
Solved Windows updates problem [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by ben123456, 2007/09/19.

  1. 2007/09/19
    ben123456

    ben123456 Inactive Thread Starter

    Joined:
    2007/09/17
    Messages:
    24
    Likes Received:
    0
    [Resolved]Windows updates problem [HJT log]

    The result is as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:42:43, on 19/9/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\System32\khooker.exe
    C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\windows\System32\ctfmon.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\shadow\ShadowService.exe
    C:\windows\system32\slserv.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {BF166239-69C6-37AD-2AFB-75469D2E2229} - xsetup.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [WMC_AutoUpdate] ;
    O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [RunShadowTip] C:\WINDOWS\System32\shadow\ShadowTip.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\windows\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\windows\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {BF69DF00-4734-477F-8257-27CD04F88779} - (no file) (HKCU)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189911861128
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: NameServer = 85.255.115.91,85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113
    O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Shadow System Service (ShadowSystemService) - Unknown owner - C:\WINDOWS\System32\shadow\ShadowService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\windows\SYSTEM32\slserv.exe

    Are there any spyware / viruses? Thanks for your help anyway!
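As an added example (not code from the forum, from HijackThis or from any of the tools named in this thread), a small Python triage script that applies the checks a helper would make on a log like the one above: O17 NameServer entries outside private/loopback ranges, an O20 AppInit_DLLs value that is not a DLL, hooks marked "(file missing)", and O4 Run entries given as a bare file name. The sample lines are constructed, modelled on the kinds of entries in this thread; treating a Run value that begins with ";" as disabled is an assumption of this example.

```python
"""Triage checks over HijackThis 1.99-style log lines (added example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {BF166239-69C6-37AD-2AFB-75469D2E2229} - xsetup.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [windows auto update] ; msblast.exe
O4 - HKCU\..\Run: [systemdll] Brong32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")


def rogue_nameservers(line: str) -> List[str]:
    """Return NameServer addresses in an O17 line that are neither private nor loopback.

    A statically set public resolver is not proof of compromise on its own (an
    ISP resolver is public too); the thing to compare against is the
    DHCP-assigned DhcpNameServer, as the SmitfraudFix DNS section does.
    """
    m = O17_RE.match(line)
    if not m:
        return []
    rogue = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address; ignore stray tokens
        if not (ip.is_private or ip.is_loopback):
            rogue.append(token)
    return rogue


def appinit_non_dll(line: str) -> List[str]:
    """AppInit_DLLs is loaded into every process that links user32; anything
    listed there that is not a .dll path is out of place.  Values are space- or
    comma-separated, so paths containing spaces are not supported here."""
    m = O20_RE.match(line)
    if not m:
        return []
    return [p for p in re.split(r"[,\s]+", m.group("value").strip())
            if p and not p.lower().endswith(".dll")]


def executable_of(cmd: str) -> str:
    """First token of a Run value: a quoted path or the bare first word."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def run_entry_issue(line: str) -> Optional[Tuple[str, str]]:
    """Classify an O4 Run entry.

    ('disabled', exe)  value data begins with ';' (assumed commented out here)
    ('bare-name', exe) executable given without a directory, so it resolves via
                       the search path and cannot be tied to a known install
    None               nothing to report
    """
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith(";"):
        return ("disabled", cmd.lstrip("; "))
    exe = executable_of(cmd)
    if "\\" not in exe:
        return ("bare-name", exe)
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run every check over each line; returns (finding-type, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(("orphan", line))  # stale hook pointing at a deleted file
        for ip in rogue_nameservers(line):
            findings.append(("dns", ip))
        for path in appinit_non_dll(line):
            findings.append(("appinit", path))
        issue = run_entry_issue(line)
        if issue and issue[0] == "bare-name":
            findings.append(("run-bare", issue[1]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:9s} {detail}")
```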
     
  2. 2007/09/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ben123456

    OK lets start cleaning this up.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

    Next do this,

    Please download FixWareout from here:
    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

    Please post the SmitfraudFix log, the Fixwareout log and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #2

  5. 2007/09/20
    ben123456

    ben123456 Inactive Thread Starter

    Joined:
    2007/09/17
    Messages:
    24
    Likes Received:
    0
    After being fixed by Fixwareout & SmitfraudFix, Windows Updates is solved and the wallpaper can be changed; however, there is still a problem, i.e. my PC is too slow to boot.

    Latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:18:42, on 21/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\windows\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\windows\system32\slserv.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {BF166239-69C6-37AD-2AFB-75469D2E2229} - xsetup.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Gnetmous] ; C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [AutoMailChecker] ; C:\Program Files\STC\AutoMailChkr\MailChkr.exe
    O4 - HKLM\..\Run: [CHotkey] ; mHotkey.exe
    O4 - HKLM\..\Run: [Chrontel TV] ; C:\WINDOWS\System32\ch_utility.exe
    O4 - HKLM\..\Run: [CJAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\ChangJie\CINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [clsport] ; C:\GPQ\clsport.exe
    O4 - HKLM\..\Run: [FAhid] ; C:\GPQ\Fahid.exe
    O4 - HKLM\..\Run: [ICQ Lite] ; C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [LOPTCON] ; bhoserv.exe
    O4 - HKLM\..\Run: [newbreed] ; uio.exe
    O4 - HKLM\..\Run: [PHAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [RealTray] ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [SoundMan] ; soundman.exe
    O4 - HKLM\..\Run: [SynTPEnh] ; C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPLpr] ; C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [windows auto update] ; msblast.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [browsebar] ; ssweeper.exe
    O4 - HKCU\..\Run: [Spoolsv] ; C:\WINDOWS\System32\spoolvs.exe
    O4 - HKCU\..\Run: [systemdll] ; Brong32.exe
    O4 - HKCU\..\Run: [WinAVX] ; C:\WINDOWS\System32\WinAvXX.exe
    O4 - HKCU\..\Run: [Windows installer] ; C:\winstall.exe
    O4 - HKCU\..\Run: [xxtoolbar] ; MsNetHelper.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {BF69DF00-4734-477F-8257-27CD04F88779} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189911861128
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: SmartLinkService (SLService) - - C:\windows\SYSTEM32\slserv.exe
     
  6. 2007/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ben123456,

    So that the logs are available when Geri next comes online, please post the logs he requested from Fixwareout and SmitfraudFix.

    Thanks!
     
  7. 2007/09/20
    ben123456

    ben123456 Inactive Thread Starter

    Joined:
    2007/09/17
    Messages:
    24
    Likes Received:
    0
    SmitFraudFix v2.226

    Scan done at 16:22:29.85, 2007/09/20 星期四
    Run from C:\Documents and Settings\SmitfraudFix
    OS: Microsoft Windows XP [版本 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts



    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\windows\system32\vtr???.dll Deleted
    C:\Program Files\PestTrap\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="csynd.exe"


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    C:\windows\system32\systems.txt Please, Reboot and Run SmitfraudFix option 2 once again.


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. 2007/09/20
    ben123456

    ben123456 Inactive Thread Starter

    Joined:
    2007/09/17
    Messages:
    24
    Likes Received:
    0
    Username "user" - 9/2007 Thu 16:46:02 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    Successfully flushed the DNS Resolver Cache.



    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1dedoc" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llams_ogol" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwh" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ytpme" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "domdnb" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "orcimlh" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "lavinraCputeS" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "emvaf" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "dnysc" Value deleted
    HKCR\CLSID\{3F3AAF2B-56A0-4FA6-BF6E-E702F841756E}\_h\4 Deleted.
    ....
    ~~~~~ Misc files.
    C:\Documents and Settings\All Users\Favorites\AdultGambling.url Deleted
    C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url Deleted
    C:\Documents and Settings\All Users\Favorites\Free Online Dating.url Deleted
    C:\Documents and Settings\All Users\Favorites\**** Real Girls.url Deleted
    C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url Deleted
    C:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url Deleted
    C:\Documents and Settings\All Users\Favorites\Online Chat With Nude Girls.url Deleted
    C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url Deleted
    C:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home..url Deleted
    C:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url Deleted
    C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url Deleted
    C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url Deleted
    C:\Documents and Settings\All Users\Favorites\SEX Dating - Real Girls For Real SEX.url Deleted
    C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url Deleted
    C:\Documents and Settings\All Users\Favorites\SPYWARE.url Deleted
    C:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url Deleted
    C:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url Deleted
    C:\Documents and Settings\All Users\Favorites\View ADULT photos of REAL GIRLS!.url Deleted
    C:\Documents and Settings\All Users\Favorites\XXX personal photos.url Deleted
    C:\windows\RDT.INI Deleted
    C:\windows\System32\filesaver32.exe Deleted
    C:\windows\System32\msblank.html Deleted
    C:\windows\System32\winctrl16.exe Deleted
    C:\windows\System32\winctrl32.exe Deleted
    C:\Documents and Settings\All Users\Favorites\Online Pharmacy Deleted
    C:\Documents and Settings\All Users\Favorites\Sex and Dating Deleted
    C:\Documents and Settings\All Users\Favorites\Spyware Uninstall Deleted
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
    "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
    "WMC_AutoUpdate"=";"
    "Gnetmous"="C:\\Program Files\\Samsung\\Samsung Optical Wheel Mouse\\gnetmous.exe"
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "RunShadowTip"="C:\\WINDOWS\\System32\\shadow\\ShadowTip.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~
     
  9. 2007/09/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ben123456

    Did you run SmitfraudFix again, as instructed?

    "C:\windows\system32\systems.txt Please, Reboot and Run SmitfraudFix option 2 once again."

    If not please do so.

    Please post the new smitfraud log and a new HJT log also.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2007/09/21
    ben123456

    ben123456 Inactive Thread Starter

    Joined:
    2007/09/17
    Messages:
    24
    Likes Received:
    0
    SmitFraudFix v2.226

    Scan done at 16:05:00.77, 2007/09/21 星期五
    Run from C:\Documents and Settings\SmitfraudFix
    OS: Microsoft Windows XP [版本 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\windows\system32\Delete_Me_Dummy_systems.txt Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: NameServer=85.255.115.91,85.255.112.113
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{76CD953B-C5B1-480D-9FEC-37F9348D4C84}: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 203.186.94.22 203.186.94.20


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  11. 2007/09/21
    ben123456

    ben123456 Inactive Thread Starter

    Joined:
    2007/09/17
    Messages:
    24
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 下午 04:08:45, on 2007/9/21
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\conime.exe
    C:\windows\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Gnetmous] ; C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [AutoMailChecker] ; C:\Program Files\STC\AutoMailChkr\MailChkr.exe
    O4 - HKLM\..\Run: [CHotkey] ; mHotkey.exe
    O4 - HKLM\..\Run: [Chrontel TV] ; C:\WINDOWS\System32\ch_utility.exe
    O4 - HKLM\..\Run: [CJAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\ChangJie\CINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [clsport] ; C:\GPQ\clsport.exe
    O4 - HKLM\..\Run: [FAhid] ; C:\GPQ\Fahid.exe
    O4 - HKLM\..\Run: [ICQ Lite] ; C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [LOPTCON] ; bhoserv.exe
    O4 - HKLM\..\Run: [newbreed] ; uio.exe
    O4 - HKLM\..\Run: [PHAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [RealTray] ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [SoundMan] ; soundman.exe
    O4 - HKLM\..\Run: [SynTPEnh] ; C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPLpr] ; C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [windows auto update] ; msblast.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189911861128
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: SmartLinkService (SLService) - - C:\windows\SYSTEM32\slserv.exe
     
  12. 2007/09/22
    Geri
    Hi ben123456

    Please follow these instructions exactly as given.

    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the "Update now" link.
      • The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Do Not Automatically generate reports"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Save Reports"
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [clsport] ; C:\GPQ\clsport.exe
    O4 - HKLM\..\Run: [FAhid] ; C:\GPQ\Fahid.exe
    O4 - HKLM\..\Run: [LOPTCON] ; bhoserv.exe
    O4 - HKLM\..\Run: [newbreed] ; uio.exe
    O4 - HKLM\..\Run: [windows auto update] ; msblast.exe
    O17 - HKLM\System\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Please post the AVG AS log, the Panda log and a new HJT log.

    Thanks
    Geri
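Geri's fix list above pairs two kinds of entries that are worth recognising in any HijackThis log: O4 Run entries whose command is a bare filename (msblast.exe, uio.exe, bhoserv.exe) rather than a full path, and an O17 entry that hardcodes NameServer addresses for a network interface. The script below is an added example, not code from this thread or from HijackThis; it parses lines in the HJT 1.99.1 format shown on this page and flags both patterns. The SAMPLE_LOG text and the TRUSTED_RESOLVERS allowlist (RFC 1918 ranges standing in for a home router or ISP resolver) are assumptions constructed for the example.

```python
"""Triage helper for HijackThis-style O4 and O17 lines (added example)."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample in the HJT 1.99.1 line format used throughout this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] ; C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [windows auto update] ; msblast.exe
O4 - HKLM\..\Run: [SoundMan] ; soundman.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
O17 - HKLM\System\CS1\Services\Tcpip\..\{630E88F4-0D45-49D9-A57A-0DE6C3E6D215}: NameServer = 85.255.115.91,85.255.112.113
"""

# Assumed allowlist: resolvers this machine is expected to use. RFC 1918 ranges stand
# in for a home router; a real deployment would list the ISP or corporate resolvers.
TRUSTED_RESOLVERS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# O4 - HKLM\..\Run: [name] ; command      (HJT prints "; " before some commands)
O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\(Run\w*): \[([^\]]*)\]\s*;?\s*(.*)$")
O17_RE = re.compile(r"^O17 - .*?: NameServer = (.+)$")
# First executable image in a command line, quoted or not, with arguments dropped.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|vbs|dll))"?', re.IGNORECASE)


def parse_o4(line: str) -> Optional[Dict[str, object]]:
    """Split an O4 line into hive, key, value name and executable image."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, key, name, command = m.groups()
    img = IMAGE_RE.match(command)
    image = img.group(1) if img else command.strip()
    # No backslash means no directory: Windows finds the file through the PATH
    # search order, so the log alone does not tell you where the binary lives.
    return {"hive": hive, "key": key, "name": name, "image": image,
            "bare": "\\" not in image}


def parse_o17(line: str) -> Optional[Dict[str, List[str]]]:
    """Return the NameServer list from an O17 line and the entries outside TRUSTED_RESOLVERS."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    untrusted = []
    for s in servers:
        try:
            trusted = any(ip_address(s) in net for net in TRUSTED_RESOLVERS)
        except ValueError:  # not an IP literal at all: treat as untrusted
            trusted = False
        if not trusted:
            untrusted.append(s)
    return {"servers": servers, "untrusted": untrusted}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk a log and report bare-filename O4 entries and untrusted O17 resolvers."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4 is not None:
            if o4["bare"]:
                findings.append({
                    "type": "O4",
                    "target": str(o4["image"]),
                    "note": f"[{o4['name']}] runs a bare filename; locate it on disk "
                            "and check its publisher before deciding",
                })
            continue
        o17 = parse_o17(line)
        if o17 is not None and o17["untrusted"]:
            findings.append({
                "type": "O17",
                "target": ",".join(o17["untrusted"]),
                "note": "hardcoded resolvers outside the trusted set; every DNS lookup "
                        "from this interface is answered by them",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:<4}{f['target']:<32}{f['note']}")
```

The bare-filename flag is a prompt, not a verdict: it fires for soundman.exe in the sample as well as for msblast.exe, because both resolve through the PATH search order and neither line says where the file is. The O17 check is the stronger signal, since a NameServer value outside the resolvers you expect means every lookup from that interface is being answered by someone else, which is exactly the entry Geri asks to have fixed.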
     
  13. 2007/09/22
    ben123456
    When I installed AVG, there was an error message: 64-bit editions of Windows are not supported.
    I used the latest version; it is OK now.
     
    Last edited: 2007/09/22
  14. 2007/09/22
    ben123456
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 09:14:06 AM 2007/9/23

    + Scan result:



    C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\user\Cookies\user@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\user\Cookies\user@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\user\Cookies\user@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
    C:\Documents and Settings\user\Cookies\user@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
    C:\Documents and Settings\user\Application Data\spoolsvc.dll -> Trojan.Agent.bip : Cleaned with backup (quarantined).


    ::Report end
     
  15. 2007/09/22
    ben123456
    Incident Status Location

    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\SmitfraudFix\restart.exe
    Virus:Trj/Agent.GAB Not disinfected C:\Driver_win9x\Automail\data1.cab[fngkhlib.dll]
    Virus:Trj/Agent.GAB Not disinfected C:\Driver_win9x\Automail\data1.cab[fngmhlib.dll]
    Virus:Trj/Agent.GAB Not disinfected C:\Driver_winxp\Automail\data1.cab[fngkhlib.dll]
    Virus:Trj/Agent.GAB Not disinfected C:\Driver_winxp\Automail\data1.cab[fngmhlib.dll]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
     
  16. 2007/09/22
    ben123456
    Logfile of HijackThis v1.99.1
    Scan saved at 10:14:48 AM, on 2007/9/23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\ctfmon.exe

    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Gnetmous] ; C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [AutoMailChecker] ; C:\Program Files\STC\AutoMailChkr\MailChkr.exe
    O4 - HKLM\..\Run: [CHotkey] ; mHotkey.exe
    O4 - HKLM\..\Run: [Chrontel TV] ; C:\WINDOWS\System32\ch_utility.exe
    O4 - HKLM\..\Run: [CJAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\ChangJie\CINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [ICQ Lite] ; C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [PHAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [RealTray] ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [SoundMan] ; soundman.exe
    O4 - HKLM\..\Run: [SynTPEnh] ; C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SynTPLpr] ; C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189911861128
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\System32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\windows\system32\msvidctl.dll
    O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ipp - (no CLSID) - (no file)
    O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\System32\mshtml.dll
    O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\System32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\windows\System32\inetcomm.dll
    O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\System32\mshtml.dll
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\windows\System32\mshtml.dll
    O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\windows\system32\msvidctl.dll
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\System32\mshtml.dll
    O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: SmartLinkService (SLService) - - C:\windows\SYSTEM32\slserv.exe
     
  17. 2007/09/23
    Geri
    Hi ben123456
    Ok those logs look good.
    The ones Panda is showing seem to be false positives, so no worries there.

    Please let me know how things are running. If everything seems OK then we will begin the clean up.

    Thanks
    Geri
     
  18. 2007/09/23
    ben123456
    The wallpaper can be changed and Windows can be updated.
    The only problem is that my PC is too slow to boot.
    Config: WinXP SP2, AMD 1.5 GHz, 256 MB RAM (notebook).
    Avira antivirus and Comodo firewall are started with Windows.
     
  19. 2007/09/23
    Geri
    Hi ben123456
    OK, first let me give you this to check out.
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

    There is some very good advice there.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Do a defrag and check disk.
    If you don't know how, let me know and I'll post instructions.

    All the O4's in your HJT log are starting when you boot up.
    These you can fix with HJT; they can be started manually when needed.
    NOTE: You need to look them over to see which ones you use often and which ones "you" feel are necessary to run at start up.


    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 <<Part of MS Input Method Editor which is used to ease the input of Asian characters in MS Office (Chinese, Korean and this one is Japanese)
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC <<Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName <<Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [AutoMailChecker] ; C:\Program Files\STC\AutoMailChkr\MailChkr.exe
    O4 - HKLM\..\Run: [Chrontel TV] ; C:\WINDOWS\System32\ch_utility.exe
    O4 - HKLM\..\Run: [CJAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\ChangJie\CINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [ICQ Lite] ; C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [PHAppletSync] ; C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /AppletSync
    O4 - HKLM\..\Run: [RealTray] ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

    You can delete AVG Anti-Spyware if you want to. Delete it from the Add/Remove Programs list instead of fixing it with HJT.
    If at any time you want the ones you disabled with HJT, you can go to HJT backups and restore them. We killed some baddies with it, so be careful what you restore.

    Now we need to do some clean up from the actions we did to clean your system.

    You can delete any tools you were asked to download and the files/folders or logs they created, There will be newer versions if ever needed again any way.

    These tools
    smitfraud.exe
    Fixwareout.exe

    These folders/files
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    C:\fixwareout


    Please let me know if everything is OK, then I will give you some recommendations and I'll mark this thread Resolved.

    Thanks
    Geri
     
  20. 2007/09/24
    ben123456
    It is faster than before, but it is still quite slow (I think) to start up.
    Is the problem related to the firewall and antivirus starting up with Windows?
    Nevertheless, thank you for your help!
    You are a "電腦神" -- a Chinese word meaning "god of computers"! :D :D
     
  21. 2007/09/24
    Geri
    Hi ben123456

    Your firewall and AV may slow it down a bit. I'm not too familiar with AntiVir PersonalEdition, but all AV's will run a check of your system at start up.

    Make sure you keep all your temp files cleaned out and read up on that link I posted.

    Glad to help out.

    We have just a few more things to do, mostly maintenance and then our recommendations:

    Delete all your cookies, and empty your recycle bin. (ATF Cleaner is good for this) But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - A powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

    5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all,
      and MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    6. Install WinPatrol to prevent unknown applications from being inserted to start up on your machine

      Remember that just having security apps installed is not enough; they are useless unless updated regularly.

    7. Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    8. ATF Cleaner by Atribune.
      This program is for XP and Windows 2000 only. It cleans out temporary files and all the garbage you collect while surfing the web.

    9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

    10. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar and also blocks pop-up windows.
    11. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

    Surf Safely
    Geri
     
