centsster Posted May 24, 2007 (edited)

Please, any of you good people, help me. I downloaded a P2P program today, which I removed immediately because I didn't like it. When I turned my computer on after I got home from that, my Norton Antivirus was showing pop-ups, saying there's winlog.exe in system32 that they can't remove. Programs not opening, opening very slowly, and so forth. I've done my share of searches for the past 6 hours, and managed to follow some directions on websites. But it still is very slow. Here's what my current log looks like:

------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:47:39 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Administrator.D2X00341\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 ¿Aμð¿A μa¶oAI¹o\stacmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1.1\VPTray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [FPM Exe] "C:\Program Files\Fasoo DRM\fpm.exe"
O4 - HKLM\..\Run: [FPH Exe] "C:\Program Files\Fasoo DRM\fph.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - http://image.shinhan.com/bank/etc/keyStrok...40837/scsk4.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - https://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {5373CE59-8BB8-45DF-96FB-7DC2F668D674} -
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} -
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) -
O16 - DPF: {7DC58032-60EE-41E0-84DA-77BFFE156B91} (KcpPayAtx Control) - https://secure.kcp.co.kr/webpay/ISP/kcp_pg1.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) -
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail.net/tv/cabs_20050909/MyTVInstaller.cab
O16 - DPF: {84F7A3A9-B92A-41F4-890F-83F2DC0ADB7E} (ToolBarInstall Control) - http://toolbar.imbc.com/toolbar/MBCToolBar.cab
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {934CEFDC-E880-446F-880F-6560F613D8AA} (FCliVer Class) - http://www.conpia.com/0511/tv/Fasoo/Client...(v1.2.28.0).cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) -
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} -
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) -
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} -
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} -
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1390A50-25DB-4361-A7FA-AF8B06C99921} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus CE 9.0.1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus CE 9.0.1\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus CE 9.0.1\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--------------------------------------------------------------------

I deleted the following with HijackThis (and hence they are not showing above):

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
--------------------------------------------------------------------

I did nothing else (a website http://www.ozzu.com/ftopic61007.html recommended that I run "Start-Run" and delete the above files, but I couldn't figure out how to do it). I downloaded Spybot and scanned twice, removed everything. I also tried several different spyware removal programs, but now I don't know what to do... Please, somebody help, and let me know what steps to take... I would really appreciate it. This is the last thing that I need right now. I run Win XP.

============
I haven't received a reply yet... but I thought I'd list further activities that I performed here.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:11:38 AM 5/24/2007
+ Scan result:
:mozilla.86:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.60:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.61:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.88:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.90:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.37:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.65:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.67:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Clickbank : No action taken.
:mozilla.20:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.33:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.78:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.79:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.76:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.46:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.69:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.29:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Matchcraft : No action taken.
:mozilla.80:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.97:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.98:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.99:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.17:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.18:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.19:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.21:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.35:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.36:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.38:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.39:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.50:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.62:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.75:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.77:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.9:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.82:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.49:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.50:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\madmoq1x.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.40:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.41:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.42:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.43:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.44:C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : No action taken.
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : No action taken.
::Report end
---------------------------------------------------------
-> I deleted the p.zip and v.tmp using the program.

============
I also ran About Buster and got the following:

AboutBuster 6.07
Scan started on [5/24/2007] at [10:16:53 AM]
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:18:09 AM
============

Can someone advise??? The system is still very, very slow...

Edited May 24, 2007 by centsster
jwbirdsong Posted May 25, 2007 (edited)

Which P2P did you D/L then uninstall?? Fasoo??

You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

O4 - Global Startup: dllhost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://imbc.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - http://image.shinhan.com/bank/etc/keyStrok...40837/scsk4.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - https://mpi.dacom.net/XPayMPI/Xecure_LiveUp..._XPayMPIOCX.cab
O16 - DPF: {5373CE59-8BB8-45DF-96FB-7DC2F668D674} -
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) -
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} -
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) -
O16 - DPF: {7DC58032-60EE-41E0-84DA-77BFFE156B91} (KcpPayAtx Control) - https://secure.kcp.co.kr/webpay/ISP/kcp_pg1.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) -
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail.net/tv/cabs_20050909/MyTVInstaller.cab
O16 - DPF: {84F7A3A9-B92A-41F4-890F-83F2DC0ADB7E} (ToolBarInstall Control) - http://toolbar.imbc.com/toolbar/MBCToolBar.cab
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {934CEFDC-E880-446F-880F-6560F613D8AA} (FCliVer Class) - http://www.conpia.com/0511/tv/Fasoo/Client...(v1.2.28.0).cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) -
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B869F34A-A5AD-47B8-AC46-FF5A614F3D44} -
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) -
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} -
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/test/Online.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} -
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1390A50-25DB-4361-A7FA-AF8B06C99921} -

Close ALL other open windows and programs and click Fix checked.

Please go HERE to run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

After a reboot post the Panda results and a fresh HijackThis log.

Edited May 25, 2007 by jwbirdsong
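As an added example (not code from this thread, from the helper, or from HijackThis itself), a small Python triage script for logs like the ones posted here. It applies the checks a helper applies by eye: a RunServices value, a startup entry that names a Windows system process (the dllhost.exe Global Startup item above) or a bare file name with no path (winlog.exe), entries marked (no file) or (file missing), O16 DPF entries with no source URL, and Winlogon Notify DLLs. The sample lines are a constructed subset of the logs posted in this thread; a flag is a prompt to review, not a verdict (nwiz.exe trips the bare-name rule and is legitimate), and a full path proves nothing either, as the outlook.exe entry that turned out to be Worm.VB.dw shows.

```python
"""Triage helper for HijackThis-style logs: flags the entry patterns a malware
removal helper reviews first. A finding is a review prompt, not a verdict."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the logs posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""


@dataclass
class Finding:
    kind: str    # HijackThis section prefix, e.g. "O4"
    entry: str   # the log line exactly as written
    reason: str  # why a helper would look at it


# Core Windows processes are started by the boot chain and the service manager,
# never from Run keys or a Startup folder, so an autostart entry carrying one of
# these names is a look-alike until proven otherwise.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "dllhost.exe"}

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")


def executable_of(cmd: str) -> str:
    """Program part of an O4 command: strip 'Name.lnk = ', quotes and arguments."""
    cmd = cmd.strip()
    if " = " in cmd:                      # Startup-folder shortcut: "X.lnk = target"
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    line = line.rstrip()
    kind = line.split(" ", 1)[0]
    if line.endswith("(no file)") or line.endswith("(file missing)"):
        return Finding(kind, line, "orphaned entry: the registered file is gone, "
                       "so it does nothing but can be cleared")
    if kind == "O4":
        m = O4_RE.match(line)
        if not m:
            return None
        exe = executable_of(m.group("cmd"))
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "RunServices" in m.group("where"):
            return Finding(kind, line, "RunServices key: a Windows 9x autostart key "
                           "that XP-era installers rarely write")
        if base in SYSTEM_PROCESS_NAMES:
            return Finding(kind, line, f"'{base}' is a Windows system process name but "
                           "is started from an autostart location, which Windows does not do")
        if "\\" not in exe and "/" not in exe:
            return Finding(kind, line, f"bare file name '{exe}' with no path: found via "
                           "PATH lookup, confirm which file actually runs")
        return None
    if kind == "O16":
        m = O16_RE.match(line)
        if m and not m.group("url"):
            return Finding(kind, line, "Download Program Files entry with no source URL: "
                           "nothing can refresh it, clear it unless the CLSID is known")
        return None
    if line.startswith("O20 - Winlogon Notify:"):
        return Finding(kind, line, "DLL loaded by winlogon.exe at every logon, a common "
                       "persistence point: verify the publisher")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through the rules above."""
    findings = []
    for raw in log_text.splitlines():
        found = triage_line(raw)
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.entry}")
```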
centsster (Author) Posted May 26, 2007 (edited)

Thank you so much for your help. The P2P I loaded/uninstalled was Addax, but I think it may have been the file that I was attempting to download that was loaded with stuff. I had errors every time I tried to shut down the computer, re: dllhost.exe. Things seem to have gotten way better after I followed your guide. So here's the result. I followed your steps, ATF Cleaner --> HijackThis --> ActiveScan.

==============================================
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:56:58 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus CE 9.0.1\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus CE 9.0.1\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\SigmaTel\SigmaTel AC97 ??? ????\stacmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1.1\VPTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iridium.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\K\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/penn_portal/view.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 ??? ????\stacmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1.1\VPTray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iridiumTimeWizard] C:\Program Files\iridium.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180103896687
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus CE 9.0.1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus CE 9.0.1\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus CE 9.0.1\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8249 bytes
==============================================

Panda ActiveScan results (Incident | Status | Location):

Potentially unwanted tool:Application/PRScheduler | Not disinfected | C:\Documents and Settings\K\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/myaffiliateprogram | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Mediaplex | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WebtrendsLive | Not disinfected | C:\Documents and Settings\Administrator.D2X00341\Application Data\Mozilla\Firefox\Profiles\tkrxfy4b.default\cookies.txt[statse.webtrendslive.com/]
Virus:Trj/Vb.TT | Disinfected | C:\Documents and Settings\K\Desktop\backups\backup-20070525-200607-764-dllhost.exe
Virus:Trj/Vb.TT | Disinfected | C:\Program Files\a.zip[setup.exe]
Virus:Trj/Vb.TT | Disinfected | C:\Program Files\b.zip[Video.exe]
Virus:Trj/Vb.TT | Disinfected | C:\Program Files\c.zip[Track_03.exe]
Virus:Trj/Vb.TT | Disinfected | C:\Program Files\Setup.exe
Virus:Trj/Vb.TT | Disinfected | C:\Program Files\Track_03.exe
Virus:Trj/Vb.TT | Disinfected | C:\Program Files\Video.exe
Potentially unwanted tool:Application/PRScheduler | Not disinfected | C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
=================================================

My system seems a lot better, as if everything's fine. Is it? I had difficulties right after this clean-up, as Windows was taking a long time to boot, getting stuck on MS Automatic Updates, with significant time spent on opening the first program I try. Now, it seems very normal! ActiveScan tells me to buy their stuff to delete all that has not been taken care of. How does the log look? Are there further steps I need to take? Pls do let me know. I really appreciate your help, although I can only do it in words. It really is generous of you!!!

Edited May 26, 2007 by centsster
jwbirdsong Posted May 31, 2007
Sorry, I seem to have lost track of this over the long holiday weekend... Would you post a fresh HijackThis log for me, please?