help!!

Discussion in 'adware, spyware & hijack cleaning' started by l1pse, May 15, 2004.

Thread Status:
Not open for further replies.
  1. l1pse

    l1pse Registered Member

    Joined: May 15, 2004
    Posts: 3

    I think I have spyware on my comp. Please help me get rid of this. It would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:09:22 AM, on 5/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\wdskctl.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\docume~1\jimmy\locals~1\temp\jlZS1.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\docume~1\hoangu~1\locals~1\temp\HDL.exe
    C:\Program Files\STC\SQ_3394_3222.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\rundll16.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\PROGRA~1\logo extra view\Phone stop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\kkrys.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Documents and Settings\hoanguyen\Application Data\rcnp.exe
    C:\WINDOWS\System32\wnsapisv.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\YzDock\YzDock.exe
    C:\Documents and Settings\hoanguyen\Application Data\DownloadPlus.exe
    C:\WINDOWS\System32\YjsA12v.exe
    C:\WINDOWS\System32\Zpygzf5.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\hoanguyen\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: pkipkiii˜i˜i*i*i ˆiii˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: i˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: @@
    O1 - Hosts: x
    O1 - Hosts: xb
    O1 - Hosts: x
    O1 - Hosts: pd
    O1 - Hosts: x
    O1 - Hosts: ¨j
    O1 - Hosts: ¨j
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: ˜_
    O1 - Hosts: ˜_
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: pË
    O1 - Hosts: pË
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts:  ˆ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: àÞ
    O1 - Hosts: àÞ
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: *
    O1 - Hosts: *
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: ۮ
    O1 - Hosts: ۮ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O3 - Toolbar: KnobMeal - {3C3B66EF-3E2A-275A-D057-29B190395CC9} - C:\PROGRA~1\AIMPOK~1\info cast.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Atitask] Atiptaaa.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\sbnet\ShowBehind.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [lgzosivp] C:\WINDOWS\pjwewkhl.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbatesrun.exe /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [jlZS1] C:\docume~1\jimmy\locals~1\temp\jlZS1.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
    O4 - HKLM\..\Run: [HDL] C:\docume~1\hoangu~1\locals~1\temp\HDL.exe
    O4 - HKLM\..\Run: [lJf] C:\docume~1\hoangu~1\locals~1\temp\lJf.exe
    O4 - HKLM\..\Run: [GhYtx6] C:\docume~1\hoangu~1\locals~1\temp\GhYtx6.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SQInstall] C:\Program Files\STC\SQ_3394_3222.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [3#B4YKH3SJ59EK] C:\WINDOWS\System32\LsyI62.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R
    O4 - HKLM\..\Run: [Thunk time] C:\PROGRA~1\logo extra view\Phone stop.exe
    O4 - HKLM\..\Run: [AutoLoaderqsv71ISlWKXL] "C:\WINDOWS\System32\vssup_incred_4.exe" /PC="AM.ICMD" /HideUninstall /HideDir
    O4 - HKLM\..\Run: [qF4h36P] kkrys.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\Fmempro.exe" Startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Atta] C:\Documents and Settings\hoanguyen\Application Data\rcnp.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
    O4 - Startup: ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Startup: YzDock.lnk = C:\Program Files\YzDock\YzDock.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\hoanguyen\Application Data\DownloadPlus.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/jmyhndrX.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/download/cabs/BANN8005/stoppop.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthsmakamai/systemsoappro.cab
    O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelocity.com/speedblaster3/SpeedBlasterT_3.0.7_B3.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/eng/oneclick/uninstbb.cab
    O16 - DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} (DownloadUL Class) - http://public.searchbarcash.com/cab/039/nezqauyr.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD47573-66DE-4439-81FC-3E19CB0DA5B4}: NameServer = 198.6.100.150 198.6.1.150
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002
    Posts: 13,330
    Location: Netherlands

    Hi l1pse,

    First, download and run: Peper uninstaller

    Before you start using HijackThis, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O1 - Hosts: pkipkiii˜i˜i*i*i ˆiii˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: i˜i˜i*i*i¨i¨i°i°i¸i¸iÀiÀiÈiÈiÐiÐiØiØiàiàièièiðiðiøiøi
    O1 - Hosts: @@
    O1 - Hosts: x
    O1 - Hosts: xb
    O1 - Hosts: x
    O1 - Hosts: pd
    O1 - Hosts: x
    O1 - Hosts: ¨j
    O1 - Hosts: ¨j
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: ˜_
    O1 - Hosts: ˜_
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: pË
    O1 - Hosts: pË
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts:  ˆ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: àÞ
    O1 - Hosts: àÞ
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: ˜
    O1 - Hosts: ˜
    O1 - Hosts: *
    O1 - Hosts: *
    O1 - Hosts: ¨
    O1 - Hosts: ¨
    O1 - Hosts: °
    O1 - Hosts: °
    O1 - Hosts: ¸
    O1 - Hosts: ¸
    O1 - Hosts: À
    O1 - Hosts: À
    O1 - Hosts: È
    O1 - Hosts: È
    O1 - Hosts: Ð
    O1 - Hosts: Ð
    O1 - Hosts: Ø
    O1 - Hosts: Ø
    O1 - Hosts: à
    O1 - Hosts: à
    O1 - Hosts: è
    O1 - Hosts: è
    O1 - Hosts: ð
    O1 - Hosts: ð
    O1 - Hosts: ø
    O1 - Hosts: ø
    O1 - Hosts: ۮ
    O1 - Hosts: ۮ
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O1 - Hosts: 
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
    O3 - Toolbar: KnobMeal - {3C3B66EF-3E2A-275A-D057-29B190395CC9} - C:\PROGRA~1\AIMPOK~1\info cast.dll

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\sbnet\ShowBehind.exe

    O4 - HKLM\..\Run: [lgzosivp] C:\WINDOWS\pjwewkhl.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbatesrun.exe /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [jlZS1] C:\docume~1\jimmy\locals~1\temp\jlZS1.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
    O4 - HKLM\..\Run: [HDL] C:\docume~1\hoangu~1\locals~1\temp\HDL.exe
    O4 - HKLM\..\Run: [lJf] C:\docume~1\hoangu~1\locals~1\temp\lJf.exe
    O4 - HKLM\..\Run: [GhYtx6] C:\docume~1\hoangu~1\locals~1\temp\GhYtx6.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SQInstall] C:\Program Files\STC\SQ_3394_3222.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe

    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R
    O4 - HKLM\..\Run: [Thunk time] C:\PROGRA~1\logo extra view\Phone stop.exe
    O4 - HKLM\..\Run: [AutoLoaderqsv71ISlWKXL] "C:\WINDOWS\System32\vssup_incred_4.exe" /PC="AM.ICMD" /HideUninstall /HideDir
    O4 - HKLM\..\Run: [qF4h36P] kkrys.exe

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Atta] C:\Documents and Settings\hoanguyen\Application Data\rcnp.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\hoanguyen\Application Data\DownloadPlus.exe

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/jmyhndrX.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/download/cabs/BANN8005/stoppop.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab

    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthsmakamai/systemsoappro.cab
    O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelocity.com/speedblaster3/SpeedBlasterT_3.0.7_B3.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/eng/oneclick/uninstbb.cab
    O16 - DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} (DownloadUL Class) - http://public.searchbarcash.com/cab/039/nezqauyr.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab
    O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx

    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE

    Then reboot and use AdAware and Spybot S&D as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then do an online virus scan; you will find several listed here: http://www.wilders.org/free_services_m.htm

    Regards,

    Pieter
     