help!!

Discussion in 'adware, spyware & hijack cleaning' started by l1pse, May 15, 2004.

Thread Status:
Not open for further replies.
  1. l1pse

    l1pse Registered Member

    Joined:
    May 15, 2004
    Posts:
    3
    I think I have spyware on my comp. Please help me get rid of this. It would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:09:22 AM, on 5/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\wdskctl.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\docume~1\jimmy\locals~1\temp\jlZS1.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\docume~1\hoangu~1\locals~1\temp\HDL.exe
    C:\Program Files\STC\SQ_3394_3222.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\rundll16.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\PROGRA~1\logo extra view\Phone stop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\kkrys.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Documents and Settings\hoanguyen\Application Data\rcnp.exe
    C:\WINDOWS\System32\wnsapisv.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\YzDock\YzDock.exe
    C:\Documents and Settings\hoanguyen\Application Data\DownloadPlus.exe
    C:\WINDOWS\System32\YjsA12v.exe
    C:\WINDOWS\System32\Zpygzf5.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\hoanguyen\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: pkipkiii˜i˜i*i*i ˆiii˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: i˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: @@
    O1 - Hosts: x
    O1 - Hosts: xb
    O1 - Hosts: x
    O1 - Hosts: pd
    O1 - Hosts: x
    O1 - Hosts: ¨j
    O1 - Hosts: ¨j
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: ˜_
    O1 - Hosts: ˜_
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: pË
    O1 - Hosts: pË
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts:  ˆ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: àÞ
    O1 - Hosts: àÞ
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: *
    O1 - Hosts: *
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: ۮ
    O1 - Hosts: ۮ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O3 - Toolbar: KnobMeal - {3C3B66EF-3E2A-275A-D057-29B190395CC9} - C:\PROGRA~1\AIMPOK~1\info cast.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Atitask] Atiptaaa.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\sbnet\ShowBehind.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [lgzosivp] C:\WINDOWS\pjwewkhl.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbatesrun.exe /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [jlZS1] C:\docume~1\jimmy\locals~1\temp\jlZS1.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
    O4 - HKLM\..\Run: [HDL] C:\docume~1\hoangu~1\locals~1\temp\HDL.exe
    O4 - HKLM\..\Run: [lJf] C:\docume~1\hoangu~1\locals~1\temp\lJf.exe
    O4 - HKLM\..\Run: [GhYtx6] C:\docume~1\hoangu~1\locals~1\temp\GhYtx6.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SQInstall] C:\Program Files\STC\SQ_3394_3222.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [3#B4YKH3SJ59EK] C:\WINDOWS\System32\LsyI62.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R
    O4 - HKLM\..\Run: [Thunk time] C:\PROGRA~1\logo extra view\Phone stop.exe
    O4 - HKLM\..\Run: [AutoLoaderqsv71ISlWKXL] "C:\WINDOWS\System32\vssup_incred_4.exe" /PC="AM.ICMD" /HideUninstall /HideDir
    O4 - HKLM\..\Run: [qF4h36P] kkrys.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\Fmempro.exe" Startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Atta] C:\Documents and Settings\hoanguyen\Application Data\rcnp.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
    O4 - Startup: ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Startup: YzDock.lnk = C:\Program Files\YzDock\YzDock.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\hoanguyen\Application Data\DownloadPlus.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/jmyhndrX.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/download/cabs/BANN8005/stoppop.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthsmakamai/systemsoappro.cab
    O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelocity.com/speedblaster3/SpeedBlasterT_3.0.7_B3.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/eng/oneclick/uninstbb.cab
    O16 - DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} (DownloadUL Class) - http://public.searchbarcash.com/cab/039/nezqauyr.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD47573-66DE-4439-81FC-3E19CB0DA5B4}: NameServer = 198.6.100.150 198.6.1.150
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi l1pse,

    First, download and run: Peper uninstaller

    Before you start using HijackThis, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O1 - Hosts: pkipkiii˜i˜i*i*i ˆiii˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: i˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: @@
    O1 - Hosts: x
    O1 - Hosts: xb
    O1 - Hosts: x
    O1 - Hosts: pd
    O1 - Hosts: x
    O1 - Hosts: ¨j
    O1 - Hosts: ¨j
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: ˜_
    O1 - Hosts: ˜_
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: pË
    O1 - Hosts: pË
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts:  ˆ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: àÞ
    O1 - Hosts: àÞ
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: *
    O1 - Hosts: *
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: ۮ
    O1 - Hosts: ۮ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O3 - Toolbar: KnobMeal - {3C3B66EF-3E2A-275A-D057-29B190395CC9} - C:\PROGRA~1\AIMPOK~1\info cast.dll

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\sbnet\ShowBehind.exe

    O4 - HKLM\..\Run: [lgzosivp] C:\WINDOWS\pjwewkhl.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbatesrun.exe /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [jlZS1] C:\docume~1\jimmy\locals~1\temp\jlZS1.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
    O4 - HKLM\..\Run: [HDL] C:\docume~1\hoangu~1\locals~1\temp\HDL.exe
    O4 - HKLM\..\Run: [lJf] C:\docume~1\hoangu~1\locals~1\temp\lJf.exe
    O4 - HKLM\..\Run: [GhYtx6] C:\docume~1\hoangu~1\locals~1\temp\GhYtx6.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SQInstall] C:\Program Files\STC\SQ_3394_3222.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe

    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R
    O4 - HKLM\..\Run: [Thunk time] C:\PROGRA~1\logo extra view\Phone stop.exe
    O4 - HKLM\..\Run: [AutoLoaderqsv71ISlWKXL] "C:\WINDOWS\System32\vssup_incred_4.exe" /PC="AM.ICMD" /HideUninstall /HideDir
    O4 - HKLM\..\Run: [qF4h36P] kkrys.exe

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Atta] C:\Documents and Settings\hoanguyen\Application Data\rcnp.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\hoanguyen\Application Data\DownloadPlus.exe

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/jmyhndrX.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/download/cabs/BANN8005/stoppop.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab

    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthsmakamai/systemsoappro.cab
    O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelocity.com/speedblaster3/SpeedBlasterT_3.0.7_B3.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/eng/oneclick/uninstbb.cab
    O16 - DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} (DownloadUL Class) - http://public.searchbarcash.com/cab/039/nezqauyr.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx

    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE

    Then reboot and use AdAware and Spybot S&D as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then do an online virus scan; you will find several listed here: http://www.wilders.org/free_services_m.htm

    Regards,

    Pieter
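
A follow-up check for the procedure above, added here as an example (not part of the original thread and not HijackThis's own code): it parses the fix list and a fresh log saved after the reboot, then reports which fixed entries are still present. The fix-list lines are taken from this thread; the follow-up log is constructed sample data and the function names are illustrative.

```python
import re

# A HijackThis entry line is "<section code> - <payload>", e.g.
# "O4 - HKLM\..\Run: [name] path". Header and process lines do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return (section, payload) for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def normalise(entry):
    """Collapse whitespace and case-fold: Windows paths and registry
    value names are case-insensitive, so Belt.exe == belt.exe."""
    section, payload = entry
    return section, " ".join(payload.split()).casefold()

def surviving_entries(fix_list_text, followup_log_text):
    """Entries from the fix list still present in the follow-up log,
    grouped by section code, each reported once."""
    present = {normalise(e) for e in parse_entries(followup_log_text)}
    survivors, seen = {}, set()
    for entry in parse_entries(fix_list_text):
        key = normalise(entry)
        if key in present and key not in seen:
            seen.add(key)
            survivors.setdefault(entry[0], []).append(entry[1])
    return survivors

# Five lines from the fix list in this thread.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

# Constructed follow-up log: two fixed entries have come back.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\belt.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

if __name__ == "__main__":
    for section, payloads in surviving_entries(FIX_LIST, FOLLOWUP_LOG).items():
        for payload in payloads:
            print(f"still present: {section} - {payload}")
```

The comparison is an exact match on the normalised line, so an entry that re-registers under a different value name or file name will not be reported and still needs a manual read of the new log.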
     