
I can't open any application...

Discussion in 'Windows - Virus and spyware problems' started by xsky, May 17, 2006.

  1. xsky (Member)
    Hi....

    Can you help me with this..

    My laptop seems to have these problems:

    1. It can't run a major part of my applications.
    2. I've tried to use many types of anti-virus but it fails (AVG, Norton).
    3. Any application that has a connection with the anti-virus application will automatically be closed..
    4. I can't run my cmd....it gets closed as soon as I try to run it.
    5. When I use the Ad-Aware scan I get these files in my system: shntt288.exe, ocp user@ati.bridgetrack[2].txt, newdotnet.dll
    6. I've run Windows in safe mode and tried to use the HjT application, and again it gets shut down automatically.
    7. Same thing goes for SmitfraudFix; it gets shut as soon as I open it in safe mode.

    Those are the problems that my laptop is facing....

    Please...help...

    Thanks...
     
    Last edited: May 17, 2006
  2. -kemisti- (Active member)
    Hi xsky:

    Try to rename HijackThis.exe to something.exe and try again.
     
  3. xsky (Member)
    Hi...

    I've tried to change it...and it still shuts automatically...
    But I was a bit lucky..after trying several times I've managed to get the log....AT LAST!!!

    Here is the log...

    Logfile of HijackThis v1.99.1
    Scan saved at 10:31:47 PM, on 5/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\s6609\winlogon.exe
    C:\WINDOWS\system32\s6609\services.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\WINDOWS\system32\s6609\csrss.exe
    C:\WINDOWS\system32\s6609\lsass.exe
    C:\WINDOWS\XP15564\qm7296.exe
    C:\WINDOWS\system32\s6609\m7296.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\PowerKey.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\OSDCtrl.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Acer\Empowering Technology\admtray.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\DOCUME~1\XPUSER~1\LOCALS~1\Temp\RtkBtMnt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\s6609\smss.exe
    C:\data.exe\something.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4453727.exe"
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6453722.exe
    O1 - Hosts: 127.0.0.22 mcafee.net
    O1 - Hosts: 127.0.0.22 www.mcafee.net
    O1 - Hosts: 127.0.0.22 mcafee.org
    O1 - Hosts: 127.0.0.22 www.mcafee.org
    O1 - Hosts: 127.0.0.22 mcafeesecurity.com
    O1 - Hosts: 127.0.0.22 www.mcafeesecurity.com
    O1 - Hosts: 127.0.0.22 mcafeesecurity.net
    O1 - Hosts: 127.0.0.22 www.mcafeesecurity.net
    O1 - Hosts: 127.0.0.22 mcafeesecurity.org
    O1 - Hosts: 127.0.0.22 www.mcafeesecurity.org
    O1 - Hosts: 127.0.0.22 mcafeeb2b.com
    O1 - Hosts: 127.0.0.22 www.mcafeeb2b.com
    O1 - Hosts: 127.0.0.22 mcafeeb2b.net
    O1 - Hosts: 127.0.0.22 www.mcafeeb2b.net
    O1 - Hosts: 127.0.0.22 mcafeeb2b.org
    O1 - Hosts: 127.0.0.22 www.mcafeeb2b.org
    O1 - Hosts: 127.0.0.22 nai.net
    O1 - Hosts: 127.0.0.22 www.nai.net
    O1 - Hosts: 127.0.0.22 nai.org
    O1 - Hosts: 127.0.0.22 www.nai.org
    O1 - Hosts: 127.0.0.22 www.vil.nai.com
    O1 - Hosts: 127.0.0.22 vil.nai.net
    O1 - Hosts: 127.0.0.22 www.vil.nai.net
    O1 - Hosts: 127.0.0.22 vil.nai.org
    O1 - Hosts: 127.0.0.22 www.vil.nai.org
    O1 - Hosts: 127.0.0.22 grisoft.com
    O1 - Hosts: 127.0.0.22 grisoft.net
    O1 - Hosts: 127.0.0.22 www.grisoft.net
    O1 - Hosts: 127.0.0.22 grisoft.org
    O1 - Hosts: 127.0.0.22 www.grisoft.org
    O1 - Hosts: 127.0.0.22 www.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 kaspersky.net
    O1 - Hosts: 127.0.0.22 www.kaspersky.net
    O1 - Hosts: 127.0.0.22 kaspersky.org
    O1 - Hosts: 127.0.0.22 www.kaspersky.org
    O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.download.mcafee.com
    O1 - Hosts: 127.0.0.22 download.mcafee.net
    O1 - Hosts: 127.0.0.22 www.download.mcafee.net
    O1 - Hosts: 127.0.0.22 download.mcafee.org
    O1 - Hosts: 127.0.0.22 www.download.mcafee.org
    O1 - Hosts: 127.0.0.22 norton.com
    O1 - Hosts: 127.0.0.22 www.norton.com
    O1 - Hosts: 127.0.0.22 norton.net
    O1 - Hosts: 127.0.0.22 www.norton.net
    O1 - Hosts: 127.0.0.22 norton.org
    O1 - Hosts: 127.0.0.22 www.norton.org
    O1 - Hosts: 127.0.0.22 symantec.com
    O1 - Hosts: 127.0.0.22 www.symantec.com
    O1 - Hosts: 127.0.0.22 symantec.net
    O1 - Hosts: 127.0.0.22 www.symantec.net
    O1 - Hosts: 127.0.0.22 symantec.org
    O1 - Hosts: 127.0.0.22 www.symantec.org
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.com
    O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.net
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.net
    O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.org
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.org
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.com
    O1 - Hosts: 127.0.0.22 liveupdate.symantec.net
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.net
    O1 - Hosts: 127.0.0.22 liveupdate.symantec.org
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.org
    O1 - Hosts: 127.0.0.22 www.update.symantec.com
    O1 - Hosts: 127.0.0.22 update.symantec.net
    O1 - Hosts: 127.0.0.22 www.update.symantec.net
    O1 - Hosts: 127.0.0.22 update.symantec.org
    O1 - Hosts: 127.0.0.22 www.update.symantec.org
    O1 - Hosts: 127.0.0.22 securityresponse.symantec.com
    O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.com
    O1 - Hosts: 127.0.0.22 securityresponse.symantec.net
    O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.net
    O1 - Hosts: 127.0.0.22 securityresponse.symantec.org
    O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.org
    O1 - Hosts: 127.0.0.22 sarc.com
    O1 - Hosts: 127.0.0.22 www.sarc.com
    O1 - Hosts: 127.0.0.22 sarc.net
    O1 - Hosts: 127.0.0.22 www.sarc.net
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
    O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
    O4 - HKLM\..\Run: [A7323r] "C:\WINDOWS\j6453722.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [f2355XP ] "C:\WINDOWS\system32\s6609\zh591461684y.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    Note: if you want me to fix it using HijackThis it might not work, because it will shut off after a few seconds, so you might need to approach it with other methods....

    Thanks...
     
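An added example, not from the thread and not part of HijackThis or any helper tool: a small Python triage script for a log in the HijackThis v1.99 format posted above. It flags the patterns a helper would pick out of that log: core Windows binary names running from an odd directory (the s6609 copies of winlogon.exe and lsass.exe), extra programs appended to the Shell/UserInit values, O1 hosts entries that point security vendors at a loopback address, O7 policy locks, and O4 autostart entries that reference a file or directory already flagged. SAMPLE_LOG is a constructed excerpt modelled on the log above, and the check names are my own.

```python
"""Triage a HijackThis v1.99 log for the hijack patterns seen in this thread."""
import re
from ipaddress import ip_address
from typing import List, Tuple

# Constructed excerpt in HijackThis log format, modelled on the log posted
# above (a handful of representative lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\s6609\winlogon.exe
C:\WINDOWS\system32\s6609\lsass.exe
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4453727.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6453722.exe
O1 - Hosts: 127.0.0.22 www.symantec.com
O1 - Hosts: 127.0.0.22 grisoft.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [A7323r] "C:\WINDOWS\j6453722.exe"
O4 - HKCU\..\Run: [f2355XP ] "C:\WINDOWS\system32\s6609\zh591461684y.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Core Windows binaries and the only directory each legitimately runs from
# on an XP install in C:\WINDOWS (lower-cased for comparison).
SYSTEM32 = r"c:\windows\system32"
CORE_BINARIES = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe")}
CORE_BINARIES["explorer.exe"] = r"c:\windows"

Finding = Tuple[str, str]  # (check name, offending log line)


def split_path(path: str) -> Tuple[str, str]:
    # Lower-case a Windows path and split it into (directory, filename).
    head, _, tail = path.strip().strip('"').lower().rpartition("\\")
    return head, tail


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    suspect = set()   # lower-cased files/directories already tied to a hijack
    autoruns = []     # (line, target) of O4 entries, correlated at the end
    lines = [ln.strip() for ln in log_text.splitlines()]

    # 1. A core OS binary name running from the wrong directory (the s6609
    #    copies of winlogon.exe/lsass.exe in the log above).
    start = lines.index("Running processes:") + 1 if "Running processes:" in lines else len(lines)
    for ln in lines[start:]:
        if not ln:
            break
        directory, name = split_path(ln)
        if name in CORE_BINARIES and directory != CORE_BINARIES[name]:
            findings.append(("core-binary-wrong-dir", ln))
            suspect.add(directory)

    for ln in lines:
        # 2. F2: anything appended to the stock Shell/UserInit value is an extra
        #    program started at logon, before the desktop even appears.
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", ln)
        if m:
            key, value = m.groups()
            stock = "explorer.exe" if key == "Shell" else SYSTEM32 + r"\userinit.exe"
            items = [t.strip('"').lower() for t in re.findall(r'"[^"]*"|[^,\s]+', value)]
            extras = [t for t in items if t != stock]
            if extras:
                findings.append(("f2-%s-hijack" % key.lower(), ln))
                suspect.update(extras)
        # 3. O1: a loopback address for any name but localhost blackholes that
        #    site; here it cuts the machine off from the AV vendors' updates.
        m = re.match(r"O1 - Hosts: (\S+)\s+(\S+)", ln)
        if m:
            addr, host = m.groups()
            try:
                loopback = ip_address(addr).is_loopback
            except ValueError:
                loopback = False
            if loopback and host.lower() != "localhost":
                findings.append(("hosts-blackhole", ln))
        # 4. O7: policy keys that lock the user out of tools such as regedit.
        if ln.startswith("O7 - ") and ln.endswith("=1"):
            findings.append(("policy-restriction", ln))
        m = re.match(r"O4 - .*\\Run: \[[^\]]*\] (.*)", ln)
        if m:
            autoruns.append((ln, m.group(1)))

    # 5. O4 autostart entries pointing at a file or directory flagged above:
    #    the persistence for the same payload (j6453722.exe, the s6609 folder).
    for ln, target in autoruns:
        quoted = re.match(r'"([^"]*)"', target)
        path = quoted.group(1) if quoted else target
        if path.lower() in suspect or split_path(path)[0] in suspect:
            findings.append(("autorun-correlated", ln))
    return findings
```

Running `triage(SAMPLE_LOG)` on the excerpt returns nine findings; the legitimate SynTPEnh autostart and the real system32 copies of smss.exe and winlogon.exe are not reported.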
  4. -kemisti- (Active member)
    Ok, we'll try other methods then :)

    Download Hoster http://www.funkytoad.com/download/hoster.zip and unzip it to your desktop

    Open Hoster that you earlier unzipped on your desktop

    - Click "Make Hosts Writable?" in the upper right corner (if available)
    - Click "Restore Microsoft's Original Hosts File" and then click OK
    - Close Hoster
    Note: if you used any custom Hosts (e.g. MVPS Hosts), you will have to put them back manually

    Uninstall via Add/remove programs (control panel):

    MediaGateway
    webHancer Survey Companion or similar

    1. Please download The Avenger http://swandog46.geekstogo.com/avenger.zip by Swandog46 to your Desktop.
    - Click on Avenger.zip to open the file
    - Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    - Under "Script file to execute" choose "Input Script Manually".
    - Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script"
    - Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    - Click Done
    - Now click on the Green Light to begin execution of the script
    - Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    - It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    - On reboot, it will briefly open a black command window on your desktop; this is normal.
    - After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    - The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log

    If you can't do this, try to boot in safe mode and try again.
     
    Last edited: May 19, 2006
  5. xsky (Member)
    Thanks...

    I'll try it...
     
  6. xsky (Member)
    Hi...

    I've tried doing all the things that you said..and it runs smoothly..

    But when I try to run CCleaner it will automatically shut off...do I need to try it again in safe mode??

    And another thing: when you asked me to add/remove programs..I just found 1..

    The webHancer couldn't be found; was that ok???

    And here is the Avenger log file..later I'll give you the HijackThis log..

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\lykhbi^d

    *******************

    Script file located at: \??\C:\WINDOWS\system32\lbmvkdwy.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Folder C:\WINDOWS\system32\s6609 deleted successfully.
    Folder C:\Program Files\MediaGateway deleted successfully.


    Folder C:\Program Files\webHancer not found!
    Deletion of folder C:\Program Files\webHancer failed!

    Could not process line:
    C:\Program Files\webHancer
    Status: 0xc0000034

    File C:\WINDOWS\j6453722.exe deleted successfully.
    File C:\WINDOWS\o4453727.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    Thanks...
     
  7. xsky (Member)
    And here is the HijackThis log...

    Logfile of HijackThis v1.99.1
    Scan saved at 4:23:20 PM, on 5/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\WINDOWS\system32\s6609\winlogon.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\PowerKey.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\OSDCtrl.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\system32\s6609\services.exe
    C:\Acer\Empowering Technology\admtray.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\WINDOWS\system32\s6609\csrss.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\s6609\lsass.exe
    C:\WINDOWS\XP15564\qm7296.exe
    C:\WINDOWS\system32\s6609\m7296.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\DOCUME~1\XPUSER~1\LOCALS~1\Temp\RtkBtMnt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Documents and Settings\XP User\Desktop\HJT\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4453727.exe"
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6453722.exe
    O1 - Hosts: 127.0.0.22 mcafee.com
    O1 - Hosts: 127.0.0.22 www.mcafee.com
    O1 - Hosts: 127.0.0.22 mcafee.net
    O1 - Hosts: 127.0.0.22 www.mcafee.net
    O1 - Hosts: 127.0.0.22 mcafee.org
    O1 - Hosts: 127.0.0.22 www.mcafee.org
    O1 - Hosts: 127.0.0.22 mcafeesecurity.com
    O1 - Hosts: 127.0.0.22 www.mcafeesecurity.com
    O1 - Hosts: 127.0.0.22 mcafeesecurity.net
    O1 - Hosts: 127.0.0.22 www.mcafeesecurity.net
    O1 - Hosts: 127.0.0.22 mcafeesecurity.org
    O1 - Hosts: 127.0.0.22 www.mcafeesecurity.org
    O1 - Hosts: 127.0.0.22 mcafeeb2b.com
    O1 - Hosts: 127.0.0.22 www.mcafeeb2b.com
    O1 - Hosts: 127.0.0.22 mcafeeb2b.net
    O1 - Hosts: 127.0.0.22 www.mcafeeb2b.net
    O1 - Hosts: 127.0.0.22 mcafeeb2b.org
    O1 - Hosts: 127.0.0.22 www.mcafeeb2b.org
    O1 - Hosts: 127.0.0.22 nai.com
    O1 - Hosts: 127.0.0.22 www.nai.com
    O1 - Hosts: 127.0.0.22 nai.net
    O1 - Hosts: 127.0.0.22 www.nai.net
    O1 - Hosts: 127.0.0.22 nai.org
    O1 - Hosts: 127.0.0.22 www.nai.org
    O1 - Hosts: 127.0.0.22 vil.nai.com
    O1 - Hosts: 127.0.0.22 www.vil.nai.com
    O1 - Hosts: 127.0.0.22 vil.nai.net
    O1 - Hosts: 127.0.0.22 www.vil.nai.net
    O1 - Hosts: 127.0.0.22 vil.nai.org
    O1 - Hosts: 127.0.0.22 www.vil.nai.org
    O1 - Hosts: 127.0.0.22 grisoft.com
    O1 - Hosts: 127.0.0.22 www.grisoft.com
    O1 - Hosts: 127.0.0.22 grisoft.net
    O1 - Hosts: 127.0.0.22 www.grisoft.net
    O1 - Hosts: 127.0.0.22 grisoft.org
    O1 - Hosts: 127.0.0.22 www.grisoft.org
    O1 - Hosts: 127.0.0.22 kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 www.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 kaspersky.com
    O1 - Hosts: 127.0.0.22 www.kaspersky.com
    O1 - Hosts: 127.0.0.22 kaspersky.net
    O1 - Hosts: 127.0.0.22 www.kaspersky.net
    O1 - Hosts: 127.0.0.22 kaspersky.org
    O1 - Hosts: 127.0.0.22 www.kaspersky.org
    O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.com
    O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.net
    O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.org
    O1 - Hosts: 127.0.0.22 download.mcafee.com
    O1 - Hosts: 127.0.0.22 www.download.mcafee.com
    O1 - Hosts: 127.0.0.22 download.mcafee.net
    O1 - Hosts: 127.0.0.22 www.download.mcafee.net
    O1 - Hosts: 127.0.0.22 download.mcafee.org
    O1 - Hosts: 127.0.0.22 www.download.mcafee.org
    O1 - Hosts: 127.0.0.22 norton.com
    O1 - Hosts: 127.0.0.22 www.norton.com
    O1 - Hosts: 127.0.0.22 norton.net
    O1 - Hosts: 127.0.0.22 www.norton.net
    O1 - Hosts: 127.0.0.22 norton.org
    O1 - Hosts: 127.0.0.22 www.norton.org
    O1 - Hosts: 127.0.0.22 symantec.com
    O1 - Hosts: 127.0.0.22 www.symantec.com
    O1 - Hosts: 127.0.0.22 symantec.net
    O1 - Hosts: 127.0.0.22 www.symantec.net
    O1 - Hosts: 127.0.0.22 symantec.org
    O1 - Hosts: 127.0.0.22 www.symantec.org
    O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.com
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.com
    O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.net
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.net
    O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.org
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.org
    O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.com
    O1 - Hosts: 127.0.0.22 liveupdate.symantec.net
    O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.net
    O1 - Hosts: 127.0.0.22 liveupdate.symantec.org
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
    O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
    O4 - HKLM\..\Run: [A7323r] "C:\WINDOWS\j6453722.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [f2355XP ] "C:\WINDOWS\system32\s6609\zh591461684y.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    I've tried to run Avenger and do it all again in safe mode, but after it restarts it appears that the Avenger text couldn't be found....

    please..help...

    thanks...
     
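    The log above shows the three things a responder looks for first in a HijackThis dump: O1 hosts entries that sink security-vendor update domains to a loopback address (127.0.0.22 here, so the updates silently fail), O4 autorun entries with random-looking file names under C:\WINDOWS and C:\WINDOWS\system32\s6609, and an O7 policy that disables regedit. The following is an added triage script, not part of this thread or of HijackThis; the vendor keyword list and the "4+ digits mixed with letters" heuristic are assumptions you would tune to your own environment, and the sample lines are copied from the posted log with two benign entries for contrast.

```python
"""Triage a HijackThis log for the defensive signals seen in this thread:
hosts-file entries that sink security-vendor domains, autorun entries with
random-looking file names, and policy keys that disable admin tools."""
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumption: vendor substrings worth watching; extend for your environment.
SECURITY_DOMAIN_KEYWORDS = ("kaspersky", "mcafee", "norton", "symantec",
                            "trendmicro", "f-secure", "avg", "sophos")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^O7 - .*?,\s*(?P<key>Disable\w+)=1\s*$")

# Constructed sample: lines copied from the log posted above plus two benign
# autorun entries (SynTPEnh, ctfmon) so the heuristics have something to pass.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.22 download.mcafee.com
O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [A7323r] "C:\WINDOWS\j6453722.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [f2355XP ] "C:\WINDOWS\system32\s6609\zh591461684y.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


def hosts_finding(line):
    """Return (ip, host) when an O1 line maps a security-vendor host to loopback."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.groups()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    # Any 127.0.0.0/8 address works as a sinkhole, not just 127.0.0.1.
    if addr.is_loopback and any(k in host.lower() for k in SECURITY_DOMAIN_KEYWORDS):
        return ip, host
    return None


def executable_path(cmd):
    """Extract the program path from a Run value: quoted, or up to the .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(name):
    """Heuristic (assumption): 4+ digits mixed with letters, e.g. j6453722, s6609."""
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return digits >= 4 and letters >= 1


def run_finding(line):
    """Return (value name, path) when an O4 Run entry has a random-looking file or folder."""
    m = RUN_RE.match(line)
    if not m:
        return None
    path = PureWindowsPath(executable_path(m.group("cmd")))
    if looks_random(path.stem) or looks_random(path.parent.name):
        return m.group("name").strip(), str(path)
    return None


def policy_finding(line):
    """Return the policy key when an O7 line sets a Disable* policy to 1."""
    m = POLICY_RE.match(line)
    return m.group("key") if m else None


def triage(log_text):
    """Walk the log and return (category, detail, original line) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        h = hosts_finding(line)
        if h:
            findings.append(("hosts_sinkhole", h[1], line))
            continue
        r = run_finding(line)
        if r:
            findings.append(("suspicious_autorun", r[1], line))
            continue
        p = policy_finding(line)
        if p:
            findings.append(("tool_disabled_by_policy", p, line))
    return findings


if __name__ == "__main__":
    for category, detail, line in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

    Run against the sample, it reports the three sinkholed vendor hosts, the two autorun entries (j6453722.exe and s6609\zh591461684y.exe) and the DisableRegedit policy, and stays quiet on the Synaptics and ctfmon entries. The loopback check deliberately covers the whole 127.0.0.0/8 range because, as the log shows, a hosts hijack does not need to use 127.0.0.1.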
  8. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Not looking good actually :(

    Eg. Avenger deleted this -> C:\WINDOWS\system32\s6609\ but it's back again.

    I say that it's possible that those can't be removed, but I'll try.

    Let's try this:

    Download Blacklight on your desktop http://www.f-secure.com/blacklight/try.shtml

    Double-click blbeta.exe, accept agreement, click > Scan, then > Next

    You'll see a log on your desktop named fsbl.xxxxxxx.log (xxxxxxx=numbers).

    Copy and paste contents of that log here.
     
  9. xsky

    xsky Member

    Joined:
    Apr 29, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    16
    OK..

    here it is..

    05/19/06 18:20:41 [Info]: BlackLight Engine 1.0.36 initialized
    05/19/06 18:20:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    05/19/06 18:20:41 [Note]: 7019 4
    05/19/06 18:20:41 [Note]: 7005 0
    05/19/06 18:20:45 [Note]: 7006 0
    05/19/06 18:20:45 [Note]: 7011 448
    05/19/06 18:20:45 [Note]: 7026 0
    05/19/06 18:20:45 [Note]: 7026 0
    05/19/06 18:20:48 [Note]: FSRAW library version 1.7.1015
    05/19/06 18:21:32 [Note]: 7007 0


    thanks..
     
  10. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Ok, next one. I guess that it might be new qoologic, so let's try this.

    Download FindQool by LonnyRJones http://downloads.subratam.org/Lon/FindQool.zip

    - Unzip contents to C:\ root (in other words, create folder c:\FindQool and unzip contents there)
    - Open folder and run Qlocate.bat.
    - Send contents of opening txt.log here
     
  11. xsky

    xsky Member

    Joined:
    Apr 29, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    16
    hye..

    it is really frustrating...when I try to run it, it will automatically shut...same as what happens to the anti-virus app..anyway here is what I get..

    Fri 05/19/2006
    Running from: C:\FindQool\FindQool
    PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

    Known file names

    MD5 Check....


    that's all...I think the prog was terminated before it could finish...

    please....thanks a lot..

     
  12. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Create new folder on C:\, name it blacklight

    Next,

    Download F-Secure Blacklight http://www.f-secure.com/blacklight/try.shtml on your desktop and move blbeta.exe to C:\blacklight-folder.
    Close BlackLight if it's open. Click start -> run and type cmd

    Press Enter. When command prompt opens, type c:\blacklight\blbeta.exe /expert (Note that there's one empty space before c:\blacklight\blbeta.exe and also before /expert) and press Enter.

    Blacklight should open now in Expert mode. Do a scan with it. You'll see a log on your desktop named fsbl.xxxxxxx.log (xxxxxxx=numbers).

    Copy and paste contents of that log here.
     
    Last edited: May 19, 2006
  13. xsky

    xsky Member

    Joined:
    Apr 29, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    16
    hye..

    is there a difference...earlier, when I tried to run cmd, it shut automatically..

    so when I download this blbeta.exe, does it enable me to run cmd?? or will it still remain the same as before??
     
  14. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Try to run it in safe mode and unplug your network cable before running it.
     
  15. xsky

    xsky Member

    Joined:
    Apr 29, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    16
    still can't...

    so what should I do next??

    have you ever heard of a virus named Brontok? I think my laptop was infected by it when I plugged my friend's thumbdrive into it....

    please.....help..

    thanks...
     
  16. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    Ok, next thing to do:

    Follow these instructions and post log here ->
    http://www.bleepingcomputer.com/files/winpfind.php

    BTW, do you have system restore enabled? If so, you could restore the system from a restore point created before you got infected. That'd be the easiest way.

     
  17. xsky

    xsky Member

    Joined:
    Apr 29, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    16
    actually..

    I don't know whether this laptop has system restore or not...

    it's a new laptop, it belongs to my friends, and how can we know whether we have system restore or not??

    I'll try to follow the instructions..:)
     
  18. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
  19. rav009

    rav009 Active member

    Joined:
    Nov 14, 2005
    Messages:
    2,204
    Likes Received:
    0
    Trophy Points:
    66
    If you're running XP you've got system restore.

    Start > All Programs > Accessories > System Tools > System Restore.

    Btw, haven't posted here in a while as I haven't had time. I see -Kemisti- is still managing fine, keep it up -Kemisti-!

     
  20. xsky

    xsky Member

    Joined:
    Apr 29, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    16
    OK, here are the patterns..

    UPX!
    FSG!
    PEC2
    PECompact2
    Umonitor
    qoologic
    aspack
    PTech
    urllogic
    ad-beh
    ad-behNior.com
    sYVLLSAKY
    _rtneg3
    SAHAgent
    buddy.exe
    ZepMon
    aurora.exe
    ;2x(V]@BMD
    Tlji7Mk
    KavSvc
    69.59.186.63
    209.66.67.134
    66.63.167.97
    66.63.167.77
    abetterinternet.com
    8B!7F\(T
    testpopup
    web-nex
    yourkey
    winsync
    rec2_run
    WinShutDown
    ad-w-a-r-e.com


    my OS is Microsoft XP and you've said earlier that we can restore it the easier way???

    but I think we should try this one first and save the system restore for our backup?:)

    thanks...
     