
iexplorer.exe virus

Discussion in 'Malware and Virus Removal Archive' started by kwachee, 2006/11/28.

  1. 2006/11/28
    kwachee (Thread Starter)
    I have a problem.
    Whenever I play any online game it suddenly drops out to Windows because of this virus.
    I am using SP1. How do I remove this virus?
    Please help me.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:19:50 PM, on 11/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\pohkuan\Desktop\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E210D8CA-AF91-4039-9696-7DE2FA3C3FDA}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Clip Reporting - Unknown owner - C:\WINDOWS\cnd
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
     
  2. 2006/11/28
    TeMerc (Alumni)
    Hello and welcome to WindowsBBS Forums.

    Couple of things:

    Please follow these instructions exactly for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.

    You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New > Folder and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications, easily accessible if a restore is necessary.

    I would ask if that HJT log you presented was one made while in safe mode? If so, please create a new one in 'normal mode'. Also, please be sure you have no items in the 'ignore' list, as we need to see a complete list of everything that's running on your system, no matter how inconsequential you think it is.
     

  4. 2006/11/28
    kwachee (Thread Starter)
    Thanks for the reply.

    I have followed what you said.
    The following is taken from "normal mode":

    Logfile of HijackThis v1.99.1
    Scan saved at 11:21:17 PM, on 11/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\mysvcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Advanced Registry Doctor\RegManServ.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
    O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
    O4 - HKLM\..\RunOnce: [RUN1] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRADEFA2.DLL
    O4 - HKLM\..\RunOnce: [RUN2] C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALRSHL.EXE /REGSERVER
    O4 - HKLM\..\RunOnce: [RUN3] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSCL2.DLL
    O4 - HKLM\..\RunOnce: [RUN4] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\IRALSCLT.DLL
    O4 - HKLM\..\RunOnce: [RUN5] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRALSUI.DLL
    O4 - HKLM\..\RunOnce: [RUN6] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\IRAVCOBJ.DLL
    O4 - HKLM\..\RunOnce: [RUN7] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRCTRL.DLL
    O4 - HKLM\..\RunOnce: [RUN8] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LRRES.DLL
    O4 - HKLM\..\RunOnce: [RUN9] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSCTRL.DLL
    O4 - HKLM\..\RunOnce: [RUNA] C:\WINDOWS\System32\regsvr32.exe /s C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\LSPLUGIN.DLL
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E210D8CA-AF91-4039-9696-7DE2FA3C3FDA}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Clip Reporting - Unknown owner - C:\WINDOWS\cnd
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
     
  5. 2006/11/28
    TeMerc (Alumni)
    Ok, well you have a very nice trim machine running, no extras.

    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    First thing we need to do is stop the Clip Reporting service:
    Go to: Start > Run > type "services.msc", then click OK.

    When the Services window appears, scroll down to the Clip Reporting service.

    Click it to highlight it, then right-click and select: Properties
    Select and set the "Service Status" option to "Stop"
    Select "Startup type" and set it to "Disabled", click Apply, then OK.


    I have a question about one of the programs referenced in your HJT log.
    Do you know what Blueserver is? It is in the 02 line, a BHO:
    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll

    If this is a legit application, ignore all related fixes below.


    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, highlight and select 'End Task' on the following process(es), if present:
    C:\WINDOWS\System32\mysvcc.exe


    Then hit your 'Start' button, select 'Control Panel' and click on 'Add or Remove Programs'. Then find the following programs and click the 'Change|Remove' button for each, if they are listed:
    Blueserver


    Open HijackThis, select the 'Do a system scan only' button and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button. When you are doing this, make sure you have no IE windows, nor any other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll


    O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe

    O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe


    O17 - HKLM\System\CCS\Services\Tcpip\..\{E210D8CA-AF91-4039-9696-7DE2FA3C3FDA}: NameServer = 202.188.0.133 202.188.1.5 <<<This line refers to an IP located in Malaysia; if this is your location, ignore this entry


    O23 - Service: Clip Reporting - Unknown owner - C:\WINDOWS\cnd



    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked, then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\blueserver<<<<---this folder
    C:\WINDOWS\System32\mysvcc.exe<<<--this file
    C:\WINDOWS\cnd<<<--this file
    mysvcc.exe<<<--this file



    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
  6. 2006/11/29
    kwachee (Thread Starter)
    Hi,

    I have followed the steps carefully but can't find the files below:
    O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe

    O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E210D8CA-AF91-4039-9696-7DE2FA3C3FDA}: NameServer = 202.188.0.133 202.188.1.5 <<<This line refers to an IP located in Malaysia; if this is your location, ignore this entry

    O23 - Service: Clip Reporting - Unknown owner - C:\WINDOWS\cnd

    Blueserver is a legit application, and I live in Malaysia. This is my new HJT log.
    This time I enabled all the startup programs before making the HJT log; I hope that is right.
    P.S. My English is poor, sorry about that.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:27:33 PM, on 11/29/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    C:\WINDOWS\vsnppro.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Prevx1\PXConsole.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Advanced Registry Doctor\RegManServ.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WebThunder] d:\Thunder Network\WebThunder\WebThunder.exe
    O4 - HKLM\..\Run: [Tray] C:\WINDOWS\command\rundll32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [snppro] C:\WINDOWS\vsnppro.exe
    O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
    O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe "
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [navpens] C:\WINDOWS\System32\agetltys.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [conime] C:\WINDOWS\conime.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
     
  7. 2006/11/29
    TeMerc (Alumni)
    Ok, looks as though we have some new stuff here.

    We're going to fix a few things and have you run a couple of file searching tools as well.


    Be sure to disable any realtime monitoring you have on board, like SuperAntiSpyware or the like. It may interfere with the fixing we do with HJT.


    First download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    Once that has been run:

    Download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    Then select 'Yes' to confirm the search.
    When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.


    Then finally:
    Run HJT, and place a check next to the following lines, some may no longer be present due to the other scans\procedures, then, with all browsers and windows closed, hit 'Fix checked':

    O4 - HKLM\..\Run: [Tray] C:\WINDOWS\command\rundll32.exe

    O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe

    O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe

    O4 - HKLM\..\Run: [navpens] C:\WINDOWS\System32\agetltys.exe

    O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKCU\..\Run: [conime] C:\WINDOWS\conime.exe


    Reboot into 'Safe mode', and search for, then delete, if found, the following files/folders:
    C:\WINDOWS\down<<<<---this folder
    C:\WINDOWS\command<<<<---this folder
    C:\WINDOWS\conime.exe<<<--this file **Please note file path, there may be a legit file of same name, but in a different location on your computer.
    C:\WINDOWS\System32\agetltys.exe<<<--this file
    syshost.exe<<<--this file


    Reboot, and when back in Normal Mode run HJT and post a new HJT log back into this thread, please.
     
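The checks TeMerc applies by eye in the two fix lists above (a system binary name sitting in a non-system folder, a bare filename with no path, a DNS override that has to be verified against the user's location, an unknown-owner service with an odd image path) can be written down as detection logic. This is an added example, not code from the thread or from HijackThis; it runs over constructed sample lines modelled on the log, and the %systemroot% expansion and the list of commonly mimicked binaries are assumptions.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the entries this
# thread discusses. Added example data, not the original poster's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Tray] C:\WINDOWS\command\rundll32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E210D8CA-AF91-4039-9696-7DE2FA3C3FDA}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Clip Reporting - Unknown owner - C:\WINDOWS\cnd
"""

# Windows binaries whose names malware likes to reuse (assumed list); one of these
# living outside the real system directories is the pattern behind the thread's
# three rundll32.exe entries.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe",
                   "winlogon.exe", "csrss.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
SYSTEMROOT = r"C:\WINDOWS"  # assumed expansion of %systemroot% on this host

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def image_path(command: str) -> str:
    """Executable part of a command line (quoted path taken whole, else first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_o4(line: str) -> list[str]:
    """Reasons an O4 autorun entry looks wrong; empty list if none."""
    m = O4_RE.match(line)
    if not m:
        return []
    key, command = m.group(2), m.group(4)
    path = image_path(command)
    if path.lower().startswith("%systemroot%"):
        path = SYSTEMROOT + path[len("%systemroot%"):]
    reasons: list[str] = []
    if "\\" not in path:
        # No directory at all: the loader resolves the name via the search path,
        # which real installers never rely on (syshost.exe, mysvcc.exe).
        reasons.append(f"bare filename {path!r} with no directory")
    else:
        directory, _, filename = path.lower().rpartition("\\")
        if filename in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            reasons.append(f"{filename} outside the system directories: {path}")
    if key.lower() == "runservices":
        # Windows 9x-era key that XP-era software rarely touches; a second launch point.
        reasons.append("uses the legacy RunServices key")
    return reasons


def check_o17(line: str, expected_dns: frozenset[str]) -> list[str]:
    """A NameServer override is fine only when every resolver is one the user
    expects (their ISP's); otherwise hand it back for a manual location check."""
    m = O17_RE.match(line)
    if not m:
        return []
    unknown = [s for s in m.group(1).split() if s not in expected_dns]
    return [f"DNS override to unverified resolvers: {' '.join(unknown)}"] if unknown else []


def check_o23(line: str) -> list[str]:
    """A service with no vendor and an image path that is not even an executable name."""
    m = O23_RE.match(line)
    if not m:
        return []
    _name, owner, path = m.groups()
    last = path.strip().rpartition("\\")[2]
    if owner == "Unknown owner" and "." not in last:
        return [f"unknown-owner service with extensionless image path: {path}"]
    return []


def triage(log: str, expected_dns: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_o4(line) + check_o17(line, expected_dns) + check_o23(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, *("    -> " + r for r in why), sep="\n")
```

Pass the resolvers the user's ISP actually hands out as `expected_dns` to silence the O17 finding, which mirrors the "if this is your location, ignore this entry" caveat in the thread.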
  8. 2006/11/30
    kwachee (Thread Starter)
    Hi, it looks quite complex.
    I tried my best to follow your steps.
    Below is the result. Have a nice day.

    COMBOFIX

    pohkuan - 06-11-30 15:19:32.17 Service Pack 1
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\pohkuan\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\pohkuan\Application Data\Install.dat
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\All Users.WINDOWS\Documents\Settings


    ((((((((((((((((((((((((((((((( Files Created from 2006-10-30 to 2006-11-30 ))))))))))))))))))))))))))))))))))


    2006-11-29 23:04 61,072 --a------ C:\WINDOWS\system32\drivers\klick.sys
    2006-11-29 23:04 59,536 --a------ C:\WINDOWS\system32\drivers\klin.sys
    2006-11-29 23:03 <DIR> d-------- C:\Kaspersky Anti Virus Personal 5.0.383
    2006-11-28 23:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2006-11-28 23:35 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\SUPERAntiSpyware.com
    2006-11-28 23:17 <DIR> d-------- C:\HJT
    2006-11-28 22:54 <DIR> d-------- C:\Program Files\Advanced Registry Doctor
    2006-11-28 20:52 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\Lavasoft
    2006-11-28 20:18 50,176 --a------ C:\WINDOWS\system32\msdll.dll
    2006-11-28 17:25 <DIR> d--hs---- C:\FOUND.000
    2006-11-28 16:27 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files(2)
    2006-11-28 15:35 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\WinPatrol
    2006-11-28 15:17 <DIR> d-------- C:\Program Files\Registry Mechanic
    2006-11-28 01:16 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\Uniblue
    2006-11-28 00:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2006-11-28 00:51 <DIR> d-------- C:\Program Files\Registrar Registry Manager
    2006-11-28 00:43 <DIR> d-------- C:\Program Files\Reg Organizer(2)
    2006-11-28 00:30 <DIR> d-------- C:\Program Files\RegFix Mantra
    2006-11-28 00:12 <DIR> d-------- C:\WINDOWS\Prefetch
    2006-11-28 00:05 226,304 --a------ C:\WINDOWS\system32\srrstr.dll
    2006-11-28 00:05 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
    2006-11-28 00:05 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2006-11-28 00:05 <DIR> d-------- C:\Program Files\Common Files\Services
    2006-11-28 00:04 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll
    2006-11-28 00:04 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
    2006-11-28 00:04 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
    2006-11-28 00:04 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
    2006-11-28 00:04 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
    2006-11-28 00:04 113,944 --a------ C:\WINDOWS\system32\wuauclt.exe
    2006-11-28 00:04 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
    2006-11-28 00:04 <DIR> d-------- C:\Program Files\ComPlus Applications
    2006-11-28 00:01 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
    2006-11-27 23:59 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2006-11-27 23:59 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2006-11-27 00:16 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
    2006-11-27 00:16 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
    2006-11-27 00:16 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
    2006-11-27 00:16 272,256 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
    2006-11-27 00:16 18,560 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
    2006-11-27 00:16 13,568 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
    2006-11-27 00:16 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
    2006-11-27 00:16 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
    2006-11-27 00:16 <DIR> d-------- C:\Program Files\Prevx1
    2006-11-27 00:16 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\Prevx
    2006-11-27 00:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
    2006-11-26 23:52 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2006-11-26 23:52 367,104 --a------ C:\WINDOWS\system32\aswBoot.exe
    2006-11-26 23:52 14,704 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2006-11-26 20:51 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-11-26 20:51 104,144 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2006-11-26 20:51 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\Symantec
    2006-11-26 11:54 <DIR> d-------- C:\Documents and Settings\pohkuan\www.google.com
    2006-11-26 11:35 <DIR> d-------- C:\WINDOWS\inet20125
    2006-11-25 15:25 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\Google
    2006-11-25 15:19 137 --a------ C:\WINDOWS\system32\delmeexe.bat
    2006-11-25 15:19 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
    2006-11-25 12:41 3,672 --a------ C:\WINDOWS\system32\norton.sys
    2006-11-24 22:33 11,224 --a------ C:\WINDOWS\~tmp8645.exe
    2006-11-24 19:40 42,496 --a------ C:\WINDOWS\tdll.dll
    2006-11-24 19:31 40,448 --a------ C:\WINDOWS\system32\wldll.dll
    2006-11-22 22:37 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
    2006-11-21 21:52 <DIR> d-------- C:\Documents and Settings\pohkuan\Application Data\Mozilla
    2006-11-09 23:49 32,512 --a------ C:\WINDOWS\system32\drivers\npf.sys
    2006-11-09 23:48 114,330 --a------ C:\WINDOWS\system32\root2.exe
    2006-11-09 23:47 236,544 --a------ C:\WINDOWS\system32\root1.exe
    2006-11-08 22:02 39,936 --a------ C:\WINDOWS\rxdll.dll
    2006-11-08 22:02 <DIR> d-------- C:\WINDOWS\down
    2006-11-02 18:27 <DIR> d-------- C:\Program Files\Thunder Network


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-24 22:33 11224 --a------ C:\WINDOWS\~tmp8645.exe
    2006-10-26 20:15 -------- d-------- C:\Program Files\Microsoft
    2006-10-24 20:14 -------- d-------- C:\Documents and Settings\pohkuan\Application Data\Apple Computer
    2006-10-24 20:05 -------- d-------- C:\Program Files\QuickTime
    2006-09-30 19:12 -------- d-------- C:\Program Files\MP4 Converter
    2006-09-16 01:16 24576 --a------ C:\WINDOWS\system32\DllReg.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,90,01,00,00,00,00,00,00,90,01,00,00,3a,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,90,01,00,00,00,00,00,00,90,01,00,00,3a,02,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{6E44887F-5214-41F2-AB46-4728735C4CC6}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.exe.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.exe.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE"
    "item"="Adobe Gamma Loader.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE"
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
    "backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe"
    "item"="HP Digital Imaging Monitor"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Windows Desktop Search.lnk"
    "backup"="C:\\WINDOWS\\pss\\Windows Desktop Search.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MSNTOO~1\\DS\\020500~1.111\\en-us\\bin\\WINDOW~3.EXE /startup"
    "item"="Windows Desktop Search"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
    "backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE"
    "item"="WinZip Quick Pick"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="apdproxy"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\conime]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="conime"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\conime.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hpztsb12"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="IMJPMIG"
    "hkey"="HKLM"
    "command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="kav"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dumprep 0 -k"
    "hkey"="HKLM"
    "command"="%systemroot%\\system32\\dumprep 0 -k"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows System]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="syshost"
    "hkey"="HKLM"
    "command"="syshost.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnmsgr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ImScInst"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\navpens]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="agetltys"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\agetltys.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="pccguide"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccguide.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="TINTSETP"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="TINTSETP"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PXConsole"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\r]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="rundll32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\down\\rundll32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rzt]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="rundll32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\Intel\\rundll32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snppro]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="vsnppro"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\vsnppro.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Application Launcher"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\j2re1.4.2_02\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="rundll32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\command\\rundll32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebThunder]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WebThunder"
    "hkey"="HKLM"
    "command"="d:\\Thunder Network\\WebThunder\\WebThunder.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wl]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="svhost32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\Download\\svhost32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "kavsvc"=dword:00000002
    "wuauserv"=dword:00000002

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-11-30 15:20:27.84
    C:\ComboFix.txt ... 06-11-30 15:20
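The startupreg section of the ComboFix log above lists every Run value msconfig knows about, legitimate vendor entries mixed with entries such as three separate copies of rundll32.exe outside System32, a bare syshost.exe with no path, and svhost32.exe under C:\WINDOWS\Download. The triage heuristic below is an added example written for this page; it is not a tool the thread's helpers used and not part of any post. Its sample entries are constructed from the startupreg values in the log, the reference list of System32 binaries and the %systemroot% expansion are assumptions, and a flag is a prompt to go and inspect the file, not a malware verdict.

```python
"""Heuristic triage of Windows Run-key entries (ComboFix / HijackThis style).

Added example for this thread, not a tool the helpers used. The sample
entries are constructed from the msconfig\\startupreg values in the posted
ComboFix log; the reference binary list and the %systemroot% expansion are
assumptions. A flag is a prompt to inspect the file, not a malware verdict.
"""
import ntpath
import re

# Assumption: a minimal reference set of binaries whose genuine copy lives in
# %SystemRoot%\System32. Kept small on purpose to limit near-miss false hits.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "ctfmon.exe", "conime.exe"}
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
ENV = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}  # assumed expansion

# Constructed from the posted log's startupreg section (registry escaping removed).
SAMPLE_RUN_ENTRIES = [
    ("Adobe Photo Downloader", r'"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"'),
    ("KAVPersonal50", r'"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize'),
    ("conime", r"C:\WINDOWS\conime.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\System32\ctfmon.exe"),
    ("HP Software Update", r"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"),
    ("KernelFaultCheck", r"%systemroot%\system32\dumprep 0 -k"),
    ("Microsoft Windows System", r"syshost.exe"),
    ("navpens", r"C:\WINDOWS\System32\agetltys.exe"),
    ("r", r"C:\WINDOWS\down\rundll32.exe"),
    ("rzt", r"C:\WINDOWS\Intel\rundll32.exe"),
    ("snppro", r"C:\WINDOWS\vsnppro.exe"),
    ("Tray", r"C:\WINDOWS\command\rundll32.exe"),
    ("wl", r"C:\WINDOWS\Download\svhost32.exe"),
]


def extract_image(command):
    """Return the executable path from a Run value, dropping its arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted image path
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: cut at the first executable extension.
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""         # no extension, e.g. dumprep


def normalise(image):
    """Lower-case the path and expand the environment variables we know about."""
    low = image.lower()
    for var, value in ENV.items():
        low = low.replace(var, value)
    return low


def levenshtein(a, b):
    """Plain edit distance, used to spot masquerading file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(basename):
    """Name without extension or digits: svhost32.exe -> svhost."""
    return re.sub(r"\d", "", ntpath.splitext(basename)[0])


def reasons_for(command):
    """Apply three rules to one Run value and return the reasons that fired."""
    directory, basename = ntpath.split(normalise(extract_image(command)))
    reasons = []
    if not directory:
        reasons.append("bare filename: located by PATH search, not a fixed location")
    if basename in SYSTEM_BINARIES and directory not in SYSTEM32_DIRS:
        reasons.append(f"{basename} is a System32 binary name but runs from {directory or 'no path'}")
    if basename not in SYSTEM_BINARIES and len(stem(basename)) >= 5:
        for ref in sorted(SYSTEM_BINARIES):      # near-miss of a system binary name
            d = levenshtein(stem(basename), stem(ref))
            if 0 < d <= 2:
                reasons.append(f"{basename} is {d} edit(s) away from {ref}")
    return reasons


def triage(entries):
    """Map entry name -> reasons, for entries that tripped at least one rule."""
    flagged = {}
    for name, command in entries:
        reasons = reasons_for(command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(f"[{name}]")
        for reason in reasons:
            print("   ", reason)
```

Run stand-alone it flags conime, Microsoft Windows System, r, rzt, Tray and wl and leaves the vendor entries alone; the near-miss rule deliberately ignores stems shorter than five characters (kav) and exact System32 names, because at a threshold of two edits short names produce far more noise than signal. Anything it flags still has to be confirmed by looking at the file itself (signature, version resource, hash).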
     
  9. 2006/11/30, kwachee (thread starter)
    SILENT RUNNER

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize" ["Kaspersky Lab"]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
    \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {55EA1964-F5E4-4D6A-B9B2-125B37655FCB}\(Default) = "Malicious Scripts Scanner"
    -> {HKLM...CLSID} = "URLDetector Class"
    \InProcServer32\(Default) = "C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll" ["Prevx Ltd."]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "MSN Search Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
    -> {HKLM...CLSID} = "Windows Desktop Search"
    \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\EXT\02.05.0001.1119\en-us\msnlExt.dll" [MS]
    "{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"
    -> {HKLM...CLSID} = "MSN Search Deskbar"
    \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-us\deskbar.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


    Default executables:
    --------------------

    HKCU\Software\Classes\.bat\(Default) = (value not set)

    HKCU\Software\Classes\.cmd\(Default) = (value not set)

    HKCU\Software\Classes\.com\(Default) = (value not set)

    HKCU\Software\Classes\.exe\(Default) = (value not set)

    HKCU\Software\Classes\.hta\(Default) = (value not set)


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\Documents and Settings\pohkuan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\pohkuan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
    -> {HKLM...CLSID} = "MSN Search Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
    -> {HKLM...CLSID} = "MSN Search Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]
    "{83EF376D-8874-4769-A2E7-7096480E7DEF}"
    -> {HKLM...CLSID} = "blueserver toolbar"
    \InProcServer32\(Default) = "C:\Program Files\blueserver\tbblu1.dll" ["Conduit Ltd."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
    -> {HKLM...CLSID} = "MSN Search Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]
    "{83EF376D-8874-4769-A2E7-7096480E7DEF}" = "blueserver Toolbar"
    -> {HKLM...CLSID} = "blueserver toolbar"
    \InProcServer32\(Default) = "C:\Program Files\blueserver\tbblu1.dll" ["Conduit Ltd."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
    -> {HKLM...CLSID} = "Web Browser Applet Control"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

    {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}\

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Messenger "
    "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
    Prevx Agent, PREVXAgent, ""C:\Program Files\Prevx1\PXAgent.exe" -f" ["Prevx"]
    Registry Management Service, RegManServ, "C:\Program Files\Advanced Registry Doctor\RegManServ.exe" [null data]
    Remote Procedure Call System(RPCS), RpcS, "C:\WINDOWS\System32\RpcS.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
    hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 89 seconds.
    ---------- (total run time: 276 seconds)


    HJT LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 3:47:48 PM, on 11/30/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    C:\WINDOWS\vsnppro.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Prevx1\PXAgent.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
    C:\Program Files\Advanced Registry Doctor\RegManServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WebThunder] d:\Thunder Network\WebThunder\WebThunder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [snppro] C:\WINDOWS\vsnppro.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
     
  10. 2006/11/30
    kwachee Inactive Thread Starter
    By the way, I have been using Prevx1; it can detect iexplorer.exe and blocked it...
    And I checked on it; what it shows is below... Is this a virus?

    Date/Time
    11/30/2006 - 5:21:39 PM
    Event
    Internet Explorer has been blocked from modifying physical memory.
    Vendor
    Microsoft Corporation
    Version
    Internet Explorer

    IEXPLORE.EXE - Determination: Good
    IEXPLORE.EXE
    AUTOMATED SOFTWARE PROFILE, ANALYSIS, REMOVAL AND SIGNATURE INFORMATION:
    DEFINITION OF: IEXPLORE.EXE
    Safety Rating: Safe
    First seen: Jul 8 2005 (GMT)
    Last seen: Today (GMT)
    File Size: 91,136 bytes
    SOFTWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY
    1. COVERT ANALYSIS OF: IEXPLORE.EXE
    File Names Used: 367
    Paths Used: 402
    Common File Name: IEXPLORE.EXE
    Common Path: %PROGRAMFILES%\INTERNET EXPLORER\
    Vendor Information: Microsoft Corporation
    Product Information: Internet Explorer
    Version Information: 6.00.2800.1106
    IEXPLORE.EXE may use 367 or more path and file names, these are the most common:
    1 :%PROGRAMFILES%\INTERNET EXPLORER\EWIDO-SETUP[1].EXE
    2 :%PROGRAMFILES%\INTERNET EXPLORER\FLASHMENU138_PATCH_FOR_UGURU.....EXE
    3 :%PROGRAMFILES%\INTERNET EXPLORER\GRAPCON6.EXE
    4 :%PROGRAMFILES%\INTERNET EXPLORER\IEXPLOREPON.EXE
    5 :%PROGRAMFILES%\INTERNET EXPLORER\INTERNET EXPLORER.EXE
    6 :%PROGRAMFILES%\INTERNET EXPLORER\LPHANT-V2.01-INSTALLER.EXE
    7 :%PROGRAMFILES%\INTERNET EXPLORER\RW2_021_W02_ITA.EXE
    8 :%PROGRAMFILES%\INTERNET EXPLORER\WR2_DEMO_SKODA.EXE
    9 :%PROGRAMFILES%\INTERNET EXPLORER\XPSP1_DE_X86.EXE
    10:%PROGRAMFILES%\INTERNET EXPLORER\YPHOTOS_SETUP_FR[1].EXE
    File Name Structure: Normal
    File and Path Structure: Suspicious, unusually high number of file and path combinations
    2. RELATIONSHIP ANALYSIS OF: IEXPLORE.EXE
    Malicious Objects Created: 12615 objects
    Malicious Creators: 74
    Malware Run Keys: Creates registry run keys for known malware objects
    Self Persists: Yes, creates copies of itself
    Antivirus Detection: Yes, detected by one or more 3rd party Antivirus product
    Anti-Spyware Detection: Yes, detected by one or more 3rd party Anti-Spyware product
    3. ACTIVITY ANALYSIS OF: IEXPLORE.EXE
    The following behaviors have been observed for this object:
    Installs programs.
    Deletes programs.
    Invokes activex components.
    Invokes dll components.
    Registers Browser Help Objects.
    Creates Run Keys.
    Creates Run Once Keys.
    Modifies the hostsfile.
    Runs other programs.
    Runs temporary programs.
    Runs other programs.
    Violates physical memory protection.
    Communicates with web sites using httpout protocols.
    Has mass mail capabilities.
    Communicates with other computers across the web.
    Scans active processes.
    Modifies Browser Search Settings.
    Modifies Browser Home Page Settings.
    Modifies Browser Toolbar Settings.
    Modifies the Windows Restore Area.
    Changes file execution mappings.
    Terminates processes.
    Hijacks running processes.
    Participates in chat rooms.
    Has outbound communications.
    Inspects email address books.
    Sends mail using your email program.
    Transmits files using FTP protocols.
    Installs programs to run as a service.
    Could log keystrokes.
    Creates registry entries.
    Creates run keys for known malware.
    Creates cautioned software.
    Creates known malware.
    Creates copies of itself.
    Modifies Vulnerable System Files.
    4. PROPAGATION ANALYSIS OF: IEXPLORE.EXE
    Object Propagation Rate: Very Low (minimal spread)
    Copyright Prevx Limited 2005, 2006
     
  11. 2006/11/30
    TeMerc Inactive Alumni
    Ok, looks like we found some more nasties.

    Let's take 'em out!

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\msdll.dll
    C:\FOUND.000
    C:\WINDOWS\inet20125
    C:\WINDOWS\system32\delmeexe.bat
    C:\WINDOWS\system32\norton.sys
    C:\WINDOWS\~tmp8645.exe
    C:\WINDOWS\tdll.dll
    C:\WINDOWS\system32\wldll.dll
    C:\WINDOWS\system32\ImageOle.dll
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\root2.exe
    C:\WINDOWS\system32\root1.exe
    C:\WINDOWS\rxdll.dll
    C:\WINDOWS\down
    C:\WINDOWS\~tmp8645.exe
    C:\WINDOWS\Download\svhost32.exe


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not reboot yet.

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
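The entry TeMerc singles out for "Fix checked" is the HJT O4 line whose binary is named almost like a Windows system process (svhost32.exe vs. svchost.exe) and runs from an unusual folder (C:\WINDOWS\Download). The script below is an added example, not part of this thread, HijackThis, Prevx or Killbox: it applies that same by-eye reasoning to O4 Run-key lines, flagging names within one edit of a system-process name and autostart binaries in odd subfolders of C:\WINDOWS. The sample lines are copied from the log posted above; the system-name list, the edit-distance threshold and the folder rule are assumptions chosen for illustration, not HijackThis logic.

```python
"""Triage HijackThis O4 autostart lines for system-process lookalikes.

Added example for this thread; it is not part of HijackThis, Prevx or
Killbox. The sample lines are a subset of the O4 entries from the posted
log; the name list, the edit-distance threshold and the folder rule are
assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 Run-key lines copied from the HJT log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Only HKLM/HKCU Run-key lines are parsed; Global Startup .lnk lines are skipped.
O4_RUN = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|bat|com|scr|pif|dll)\b", re.IGNORECASE)

# Assumption: names of core XP processes that malware commonly imitates.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer", "spoolsv"}
LOOKALIKE_DISTANCE = 1  # assumption: one edit away from a system name counts as a lookalike
WINDIR = "c:\\windows\\"
OK_WINDIR_SUBFOLDERS = {"system32", "ime"}  # assumption: normal homes for XP autostart binaries


@dataclass
class Finding:
    line: str
    reasons: List[str]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(cmd: str) -> Optional[str]:
    """Pull the executable path out of an O4 command string."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def unusual_location(path: str) -> bool:
    """True for a binary under C:\\WINDOWS in a subfolder other than the expected ones."""
    p = path.lower()
    if not p.startswith(WINDIR):
        return False  # Program Files and other drives are not judged by this rule
    rest = p[len(WINDIR):]
    if "\\" not in rest:
        return False  # directly inside C:\WINDOWS is common for legitimate software
    return rest.split("\\", 1)[0] not in OK_WINDIR_SUBFOLDERS


def triage(log_text: str) -> List[Finding]:
    """Return the O4 Run-key lines that trip at least one heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if not m:
            continue
        path = extract_path(m.group("cmd"))
        if path is None:
            continue
        filename = path.rsplit("\\", 1)[-1]
        # Strip extension and trailing digits so svhost32 compares as "svhost".
        stem = re.sub(r"\d+$", "", filename.rsplit(".", 1)[0].lower())
        in_system32 = path.lower().startswith(WINDIR + "system32\\")
        reasons: List[str] = []
        if stem in SYSTEM_NAMES and not in_system32:
            reasons.append(f"system process name {stem!r} outside System32")
        elif stem not in SYSTEM_NAMES:
            near = sorted(s for s in SYSTEM_NAMES if edit_distance(stem, s) <= LOOKALIKE_DISTANCE)
            if near:
                reasons.append(f"name resembles system process {near[0]!r}")
        if unusual_location(path):
            reasons.append("autostart binary in an unusual Windows subfolder")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, only the `[wl] C:\WINDOWS\Download\svhost32.exe` line is reported, with both reasons; the Kaspersky, QuickTime, Winamp and ctfmon entries pass. The heuristics are deliberately narrow (edit distance of one, a short allow-list of Windows subfolders) so that a log full of legitimate OEM and IME autostarts does not drown the one entry worth looking at; widen them only after checking what they pick up on a clean machine.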
     
  12. 2006/12/02
    kwachee Inactive Thread Starter
    Thanks thanks thanks

    :D Very happy the virus has been beaten by you....
    Now my computer is safe..
    Thanks for helping me solve the problem...
    I really want to say a thousand thanks to you....
    thanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanks
     
  13. 2006/12/02
    TeMerc Inactive Alumni
    I still need those logs, we need to be sure everything is gone.
     
  14. 2006/12/02
    kwachee Inactive Thread Starter
    Hi, the latest logfile...
    Is everything OK?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:42:39 PM, on 12/3/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E210D8CA-AF91-4039-9696-7DE2FA3C3FDA}: NameServer = 202.188.0.133 202.188.1.5
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
     
  15. 2006/12/02
    TeMerc Inactive Alumni
    HJT log appears to be ok, but we still need a new ComboFix log; that's the tool that found a lot of the junk.
     
