
Help! me to remove the trojan

Discussion in 'Malware and Virus Removal Archive' started by Foodbird, 2007/09/09.

  1. 2007/09/09
    Foodbird (Thread Starter)
    Please help me. I am a blind beginner.

    While I was browsing some websites, McAfee warned that my computer was infected with a trojan. As everything looked fine, I did not pay much attention to it. But then I could not open links on websites and could not even open "My Computer". Please help me to remove the trojan(s).

    Here is the HijackThis report:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:56:21, on 09/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    D:\Program Files\jj4\jjsvr4.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\BTTotalBroadband220V\Help\bin\mpbtn.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg "
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\System32\iexplore.exe
    O4 - HKLM\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [pyjj] D:\Program Files\jj4\jjsvr4.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe
    O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe
    O8 - Extra context menu item: &使用比邻下载(&B) - C:\Documents and Settings\Tianxi Wang\blin\ctxmenu.htm
    O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 转换为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: 转换选项为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换选项为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换链接目标为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
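Reading an O4 list like the one above entry by entry is how the helpers in this thread work. The Python below is an added example, not part of the original post and not a HijackThis feature: it parses the O4 autostart lines and applies two checks an analyst makes on a first pass, a Windows binary started from a directory it does not ship in, and a Run value named after a vendor that does not match the executable it launches. The allowlist EXPECTED_DIRS and the lines in SAMPLE_LOG (copied from the log above) are constructed for the example. jjsvr4.exe is deliberately not flagged, because nothing in the log identifies it; that is the kind of entry that has to be asked about or checked on disk.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Two heuristics an analyst applies on first reading, nothing more:
  * a binary that Windows ships in a fixed place is started from elsewhere;
  * the Run value is named after a vendor but launches something else.
Entries given as a bare file name are reported as unresolved, because the
log does not say which copy on disk will actually run.
"""
import ntpath
import re
from typing import Dict, List

# Hypothetical allowlist for the example: where the genuine binary lives on
# XP (lower case, drive letter removed, trailing backslash).  Extend it from a
# clean reference machine rather than from memory.
EXPECTED_DIRS = {
    "iexplore.exe": {"\\program files\\internet explorer\\"},
    "explorer.exe": {"\\windows\\"},
    "svchost.exe": {"\\windows\\system32\\"},
    "userinit.exe": {"\\windows\\system32\\"},
}
# Value names that lend borrowed trust and say nothing about what is run.
GENERIC_NAMES = {"microsoft", "windows", "system", "update", "svchost"}

RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z_]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|cpl|dll))(?:\s|$)", re.IGNORECASE)

# Constructed sample: O4 lines copied verbatim from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [pyjj] D:\Program Files\jj4\jjsvr4.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe
"""


def executable_of(cmd: str) -> str:
    """Return the program a Run value launches, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(log: str) -> List[Dict[str, str]]:
    """Extract hive, value name, command line and launched program from O4 lines."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"hive": m["hive"], "name": m["name"], "cmd": m["cmd"],
                            "exe": executable_of(m["cmd"])})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"hive": "Global Startup", "name": m["name"], "cmd": m["cmd"],
                            "exe": executable_of(m["cmd"])})
    return entries


def triage(entry: Dict[str, str]) -> Dict[str, object]:
    """Attach a verdict (anomalous / review / unresolved) and the reasons for it."""
    exe = entry["exe"]
    base = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower()
    if not directory:
        return {**entry, "verdict": "unresolved",
                "reasons": ["bare file name: resolved through App Paths/PATH at logon, locate the file on disk"]}
    reasons: List[str] = []
    # Drop the drive letter so the comparison works for any drive.
    rel_dir = directory.split(":", 1)[-1].rstrip("\\") + "\\"
    if base in EXPECTED_DIRS and rel_dir not in EXPECTED_DIRS[base]:
        reasons.append(f"{base} ships in {sorted(EXPECTED_DIRS[base])}, not in {directory}")
    name = entry["name"].lower()
    if name in GENERIC_NAMES and name not in base:
        reasons.append(f"value name [{entry['name']}] is a generic trust word and does not match {base}")
    return {**entry, "verdict": "anomalous" if reasons else "review", "reasons": reasons}


def triage_log(log: str) -> List[Dict[str, object]]:
    return [triage(e) for e in parse_o4(log)]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:<10} [{r['name']}] {r['exe']}")
        for reason in r["reasons"]:
            print("           -", reason)
```

On the sample, only the `[Microsoft]` entry is reported as anomalous: the genuine iexplore.exe lives under Program Files\Internet Explorer, not System32, and the value name borrows a vendor's name without matching the file. Everything else comes back as "review", which is the honest answer for a static log: the tool confirms paths and names, and the human still has to identify the file.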
     
  2. 2007/09/09
    Geri (Alumni)
    Hi Foodbird
    Can you tell me what trojan it detects?

    Are you located in China?

    Do you use this instant messaging program?
    Tencent

    Do you know what this is?
    D:\Program Files\jj4\jjsvr4.exe

    If you don't know, please do the following.
    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan "box on the top of the page:
      • D:\Program Files\jj4\jjsvr4.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     

  4. 2007/09/09
    Foodbird (Thread Starter)
    Thanks a lot Geri. Here is the report:

    Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


    File: jjsvr4.exe
    Status: OK
    MD5: e34c1cc835cefe1992ba1224c0f8f543
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 09 Sep 2007 22:27:01 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Disclaimer
    This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

    Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

    Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

    Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

    Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

    Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!
    --------------------------------------------------------------------------------


    Statistics
    Last file scanned at least one scanner reported something about: Ver.0.8.rar (MD5: 99e6ec987a4be1b83861b2ddd1963073, size: 306198 bytes), detected by:

    Scanner Malware name
    A-Squared X
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    CPsecure X
    Dr.Web X
    F-Prot Antivirus X
    F-Secure Anti-Virus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 X
    Norman Virus Control X
    Panda Antivirus X
    Rising Antivirus X
    Sophos Antivirus Mal/Basine-C
    VirusBuster X
    VBA32 X


    You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
    We are not affiliated with any third parties that conduct tests using this service.





    Frequently asked questions - Feedback - Privacy policy



    Page generated by JTPL

    Copyright © 2004-2007 Jordi Bosveld <jotti@jotti.org>
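A "Found nothing" from twenty engines is only the absence of a signature match. The Python below is an added example, not part of the thread or of the Jotti service, showing the header-only checks that turn such a result into concrete questions about a file: its compile timestamp, whether an Authenticode signature directory is present (presence only, not validity), and sections that are writable and executable or that occupy no space on disk. The real jjsvr4.exe is not available, so build_pe() assembles a hypothetical PE32 image in memory as constructed input; the field offsets follow the PE/COFF format and the section flags are the documented IMAGE_SCN_* values.

```python
"""Static first look at an unknown PE file that no AV engine has flagged.

Header-only checks with the standard library: compile timestamp, presence of
an Authenticode signature directory (presence, not validity), and section
flags that deserve a closer look.  None of these is a verdict.
"""
import struct
import time
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes) -> Dict[str, object]:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:          # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    findings: List[str] = []
    if stamp > time.time():
        findings.append("compile timestamp lies in the future")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sig_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sig_size = struct.unpack_from("<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sig_size == 0:
        findings.append("no Authenticode signature directory: publisher cannot be checked")
    sections = []
    for i in range(nsect):
        raw_name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": chars})
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable (W+X)")
        if rawsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual size "
                            "(filled at run time, typical of packers)")
    return {"machine": f"{machine:#06x}",
            "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "has_authenticode": sig_size > 0,
            "sections": sections,
            "findings": findings}


def build_pe(timestamp: int, sections: Sequence[Tuple[str, int, int, int]], signed: bool) -> bytes:
    """Assemble a minimal PE32 image in memory: constructed test input, not a runnable program."""
    opt_size = 96 + 16 * 8                       # PE32 optional header with 16 data directories
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    sec_hdrs, body = b"", b""
    for i, (name, vsize, rawsize, chars) in enumerate(sections):
        rawptr = headers_len + len(body) if rawsize else 0
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1),
                                rawsize, rawptr, 0, 0, 0, 0, chars)
        body += bytes(rawsize)
    dirs = [(0, 0)] * 16
    sig = b""
    if signed:                                   # stand-in for a WIN_CERTIFICATE blob
        sig = bytes(8)
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len + len(body), len(sig))
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + coff + opt + sec_hdrs + body + sig


# Constructed sample: unsigned, one W+X code section, one section empty on disk.
SAMPLE_PE = build_pe(
    1188648000,                                  # 2007-09-01T12:00:00Z, chosen for the example
    [(".text", 0x2000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
     ("UPX1", 0x8000, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    signed=False)

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(info["machine"], info["compile_time"], "signed:", info["has_authenticode"])
    for f in info["findings"]:
        print(" -", f)
```

For a real file, pass open(path, "rb").read() to parse_pe(). A W+X section, a section with no raw data, or a compile date in the future is a reason to look further, not a verdict; and a present signature directory still has to be validated (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell) before it says anything about the publisher.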
     
  5. 2007/09/09
    Foodbird (Thread Starter)
    And now I cannot open a link or a folder.
     
  6. 2007/09/09
    mailman (Geek Member)
    Hi again, Foodbird. :)
    I quoted the above in case you forgot to answer Geri's other three questions. ;)
     
  7. 2007/09/09
    Geri (Alumni)
    Thanks mailman.
    --------------------
    Hi Foodbird
    Please answer my questions.

    Please do this.

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Please post the main.txt for now.

    Thanks
    Geri
     
  8. 2007/09/10
    Foodbird (Thread Starter)
    Hi, mailman and Geri,

    I am Chinese, but I am now in the UK. My computer was bought in the UK.

    I cannot remember what trojan McAfee warned about. As I am happy to see that warning window, I just closed it.

    What is "this instant messaging program--Tencent "?
     
  9. 2007/09/10
    Foodbird (Thread Starter)
    I just did what Geri told me to do. Here is the main report:

    Deckard's System Scanner v20070905.67
    Run by Tianxi Wang on 2007-09-10 11:47:28
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 1 Restore Point(s) --
    1: 2007-09-10 10:47:49 UTC - RP2 - Deckard's System Scanner Restore Point


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 367 MiB (512 MiB recommended).
    System Drive C: has 0.75 GiB (less than 15%) free.


    -- HijackThis (run as Tianxi Wang.exe) -----------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-09-10 11:49:20
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\QCONSVC.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\tp4serv.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    D:\Program Files\Network Associates\VirusScan\shstat.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\BTTotalBroadband220V\Help\SmartBridge\BTHelpNotifier.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\Program Files\Network Associates\Common Framework\Mctray.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    D:\Program Files\jj4\jjsvr4.exe
    C:\Program Files\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    C:\Program Files\BTTotalBroadband220V\Help\bin\mpbtn.exe
    D:\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\Program Files\FlashGet\Jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Program Files\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKEY_LOCAL_MACHINE\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKEY_LOCAL_MACHINE\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKEY_LOCAL_MACHINE\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [TP4EX] tp4ex.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Microsoft] C:\WINDOWS\System32\iexplore.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKEY_LOCAL_MACHINE\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
    O4 - HKEY_LOCAL_MACHINE\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKEY_LOCAL_MACHINE\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [pyjj] D:\Program Files\jj4\jjsvr4.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe
    O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe
    O8 - Extra context menu item: &使用比邻下载(&B) - C:\Documents and Settings\Tianxi Wang\blin\ctxmenu.htm
    O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 转换为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: 转换选项为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换选项为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换链接目标为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
    O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - "D:\Program Files\Network Associates\VirusScan\Mcshield.exe "
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - "D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe "
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\system32\QCONSVC.EXE
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe


    -- File Associations -----------------------------------------------------------

    .chm - chm.file - shell\open\command - "hh.exe" %1
    .ini - inifile - shell\open\command - C:\WINDOWS\System32\NOTEPAD.EXE %1
    .txt - txtfile - shell\open\command - C:\WINDOWS\notepad.exe %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
    R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
    R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
    R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
    R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
    R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
    R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; McAfee, Inc; VirusScan>
    R3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
    R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>

    S2 npkcrypt - c:\program files\tencent\qq\npkcrypt.sys (file missing)
    S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - d:\progra~1\belkin\belkin~1.11g\dnindis5.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 McTaskManager (Network Associates Task Manager) - "d:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
    R2 QCONSVC - system32\qconsvc.exe

    S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-09-08 22:03:48 500 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
    2007-03-04 13:04:58 362 --a------ C:\WINDOWS\Tasks\BMMTask.job


    -- Files created between 2007-08-10 and 2007-09-10 -----------------------------

    2007-09-08 22:57:56 4628 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-08 22:03:42 0 d------c- C:\Documents and Settings\Tianxi Wang\Application Data\SpywareBot
    2007-09-08 22:03:11 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2007-09-08 22:02:58 0 d-------- C:\Program Files\SpywareBot
    2007-09-04 01:51:14 1343592 --a------ C:\WINDOWS\UnInstall.dll <Not Verified; ; UnInstall BT Voyager 220V Dynamic Link Library>
    2007-09-04 01:51:12 0 d-------- C:\Program Files\British Telecom
    2007-09-04 01:49:50 0 d------c- C:\Documents and Settings\Tianxi Wang\Application Data\InstallShield
    2007-09-04 01:49:37 0 d-------- C:\WINDOWS\220V.0000
    2007-09-04 01:49:34 0 d-------- C:\WINDOWS\tmp.0000
    2007-09-04 01:48:47 0 d-------- C:\Program Files\BT Broadband Talk Softphone
    2007-09-04 01:48:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-09-04 01:47:09 86016 --a------ C:\WINDOWS\system32\YPcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>
    2007-09-04 01:47:09 131072 --a------ C:\WINDOWS\system32\ypclsp.dll <Not Verified; Yahoo! Inc.; Yahoo! YPCLSP>
    2007-09-04 01:46:36 0 d------c- C:\Documents and Settings\Tianxi Wang\Application Data\Yahoo!
    2007-09-04 01:43:46 0 d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
    2007-09-04 01:42:48 65536 --a------ C:\WINDOWS\system32\YCRWin32.dll <Not Verified; ; YCRWin32 Module>
    2007-09-04 01:42:41 84992 --a------ C:\WINDOWS\system32\ATL70.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Studio .NET>
    2007-09-04 01:42:14 0 d-------- C:\Program Files\Yahoo!
    2007-09-04 01:42:05 0 d-------- C:\WINDOWS\Motive
    2007-09-04 01:41:33 0 d-------- C:\Program Files\btbb_wcm
    2007-09-04 01:41:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Motive
    2007-09-04 01:40:59 0 d-------- C:\Program Files\Common Files\Motive
    2007-09-04 01:39:52 0 d-------- C:\Program Files\BTTotalBroadband220V
    2007-09-04 01:39:51 0 d-------- C:\Program Files\Motive


    -- Find3M Report ---------------------------------------------------------------

    2007-09-04 01:51:06 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-04 01:40:59 0 d-------- C:\Program Files\Common Files
    2007-07-13 02:02:58 0 d------c- C:\Documents and Settings\Tianxi Wang\Application Data\Tencent


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [12/10/2001 07:32 C:\WINDOWS\system32\S3Tray2.exe]
    "TrackPointSrv"="tp4serv.exe" [03/12/2002 12:09 C:\WINDOWS\system32\tp4serv.exe]
    "ATIModeChange"="Ati2mdxx.exe" [05/09/2001 01:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "BluetoothAuthenticationAgent"="irprops.cpl" [04/08/2004 08:56 C:\WINDOWS\system32\irprops.cpl]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [22/01/2003 00:05]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [17/01/2003 10:32]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [17/01/2003 10:32]
    "BCONSET"="regedit /s C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" []
    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [08/01/2003 11:50]
    "TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [17/02/2003 09:30]
    "TP4EX"="tp4ex.exe" [04/09/2002 10:05 C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [24/12/2002 11:01]
    "AGRSMMSG"="AGRSMMSG.exe" [21/11/2002 23:17 C:\WINDOWS\AGRSMMSG.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [14/12/2002 19:03]
    "UC_SMB"="" []
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [07/01/2003 23:52]
    "Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [14/12/2004 11:12]
    "@"="" []
    "Microsoft"="C:\WINDOWS\System32\iexplore.exe" []
    "StormCodec_Helper"="D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [05/12/2005 19:08]
    "IMSCMig"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [14/07/2003 23:57]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [17/11/2006 03:06]
    "ShStatEXE"="D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 20:00]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 09:48]
    "Motive SmartBridge"="C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe" [06/02/2006 18:52]
    "btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [08/12/2006 07:45]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [21/07/2006 16:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [07/01/2003 23:52]
    "pyjj"="D:\Program Files\jj4\jjsvr4.exe" [29/12/2005 15:23]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [31/08/2005 17:11]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe [31/01/2006 16:40:37]
    BT Broadband Desktop Help.lnk - C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe [04/09/2007 01:40:04]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1abfca03-4d71-11dc-afce-00061bc9e2c2}]
    play\command- "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33c0f0a2-078b-11dc-af6e-00061bc9e2c2}]
    verb1\command- Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773fea03-93d8-11da-ad97-00061bc9e2c2}]
    verb1\command- G:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773fea04-93d8-11da-ad97-00061bc9e2c2}]
    verb1\command- H:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat




    -- End of Deckard's System Scanner: finished at 2007-09-10 11:50:44 ------------
     
  10. 2007/09/10
    Foodbird (Thread Starter)
    And here is extra.txt:

    Deckard's System Scanner v20070905.67
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz
    Percentage of Memory in Use: 59%
    Physical Memory (total/avail): 366.98 MiB / 147.52 MiB
    Pagefile Memory (total/avail): 886.48 MiB / 628.45 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1966.25 MiB

    C: is Fixed (NTFS) - 6 GiB total, 0.75 GiB free.
    D: is Fixed (NTFS) - 4 GiB total, 0.31 GiB free.
    E: is Fixed (NTFS) - 5.75 GiB total, 0.41 GiB free.
    F: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - HITACHI_DK23EA-20B - 15.75 GiB - 3 partitions
    \PARTITION0 (bootable) - Installable File System - 6 GiB - C:
    \PARTITION1 - Extended w/Extended Int 13 - 9.75 GiB - D: - E:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.


    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "D:\\Program Files\\BitTorrent\\bittorrent.exe"="D:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"="C:\\Program Files\\Support.com\\Bin\\tgcmd.exe:*:Disabled:Support.com Scheduler and Command Dispatcher"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "D:\\Program Files\\BitTorrent\\btdownloadgui.exe"="D:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"="C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe:*:Enabled:pE"
    "D:\\Program Files\\eMule\\emule.exe"="D:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "C:\\Documents and Settings\\Tianxi Wang\\blin\\blin.exe"="C:\\Documents and Settings\\Tianxi Wang\\blin\\blin.exe:*:Enabled:blin"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
    "C:\\Program Files\\Tencent\\QQ\\QQ.exe"="C:\\Program Files\\Tencent\\QQ\\QQ.exe:*:Enabled:QQ"
    "C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"="C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe:*:Enabled:QzoneClient1.2Beta04 V01.2.104.040"
    "C:\\Program Files\\Tencent\\QQDownload\\QQDownload.exe"="C:\\Program Files\\Tencent\\QQDownload\\QQDownload.exe:*:Disabled:超级旋风"
    "C:\\Program Files\\Tencent\\QQDownload\\QDAutoUpdate.exe"="C:\\Program Files\\Tencent\\QQDownload\\QDAutoUpdate.exe:*:Disabled:AutoUpdate Module"
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Tianxi Wang\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=ZHIDAWUXING
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Tianxi Wang
    LOGONSERVER=\\ZHIDAWUXING
    MuPAD_SWP_250=C:\swp50\MuPAD
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\Program Files\Internet Explorer;;C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0207
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\TIANXI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\TIANXI~1\LOCALS~1\Temp
    USERDOMAIN=ZHIDAWUXING
    USERNAME=Tianxi Wang
    USERPROFILE=C:\Documents and Settings\Tianxi Wang
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Tianxi Wang (admin)
    Yan Li (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\PROGRA~1\BTTOTA~1\Help\Uninstall.exe btbb
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> MsiExec.exe /X{31C2FBAC-67CF-4093-8F36-15A146613747}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Access IBM --> MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
    Access IBM Message Center --> MsiExec.exe /X{710C0BB2-FE39-484E-BB23-C9B96835A14A}
    Access IBM Tools --> C:\Program Files\IBM\Access IBM\IBMUINST.EXE
    Adobe Acrobat 7.0 Professional - ChineseS --> msiexec /I {AC76BA86-2052-0000-7760-100000000002}
    Agere Systems AC'97 Modem --> agrsmdel
    alm --> MsiExec.exe /I{CF44C7A5-5705-41E4-BE84-A9A42977AB05}
    ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
    ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    ATI HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
    BitTorrent Plus! --> D:\Program Files\BitTorrent\uninst.exe
    BT Broadband Desktop Help --> C:\WINDOWS\Motive\btbb\MCCUninst.exe
    BT Broadband Talk Softphone 2.0 --> "C:\Program Files\BT Broadband Talk Softphone\unins000.exe"
    BT Voyager 220V USB Driver --> C:\Program Files\InstallShield Installation Information\{D35D2AB6-E86B-4A9A-92DB-88E9CE49D619}\Setup.exe -runfromtemp -l0x0009 -removeonly FORCE_UNINSTALL
    BT Wireless Connection Manager --> C:\Program Files\Common Files\Motive\InstallHelper.exe /dir=C:\Program Files\Common Files\Motive /uninstallvendor=btbb_wcm /uninstallkey=BT Wireless Connection Manager
    BT Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
    BTTotalBroadband220V --> C:\Program Files\BTTotalBroadband220V\Uninstall.exe
    FlashGet(JetCar) --> D:\PROGRA~1\FlashGet\UNWISE.EXE D:\PROGRA~1\FlashGet\INSTALL.LOG
    Hijackthis 1.99.1 --> "D:\Program Files\Hijackthis\unins000.exe"
    HijackThis 1.99.1 --> D:\Program Files\Hijackthis\HijackThis.exe /uninstall
    IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
    IBM Rapid Restore PC Setup --> MsiExec.exe /X{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}
    IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\ThinkPad\Utilities\Unbmm.isu" -c "C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
    IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c "C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
    IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unezej.isu -c "C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
    IBM ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x9 anything
    IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
    IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c "C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
    IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
    IBM TrackPoint Support --> C:\WINDOWS\System32\tp4unins.exe
    InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
    Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
    McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
    Merriam-Webster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{861AF642-2DD2-11D4-801E-0050DA5E65F2}\Setup.exe"
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110804-6000-11D3-8CFE-0150048383C9}
    MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
    Powerword 2003 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{988EA0EA-E702-4106-8953-BF9E13DF0AED}\setup.exe"
    PPLive 1.1.0.7 --> D:\PROGRA~1\PPLIVE~1\Setup.exe /remove
    Scientific WorkPlace 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA6B13CF-A177-42DF-B416-A1EFDD8E7693}\Setup.exe" -l0x9
    Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
    Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
    Storm Codec --> D:\Program Files\Ringz Studio\Storm Codec\uninst.exe
    Synacast Plug-in 1.1.0.7 --> C:\Program Files\Common Files\Synacast\SynaLive\uninst.exe
    ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
    ThinkPad Software Installer --> _tpiu000.exe /U
    TPNala Wallpaper --> MsiExec.exe /I{F1F721BF-040C-4096-988A-1DB01EB73B0C}
    VideoLAN VLC media player 0.8.5 --> D:\Program Files\VideoLAN\VLC\uninstall.exe
    VobSub v2.23 (Remove Only) --> "D:\Program Files\Gabest\VobSub\uninstall.exe"
    WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
    XP Themes --> MsiExec.exe /I{93FD93BA-7C5A-4090-BF9D-F9EA3B9044C3}
    加加输入法4.0 --> MsiExec.exe /I{CA621C9F-E22F-4CE0-8094-77B7196A9161}


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type4143 / Warning
    Event Submitted/Written: 09/10/2007 11:50:29 AM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ZHIDAWUXING IP 192.168.1.2 user SYSTEM running VirusScan Enter 8.0 OAS)

    Event Record #/Type4142 / Warning
    Event Submitted/Written: 09/10/2007 11:50:28 AM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ZHIDAWUXING IP 192.168.1.2 user SYSTEM running VirusScan Enter 8.0 OAS)

    Event Record #/Type4139 / Error
    Event Submitted/Written: 09/09/2007 10:20:00 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: Script execution blocked ('_').(from ZHIDAWUXING IP 192.168.1.2 user ZHIDAWUXING\Tianxi Wang running VirusScan Enter 8.0 OAS)

    Event Record #/Type4138 / Error
    Event Submitted/Written: 09/09/2007 10:20:00 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: The file C:\Documents and Settings\Tianxi Wang\Local Settings\Temporary Internet Files\Content.IE5\G9Q7OH6N\setup[1].htm is infected with the VBS/Psyme Trojan. Undetermined clean error, quarantine failed. Detected using Scan engine version 5200 DAT version 5115.(from ZHIDAWUXING IP 192.168.1.2 user ZHIDAWUXING\Tianxi Wang running VirusScan Enter 8.0 OAS)

    Event Record #/Type4133 / Error
    Event Submitted/Written: 09/09/2007 05:33:41 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: Script execution blocked ('_').(from ZHIDAWUXING IP 192.168.1.2 user ZHIDAWUXING\Tianxi Wang running VirusScan Enter 8.0 OAS)



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type24256 / Warning
    Event Submitted/Written: 09/10/2007 10:44:33 AM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Event Record #/Type24248 / Warning
    Event Submitted/Written: 09/10/2007 10:14:13 AM / 09/10/2007 10:15:11 AM
    Event ID/Source: 4 / b57w2k
    Event Description:
    Broadcom NetXtreme Fast Ethernet: The network link is down. Check to make sure the network cable is properly connected.

    Event Record #/Type24237 / Error
    Event Submitted/Written: 09/10/2007 10:15:05 AM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The npkcrypt service failed to start due to the following error:
    %%3

    Event Record #/Type24229 / Error
    Event Submitted/Written: 09/09/2007 11:43:32 PM
    Event ID/Source: 10010 / DCOM
    Event Description:
    The server {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} did not register with DCOM within the required timeout.

    Event Record #/Type24228 / Error
    Event Submitted/Written: 09/09/2007 11:41:32 PM
    Event ID/Source: 10010 / DCOM
    Event Description:
    The server {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} did not register with DCOM within the required timeout.



    -- End of Deckard's System Scanner: finished at 2007-09-10 11:50:44 ------------
     
  11. 2007/09/10
    Foodbird (Thread Starter)
    By the way, the two files look lengthy and disordered. How could you find useful information in them? Could you teach me how to read them, so that next time I can proceed by myself without bothering you guys?
     
  12. 2007/09/10
    mailman
    Hi, Foodbird. :)

    Thanks for following up on Geri's questions/instructions. Malware recognition and removal often requires significant study and training. Deckard's System Scanner is a tool used by malware-removal experts to assist them with removing malware. Even though the output does not make a lot of sense to many of us, the experts know how to interpret the information. :)

    Malware often must be removed in a certain way/order so I advise you to wait for instructions from an expert before proceeding further.

    You appear to at least have a rogue/suspect "anti-spyware" application (SpywareBot) installed in your computer. Unfortunately, I did not find a reliable method to remove the application so I expect an expert will have to guide you through the process for your computer.
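    Foodbird asked how anyone finds the useful information in these logs, and mailman's answer (it takes training) is the honest one. The script below is an added example written for this edit; it is not a tool from the thread, from Deckard's System Scanner or from ComboFix. It parses a handful of Run-key and mountpoints2 lines excerpted from the Registry Dump posted above and applies the first-pass checks a log reader makes by eye: an empty "[]" after a Run value means DSS could not find the file on disk; an autostart under a user profile or temp directory deserves a look; a well-known binary name outside its usual directory (the KNOWN_HOMES table is my own short list of expected locations on XP) deserves a look; and under mountpoints2, a drive verb that runs a batch or script file, or a relative path resolved against the drive root, is the pattern autorun.inf-based spreaders leave behind. The reasons it emits are review priorities for a human, not verdicts.

```python
import ntpath
import re

# One autostart value as Deckard's System Scanner prints it:
#   "NAME"="command" [file-timestamp resolved-path]
# An empty [] means DSS could not resolve the file on disk.
RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# One verb under explorer\mountpoints2: what Explorer runs when that drive is double-clicked.
MP_LINE = re.compile(r'^(?P<verb>[^\\\s]+)\\command-\s*(?P<cmd>.+)$')

EXEC_EXTS = (".exe", ".dll", ".cpl", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".scr", ".pif"}
PROFILE_MARKERS = ("documents and settings", "docume~1", "\\temp\\", "\\application data\\")
# Assumed table (my own list): directory suffix where each well-known XP binary normally lives.
KNOWN_HOMES = {
    "iexplore.exe": "\\program files\\internet explorer",
    "explorer.exe": ":\\windows",
    "svchost.exe": "\\system32",
}


def _target(cmd):
    """Pull the executable path out of a command string (quoted, bare path, or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    if cmd.lower().endswith(EXEC_EXTS):      # a bare path that may contain spaces
        return cmd
    return cmd.split()[0] if cmd.split() else ""


def triage_run_entry(line):
    """Return {name, cmd, reasons} for a Run-key line, or None if the line is not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    name, cmd, meta = m.group("name").strip(), m.group("cmd").strip(), m.group("meta").strip()
    low = _target(cmd).lower()
    reasons = []
    if not meta:
        reasons.append("DSS could not resolve the file on disk (empty [])")
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("autostart runs from a user-profile or temp path")
    home = KNOWN_HOMES.get(ntpath.basename(low))
    if home and not ntpath.dirname(low).endswith(home):
        reasons.append("%s is outside its usual directory" % ntpath.basename(low))
    return {"name": name, "cmd": cmd, "reasons": reasons}


def triage_mountpoint(line):
    """Return {verb, cmd, reasons} for a mountpoints2 verb line, or None."""
    m = MP_LINE.match(line.strip())
    if not m:
        return None
    verb, cmd = m.group("verb"), m.group("cmd").strip()
    target = _target(cmd)
    reasons = []
    if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
        reasons.append("drive verb runs a script or batch file (autorun.inf pattern)")
    if not re.match(r"^[A-Za-z]:\\", target):
        reasons.append("relative path, resolved against the drive root when the drive is opened")
    return {"verb": verb, "cmd": cmd, "reasons": reasons}


def flagged(lines, triage):
    """Keep only the entries the heuristics flag, in log order."""
    out = []
    for line in lines:
        entry = triage(line)
        if entry and entry["reasons"]:
            out.append(entry)
    return out


# Sample input: lines excerpted from the Registry Dump posted earlier in this thread.
RUN_LINES = [
    r'"S3TRAY2"="S3Tray2.exe" [12/10/2001 07:32 C:\WINDOWS\system32\S3Tray2.exe]',
    r'"BCONSET"="regedit /s C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" []',
    r'"Microsoft"="C:\WINDOWS\System32\iexplore.exe" []',
    r'"pyjj"="D:\Program Files\jj4\jjsvr4.exe" [29/12/2005 15:23]',
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]',
]
MOUNTPOINT_LINES = [
    r'play\command- "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1',
    r'verb1\command- Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat',
    r'verb1\command- G:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat',
    r'verb1\command- H:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat',
]

if __name__ == "__main__":
    for e in flagged(RUN_LINES, triage_run_entry):
        print("Run  %-10s %s\n      -> %s" % (e["name"], e["cmd"], "; ".join(e["reasons"])))
    for e in flagged(MOUNTPOINT_LINES, triage_mountpoint):
        print("MP2  %-10s %s\n      -> %s" % (e["verb"], e["cmd"], "; ".join(e["reasons"])))
```

    Run against those lines it flags BCONSET (DSS did not resolve "regedit", but this is a standard ThinkPad Connect utility, so that flag is a false positive a reader dismisses at once), the "Microsoft" value pointing at an iexplore.exe in System32 (not found on disk, and not where Internet Explorer's binary lives), and all three Thumbs.bat drive verbs, two of them on G: and H: and one relative. The parser also accepts the spacing the forum inserted around the quotes in the posted copy. Which of the flagged entries is actually malicious is still the human's call; what the script replaces is only the first scan of the eye down a few hundred lines.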
     
  13. 2007/09/10
    Foodbird (Thread Starter)
    Thanks, mailman.

    I do not know when and how I installed the application. I only install the applications recommended by friends or the bbs here. Do you mean the recommendations here are not reliable?
     
  14. 2007/09/10
    noahdfear
    mailman simply means that you can't be taught everything required to decipher these logs in a matter of a few posts or tutorials, or even a few days. It takes a very long time to learn all the things to look for. You will not be requested to do anything harmful to your computer by myself or Geri, or any other long-standing member of this community. If ever in doubt about recommendations you have been given here pertaining to malware removal, don't hesitate to question it. If you're still uncomfortable with the advice after that, you are always free to ignore it. :)

    Uninstall SpywareBot from the Add/Remove programs list in the Control Panel.


    Back to you Geri. ;)
     
  15. 2007/09/10
    mailman
    It is possible the "SpywareBot" application was secretly installed without your explicit permission to install. Malware is known for being "tricky".

    I doubt anyone at Windows BBS recommended you install "SpywareBot". If anyone did, then I expect other people would quickly warn you against doing so. ;)

    According to Spyware Warrior's "Rogue/Suspect Anti-Spyware Products & Web Sites" list, "SpywareBot" exploits (takes advantage of) the trustworthy "Spybot Search & Destroy" application name to trick people into using/trusting the rogue/suspect "SpywareBot".
     
    Last edited: 2007/09/10
  16. 2007/09/10
    Geri
    Hi Foodbird

    Please note: Malware removal is difficult in a language I understand; doing so when most results come back in a language I don't understand makes it that much harder.
    I will do the best I can here. ;)

    I would suggest you remove any and all P2P file sharing programs. This is an excellent source of infections.

    Please Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Please look at this before deleting any of the Tencent entries below.
    http://en.wikipedia.org/wiki/QQ
    Now do you know what it is?

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O8 - Extra context menu item: &使用比邻下载(&B) - C:\Documents and Settings\Tianxi Wang\blin\ctxmenu.htm
    O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Reboot your computer.

    Please post the combofix log and a new HJT log.

    Thanks
    Geri
     
  17. 2007/09/11
    Foodbird (Thread Starter)
    Thanks, Geri.

    Now I understand what an instant messaging program is. I do not use any of them.

    Here is the ComboFix report:

    ComboFix 07-09-10.6 - "Tianxi Wang" 2007-09-11 11:41:55.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.145 [GMT 1:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\TIANXI~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\PSP8EJX8\www.inter-focus.cn
    C:\DOCUME~1\TIANXI~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\PSP8EJX8\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
    C:\DOCUME~1\TIANXI~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
    C:\DOCUME~1\TIANXI~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol


    ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
    .

    2007-09-11 11:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-10 11:47 <DIR> d-------- C:\Deckard
    2007-09-08 22:57 4,628 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-08 22:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-09-08 22:03 <DIR> d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\SpywareBot
    2007-09-08 22:02 <DIR> d-------- C:\Program Files\SpywareBot
    2007-09-04 01:51 1,343,592 --a------ C:\WINDOWS\UnInstall.dll
    2007-09-04 01:51 <DIR> d-------- C:\Program Files\British Telecom
    2007-09-04 01:49 <DIR> d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\InstallShield
    2007-09-04 01:49 <DIR> d-------- C:\WINDOWS\tmp.0000
    2007-09-04 01:49 <DIR> d-------- C:\WINDOWS\220V.0000
    2007-09-04 01:48 <DIR> d-------- C:\Program Files\BT Broadband Talk Softphone
    2007-09-04 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-09-04 01:47 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
    2007-09-04 01:47 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
    2007-09-04 01:46 <DIR> d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\Yahoo!
    2007-09-04 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
    2007-09-04 01:42 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
    2007-09-04 01:42 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
    2007-09-04 01:42 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
    2007-09-04 01:42 <DIR> d-------- C:\WINDOWS\Motive
    2007-09-04 01:42 <DIR> d-------- C:\Program Files\Yahoo!
    2007-09-04 01:41 <DIR> d-------- C:\Program Files\btbb_wcm
    2007-09-04 01:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
    2007-09-04 01:40 <DIR> d-------- C:\Program Files\Common Files\Motive
    2007-09-04 01:39 <DIR> d-------- C:\Program Files\Motive
    2007-09-04 01:39 <DIR> d-------- C:\Program Files\BTTotalBroadband220V

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-04 01:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-19 07:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-13 02:02 --------- d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\Tencent
    2007-07-13 00:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 15:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 15:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 15:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 15:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 15:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 15:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 15:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 15:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 15:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 15:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 15:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 15:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 15:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 15:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 15:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 15:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 15:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 15:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 15:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 15:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 09:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 09:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 09:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 08:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 07:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 14:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 11:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2 "= "S3Tray2.exe" [2001-10-12 07:32 C:\WINDOWS\system32\S3Tray2.exe]
    "TrackPointSrv "= "tp4serv.exe" [2002-12-03 12:09 C:\WINDOWS\system32\tp4serv.exe]
    "ATIModeChange "= "Ati2mdxx.exe" [2001-09-05 01:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "BluetoothAuthenticationAgent "= "irprops.cpl" [2004-08-04 08:56 C:\WINDOWS\system32\irprops.cpl]
    "TPHOTKEY "= "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-01-22 00:05]
    "BMMGAG "= "C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 10:32]
    "BMMLREF "= "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 10:32]
    "BCONSET "= "regedit /s C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" []
    "QCWLICON "= "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-01-08 11:50]
    "TPKMAPMN "= "C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003-02-17 09:30]
    "TP4EX "= "tp4ex.exe" [2002-09-04 10:05 C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP "= "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 11:01]
    "AGRSMMSG "= "AGRSMMSG.exe" [2002-11-21 23:17 C:\WINDOWS\AGRSMMSG.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-12-14 19:03]
    "UC_SMB "=" " []
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 23:52]
    "Acrobat Assistant 7.0 "= "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 11:12]
    "StormCodec_Helper "= "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2005-12-05 19:08]
    "IMSCMig "= "C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [2003-07-14 23:57]
    "McAfeeUpdaterUI "= "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06]
    "ShStatEXE "= "D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
    "Network Associates Error Reporting Service "= "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
    "Motive SmartBridge "= "C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52]
    "btbb_wcm_McciTrayApp "= "C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-08 07:45]
    "YBrowser "= "C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 23:52]
    "pyjj "= "D:\Program Files\jj4\jjsvr4.exe" [2005-12-29 15:23]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 17:11]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe [2006-01-31 16:40:37]
    BT Broadband Desktop Help.lnk - C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe [2007-09-04 01:40:04]

    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS
    R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
    R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
    R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\D:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1abfca03-4d71-11dc-afce-00061bc9e2c2}]
    play\command- "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33c0f0a2-078b-11dc-af6e-00061bc9e2c2}]
    verb1\command- Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773fea03-93d8-11da-ad97-00061bc9e2c2}]
    verb1\command- G:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773fea04-93d8-11da-ad97-00061bc9e2c2}]
    verb1\command- H:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat

    *Newly Created Service* - CATCHME
    *Newly Created Service* - ENTDRV51
    *Newly Created Service* - HTTPFILTER
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-04 12:04:58 C:\WINDOWS\Tasks\BMMTask.job "
    "2007-09-08 21:03:48 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job "
    - C:\Program Files\SpywareBot\SpywareBot.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-11 11:44:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-11 11:46:36
    C:\ComboFix-quarantined-files.txt ... 2007-09-11 11:46
    .
    --- E O F ---
     
  18. 2007/09/11
    Foodbird

    Foodbird Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    43
    Likes Received:
    0
    Here is HijackThis report:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:50:16, on 11/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    D:\Program Files\jj4\jjsvr4.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\BTTotalBroadband220V\Help\bin\mpbtn.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\notepad.exe
    D:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg "
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [pyjj] D:\Program Files\jj4\jjsvr4.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe
    O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe
    O8 - Extra context menu item: &使用比邻下载(&B) - C:\Documents and Settings\Tianxi Wang\blin\ctxmenu.htm
    O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 转换为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: 转换选项为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换选项为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换链接目标为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
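As an added example (not code from this thread, and not part of ComboFix, HijackThis or any other tool named here), a small Python triage script that reads the ComboFix MountPoints2 entries from post 17 and the HijackThis O4/O23 lines from post 18 above, and lists what a helper would want to look at before deciding what to fix: an autorun verb on a lettered volume that launches a script, a Run entry with no full path, and a service whose binary is missing. The sample lines are constructed from the logs above; the heuristic names and the "trusted folder" list are assumptions of this example, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample input shaped like the ComboFix/HijackThis output posted in this thread (paths and CLSIDs as printed).
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1abfca03-4d71-11dc-afce-00061bc9e2c2}]
play\command- "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773fea03-93d8-11da-ad97-00061bc9e2c2}]
verb1\command- G:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKCU\..\Run: [pyjj] D:\Program Files\jj4\jjsvr4.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""
# A MountPoints2 verb that launches one of these from a lettered volume is worth a look (assumed list).
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".pif", ".scr", ".com")
TRUSTED_DIRS = ("program files", "windows")  # top-level folders an .exe is normally launched from (assumed)
MP2_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[^}]+\})\]$", re.I)
MP2_VERB = re.compile(r"^([^\\]+)\\command-\s*(.+)$")
HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')


def parse_mountpoints2(text: str) -> List[Dict[str, str]]:
    """One record per verb command under a MountPoints2 key in a ComboFix 'Reg Loading Points' dump."""
    records, volume = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = MP2_KEY.match(line)
        if key:
            volume = key.group(1)  # the {GUID} ComboFix prints for the mounted volume
            continue
        verb = MP2_VERB.match(line)
        if verb and volume:
            records.append({"volume": volume, "verb": verb.group(1), "command": verb.group(2)})
    return records

def launched_binary(command: str) -> str:
    """Executable at the front of a command line, with surrounding quotes and arguments stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def suspicious_mountpoint(rec: Dict[str, str]) -> bool:
    """Heuristic only: a script, or an .exe outside Program Files/Windows, run by a volume's autorun verb."""
    path = launched_binary(rec["command"]).lower()
    if path.endswith(SCRIPT_EXTS):
        return True
    parts = path.split("\\")  # parts[0] is the drive ("g:"), parts[1] the top-level folder
    return len(parts) > 1 and parts[1] not in TRUSTED_DIRS

def parse_hijackthis(text: str) -> List[Dict[str, object]]:
    """O4 (Run key) and O23 (service) entries from a HijackThis log, with the checks a reviewer applies."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        o4 = HJT_O4.match(line)
        if o4:
            hive, name, cmd = o4.groups()
            # A bare file name means HijackThis did not resolve the path; the reviewer has to.
            findings.append({"kind": "O4", "hive": hive, "name": name, "command": cmd,
                             "unresolved": not DRIVE_PATH.match(cmd)})
            continue
        o23 = HJT_O23.match(line)
        if o23:
            name, owner, cmd = o23.groups()
            findings.append({"kind": "O23", "name": name, "owner": owner, "command": cmd,
                             "file_missing": cmd.endswith("(file missing)")})
    return findings

def triage(combofix_text: str, hjt_text: str) -> List[str]:
    """Review notes a helper would want before deciding what to fix; an empty list means nothing stood out."""
    notes = []
    for rec in parse_mountpoints2(combofix_text):
        if suspicious_mountpoint(rec):
            notes.append(f"mountpoints2 {rec['volume']}: verb '{rec['verb']}' runs {launched_binary(rec['command'])}")
    for f in parse_hijackthis(hjt_text):
        if f["kind"] == "O4" and f["unresolved"]:
            notes.append(f"O4 [{f['name']}] has no full path ({f['command']}); locate the file before judging it")
        elif f["kind"] == "O23" and f["file_missing"]:
            notes.append(f"O23 '{f['name']}' points at a missing file; the service is broken or its binary was removed")
    return notes

if __name__ == "__main__":
    for note in triage(COMBOFIX_SAMPLE, HJT_SAMPLE):
        print(note)
```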
     
  19. 2007/09/11
    Foodbird

    Foodbird Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    43
    Likes Received:
    0
    Here is the new HijackThis report, after I fixed the items as Geri instructed and then rebooted my computer.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:09:56, on 11/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\tp4serv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
    D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    D:\Program Files\jj4\jjsvr4.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\BTTotalBroadband220V\Help\bin\mpbtn.exe
    D:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg "
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [StormCodec_Helper] "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe "
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [pyjj] D:\Program Files\jj4\jjsvr4.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe
    O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe
    O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 转换为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: 转换选项为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换选项为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 转换链接目标为现有 PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  20. 2007/09/11
    Foodbird

    Foodbird Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    43
    Likes Received:
    0
    Trojan caught by McAfee

    Just a few minutes ago, McAfee reported the following trojan, which it failed to clean (move).

    Name: setup[1].htm
    In Folder: C:\Document and Settings\Tianxi Wang\Local Settings\Temporary Internet Files\Content.IE5\OXQ1LC8U

    Hope it is useful to experts.
     
  21. 2007/09/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Foodbird

    Please submit this file to Jotti's. Please post the results in your next reply.

    C:\WINDOWS\UnInstall.dll

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

    http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    If you have any Flash drives (USB thumb drives), plug them in before doing this.

    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program.

    Open "NotePad". Copy the contents of the quote box below into the blank NotePad.
    Click "File" > "Save as"
    In the "Save In" box at the top click the down arrow and select DeskTop

    In the "File name" type in: fix.reg
    In the "Save As Type" select: All Files
    Once saved, Go to your desktop double click "fix.reg file" and let it merge with the registry.

    Download OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please post a new combofix log and the Jotti report.

    Thanks
    Geri
     
