, the files are stored in the SDFix\Backup Folder !

                                 *FINISHED*


Logfile of HijackThis v1.99.1
Scan saved at 2:53:40 AM, on 9/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\jj4\jiajiasr.exe
C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Teo\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://seek.3721.com/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.yisou.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: 雅虎助手 (Yahoo Assistant) - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [PPGou.exe] C:\PROGRA~1\PPGou2\PPGou.exe Auto
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [jiajiasr] C:\Program Files\jj4\jiajiasr.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: &使用皮皮狗[PPGou]加速下载 (Use PPGou to speed up the download) - C:\PROGRA~1\PPGou2\geturl.htm
O8 - Extra context menu item: &使用皮皮狗[PPGou]下载全部链接 (Use PPGou to download all links) - C:\PROGRA~1\PPGou2\getAll.htm
O8 - Extra context menu item: ???? - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 添加到雅虎订阅(&Y) (Add to Yahoo subscriptions) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Teo\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?sourc...mp;btn=yahoomsg (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150613442203
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

Offline guestolo

VBScript
« Reply #7 on: September 20, 2006, 01:15:29 PM »
WHAT VERSION OF NORTON'S DID YOU HAVE INSTALLED?

Can you do the following

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [jiajiasr] C:\Program Files\jj4\jiajiasr.exe


After you have ticked the above entries, close all other open windows,
including this one.
Leave Hijackthis open and click FIX CHECKED.
OK the prompt and exit Hijackthis.

Reboot your computer

Download and save to your desktop:
 F-Secure Blacklight (blbeta.exe)

    Double click to run blbeta.exe
    * Accept the user agreement.
    * Click Scan.
    * After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".
Post the log please

Also
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive

C:\WINDOWS\system32\drivers\6679828.sys <- this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for these files too please

C:\WINDOWS\system32\drivers\584750.sys
C:\Program Files\jj4\jiajiasr.exe
C:\WINDOWS\system32\setup_47167.exe

Did you intentionally install CHINESE KEYWORDS?

One last request
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as find.bat

Save this file on the desktop
 
Code:
@echo off
rem Export each registry key to a temporary .reg file and append that
rem export as text to Display.txt, then open the result in Notepad.
regedit /e C:\cp.reg "HKEY_CURRENT_USER\Software\Microsoft\OLE"
more C:\cp.reg >> C:\Display.txt
regedit /e C:\cp.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
more C:\cp.reg >> C:\Display.txt
regedit /e C:\cp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
more C:\cp.reg >> C:\Display.txt
rem A batch file waits for Notepad to close before it continues, so the
rem two temporary files are only deleted after you have read the output.
notepad C:\Display.txt
del /q c:\cp.reg
del /q C:\Display.txt

Double click on find.bat, a text file will open, copy>>paste back here the contents also please
« Last Edit: September 20, 2006, 01:16:21 PM by guestolo »

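The entries picked out for "Fix checked" above (a bare filename in Run and RunServices, a program under an 8.3-named folder in System32, a random-looking value name) are the kind of thing a reviewer spots by eye in a HijackThis log. As an added example, not code from this thread or from HijackThis, here is that triage written down as a small Python script, plus a SHA-256 helper so a file can be looked up on a multi-engine scanner by hash before it is uploaded. The sample log is constructed from lines of the log posted earlier in this thread; the heuristics, thresholds and wording of the reasons are assumptions of this example, and a hit is a prompt to look closer, not a verdict.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread, not a helper tool used in it. The heuristics
are assumptions modelled on what a reviewer checks by eye.
"""
import hashlib
import re

# Constructed sample input: autostart and service lines copied from the
# HijackThis log posted in the thread, cut down to the entries worth discussing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] yfsdkvowcq.exe
O4 - HKCU\..\Run: [Arua] "C:\WINDOWS\System32\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [dkbmf] C:\WINDOWS\System32\hvpsei.exe reg_run
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*?)( \(file missing\))?$")
# First executable token of a command line, quoted or not, with or without a path.
EXE_RE = re.compile(r'^\s*"?(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))"?(?=\s|$)', re.I)
# Five or more consonants in a row: a crude "random filename" detector (assumption).
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5,}")


def executable_of(command):
    """Return the program a Run value launches, without quotes or arguments."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command.strip().strip('"')


def check_autostart(key, name, command):
    """Reasons an O4 entry deserves a closer look; empty list means nothing odd."""
    exe = executable_of(command)
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename: resolved via the search path, not pinned to a directory")
    elif re.match(r"^[a-z]:\\+[^\\]+$", exe, re.I):
        reasons.append("executable dropped directly in the drive root")
    if key.lower() == "runservices":
        # NT-based Windows (2000/XP) does not process RunServices; only 9x/ME did.
        reasons.append("RunServices is a Windows 9x/ME key that XP ignores; "
                       "a legitimate XP installer has no reason to write it")
    if re.search(r"\\system32\\[^\\]*~\d+\\", exe, re.I):
        reasons.append("8.3 short-name subdirectory under System32 (long name probably unprintable)")
    for label in (name, stem):
        if CONSONANT_RUN.search(label.lower()):
            reasons.append(f"consonant-heavy, random-looking name {label!r} "
                           "(coarse heuristic; misfires on abbreviations)")
    return reasons


def check_service(display, owner, missing):
    """Reasons an O23 entry deserves a closer look."""
    reasons = []
    if missing:
        reasons.append("service binary not on disk: stale entry or a deleted dropper")
    if "microsoft" in display.lower() and owner.lower().startswith("unknown"):
        reasons.append("Microsoft-sounding display name but no publisher on the binary")
    return reasons


def triage(log_text):
    """Return [{'line', 'item', 'reasons'}] for every suspicious O4/O23 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            reasons = check_autostart(key, name, command)
            if reasons:
                findings.append({"line": line, "item": name, "reasons": reasons})
            continue
        m = O23_RE.match(line)
        if m:
            display, owner, _path, missing = m.groups()
            reasons = check_service(display, owner, bool(missing))
            if reasons:
                findings.append({"line": line, "item": display, "reasons": reasons})
    return findings


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    """Hash a file in chunks; look the digest up on a scanner before uploading."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run it as-is to see the sample triaged; pass your own saved log text to `triage()` and the paths of the flagged files to `sha256_of()` for real use. RaidTool, SUPERAntiSpyware and kavsvc come out clean; the four entries the helper asked to have fixed, the root-level defender24.exe, the bare 9xadiras.exe and the spoofed spooler service do not.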