I just notice that i've been infected.
Logfile of HijackThis v1.98.2
Scan saved at 下午 01:02:14, on 2004/8/29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\windows\temp\hkOVTlD6t.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\documents and settings\erica\local settings\temp\TG.exe
C:\WINDOWS\System32\prohts.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\windows\temp\hkOVTlD6t.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\pscr32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Q-CAM\Q-CAM\Launchpad.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hyjackthis\HijackThis.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Erica\Local Settings\Temp\tZ6VWi0.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avmffxc] "C:\WINDOWS\System32\avmffxc.exe"
O4 - HKLM\..\Run: [Microsoft Service] C:\WINDOWS\system32\ntwdm.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Microsoft Update] mssmgrd.exe
O4 - HKLM\..\Run: [hkOVTlD6t] C:\windows\temp\hkOVTlD6t.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [TG] C:\documents and settings\erica\local settings\temp\TG.exe
O4 - HKLM\..\Run: [r33X36W] prohts.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [hkOVTlD6t.exe] C:\windows\temp\hkOVTlD6t.exe
O4 - HKLM\..\Run: [TG.exe] C:\documents and settings\erica\local settings\temp\TG.exe
O4 - HKLM\..\RunServices: [Microsoft Update] mssmgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] mssmgrd.exe
O4 - HKCU\..\Run: [a0s7RWamh] pscr32.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: mhtml - - (no file)
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
but i hv got 2 errors when i scan my computer with it
error #62 Input pas end of file
error#55 File already opened
i dont' know ANYTHING about those adware stuffs :'( but i'm a fast learner :) (i think so lol)
i know i'm so silly but i tried the method given by one of the administrator here
http://forum.gladiator-antivirus.com/index...showtopic=17227
and of course, when i scan my computer with hijack this, i didnt' get all the boxes that's listed there. (i only got one of them) so i just check that one (O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jplatz\Local Settings\Temp\taF.dll) and press fixed check... and somehow the problem SEEMED to be gone. but everytime i turn on my computer i had to do that or else the ad123 thing will come again >___< but this time i turn on my computer, try to scan it (with hijack), the box (O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\jplatz\Local Settings\Temp\taF.dll) is gone! but the ad123 thing is still there.
now what shoudl i do?
thanks a million!1
Full Version: HELP- it's the ads234 thing :'(
Following the instructions for another persons log is like taking a Honda to a Ford dealer repair. True, they are both automobiles, but you'l lb e lucky if it runs correctly.
That said, You are using and old version of HiJackThis.
Please download and install the new version (198.2) from one of the following links:
http://209.133.47.12/~merijn/files/HijackThis.exe
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
Run HiJackThis-198.2 and post the new log in this thread.
That said, You are using and old version of HiJackThis.
Please download and install the new version (198.2) from one of the following links:
http://209.133.47.12/~merijn/files/HijackThis.exe
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
Run HiJackThis-198.2 and post the new log in this thread.
thanks 
i 've edited my post
i 've edited my post
Thanks, but next time just post a new log in the same thread. It helps to see old info.
Please do the following and post a new log in this thread. I am not sure about all those O18 entries but want to wait for the new log before doing anything about them. First step is to take care of the bad stuff.
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Check the following items in HijackThis.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Erica\Local Settings\Temp\tZ6VWi0.dll
O4 - HKLM\..\Run: [avmffxc] "C:\WINDOWS\System32\avmffxc.exe"
O4 - HKLM\..\Run: [Microsoft Service] C:\WINDOWS\system32\ntwdm.exe
O4 - HKLM\..\Run: [Microsoft Update] mssmgrd.exe
O4 - HKLM\..\Run: [hkOVTlD6t] C:\windows\temp\hkOVTlD6t.exe
O4 - HKLM\..\Run: [TG] C:\documents and settings\erica\local settings\temp\TG.exe
O4 - HKLM\..\Run: [r33X36W] prohts.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [hkOVTlD6t.exe] C:\windows\temp\hkOVTlD6t.exe
O4 - HKLM\..\Run: [TG.exe] C:\documents and settings\erica\local settings\temp\TG.exe
O4 - HKLM\..\RunServices: [Microsoft Update] mssmgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] mssmgrd.exe
O4 - HKCU\..\Run: [a0s7RWamh] pscr32.exe
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\System32\avmffxc.exe
C:\WINDOWS\system32\ntwdm.exe
C:\WINDOWS\System32\mssmgrd.exe
C:\windows\temp\hkOVTlD6t.exe
C:\documents and settings\erica\local settings\temp\TG.exe
C:\WINDOWS\System32\prohts.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\windows\temp\hkOVTlD6t.exe
C:\documents and settings\erica\local settings\temp\TG.exe
C:\WINDOWS\System32\pscr32.exe
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode.
HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/
Run HiJackThis again and post a new log in this thread.
Please do the following and post a new log in this thread. I am not sure about all those O18 entries but want to wait for the new log before doing anything about them. First step is to take care of the bad stuff.
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Check the following items in HijackThis.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Erica\Local Settings\Temp\tZ6VWi0.dll
O4 - HKLM\..\Run: [avmffxc] "C:\WINDOWS\System32\avmffxc.exe"
O4 - HKLM\..\Run: [Microsoft Service] C:\WINDOWS\system32\ntwdm.exe
O4 - HKLM\..\Run: [Microsoft Update] mssmgrd.exe
O4 - HKLM\..\Run: [hkOVTlD6t] C:\windows\temp\hkOVTlD6t.exe
O4 - HKLM\..\Run: [TG] C:\documents and settings\erica\local settings\temp\TG.exe
O4 - HKLM\..\Run: [r33X36W] prohts.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [hkOVTlD6t.exe] C:\windows\temp\hkOVTlD6t.exe
O4 - HKLM\..\Run: [TG.exe] C:\documents and settings\erica\local settings\temp\TG.exe
O4 - HKLM\..\RunServices: [Microsoft Update] mssmgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] mssmgrd.exe
O4 - HKCU\..\Run: [a0s7RWamh] pscr32.exe
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\System32\avmffxc.exe
C:\WINDOWS\system32\ntwdm.exe
C:\WINDOWS\System32\mssmgrd.exe
C:\windows\temp\hkOVTlD6t.exe
C:\documents and settings\erica\local settings\temp\TG.exe
C:\WINDOWS\System32\prohts.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\windows\temp\hkOVTlD6t.exe
C:\documents and settings\erica\local settings\temp\TG.exe
C:\WINDOWS\System32\pscr32.exe
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode.
HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/
Run HiJackThis again and post a new log in this thread.
i couldn't find these
C:\WINDOWS\System32\avmffxc.exe
C:\WINDOWS\system32\ntwdm.exe
C:\WINDOWS\System32\mssmgrd.exe
i've already checked the options to show hidden folders, anyway, i do the rest, and here's the new log
btw, do i empty my recycle bin?
Logfile of HijackThis v1.98.2
Scan saved at 下午 04:23:58, on 2004/8/29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Q-CAM\Q-CAM\Launchpad.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hyjackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol hijack: mhtml -
C:\WINDOWS\System32\avmffxc.exe
C:\WINDOWS\system32\ntwdm.exe
C:\WINDOWS\System32\mssmgrd.exe
i've already checked the options to show hidden folders, anyway, i do the rest, and here's the new log
btw, do i empty my recycle bin?
Logfile of HijackThis v1.98.2
Scan saved at 下午 04:23:58, on 2004/8/29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Q-CAM\Q-CAM\Launchpad.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hyjackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol hijack: mhtml -
OK, that looks good so far and the long list of O18 entries in the first log was from the error you received running the program. I am looking into the Protocol Hijack and want some more information from you;
Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.
Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.
CODE
regedit /e protocols.txt "HKEY_CLASSES_ROOT\PROTOCOLS\Filter"
Start notepad.exe protocols.txt
exit
Start notepad.exe protocols.txt
exit
Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
thanks again!
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
thanks again!
THanks for the info. Nothing showing there (that's good) so we look at a few more:
First:
Please copy the text in the box below to Notepad and save it to your desktop as reginfo1.bat.
Double-click on the reginfo1.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Then:
Please copy the text in the box below to Notepad and save it to your desktop as reginfo2.bat.
Double-click on the reginfo2.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
First:
Please copy the text in the box below to Notepad and save it to your desktop as reginfo1.bat.
CODE
regedit /e handlers.txt "HKEY_CLASSES_ROOT\PROTOCOLS\Handler"
Start notepad.exe handlers.txt
exit
Start notepad.exe handlers.txt
exit
Double-click on the reginfo1.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Then:
Please copy the text in the box below to Notepad and save it to your desktop as reginfo2.bat.
CODE
regedit /e about.txt "HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
Start notepad.exe about.txt
exit
Start notepad.exe about.txt
exit
Double-click on the reginfo2.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
reginfo1.bat
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler]
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdl]
@="CDL: Asychronous Pluggable Protocol Handler"
"CLSID"="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdo]
@="cdo: Asychronous KnowledgePluggable Protocol Handler"
"CLSID"="{CD00020A-8B95-11D1-82DB-00C04FB1625D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\dvd]
@="DVD: 可插式通訊協定"
"CLSID"="{12D51199-0DB5-46FE-A120-47A3D7D937CC}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\gopher]
@="gopher: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http\oledb]
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
@="Microsoft OLE DB Provider for Internet Publishing"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https]
@="https: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https\oledb]
@="Microsoft OLE DB Provider for Internet Publishing"
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ipp]
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ipp\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\javascript]
"CLSID"="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\lid]
@="MS TV ATVEF compliant lid: Protocol Handler"
"CLSID"="{5C135180-9973-46D9-ABF4-148267CBB8BF}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\local]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mailto]
"CLSID"="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
@=" "
"CLSID"=" "
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its]
@="ms-its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\msdaipp]
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\msdaipp\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\msdaipp\oledb]
@="Microsoft OLE DB Provider for Internet Publishing"
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mso-offdap]
@="Data Page Pluggable Protocol"
"CLSID"="{3D9F03FA-7A94-11D3-BE81-0050048385D1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\res]
"CLSID"="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\sysimage]
"CLSID"="{76E67A63-06E9-11D2-A840-006008059382}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tv]
@="電視: 可插入的通訊協定"
"CLSID"="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\vbscript]
"CLSID"="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\vnd.ms.radio]
@="vnd.ms.radio: Asynchronous Pluggable Protocol Handler"
"CLSID"="{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"
reginfo2.bat
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML About Pluggable Protocol"
[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
68,00,74,00,6d,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler]
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdl]
@="CDL: Asychronous Pluggable Protocol Handler"
"CLSID"="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cdo]
@="cdo: Asychronous KnowledgePluggable Protocol Handler"
"CLSID"="{CD00020A-8B95-11D1-82DB-00C04FB1625D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\dvd]
@="DVD: 可插式通訊協定"
"CLSID"="{12D51199-0DB5-46FE-A120-47A3D7D937CC}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\gopher]
@="gopher: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http\oledb]
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
@="Microsoft OLE DB Provider for Internet Publishing"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https]
@="https: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https\oledb]
@="Microsoft OLE DB Provider for Internet Publishing"
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ipp]
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ipp\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\javascript]
"CLSID"="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\lid]
@="MS TV ATVEF compliant lid: Protocol Handler"
"CLSID"="{5C135180-9973-46D9-ABF4-148267CBB8BF}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\local]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mailto]
"CLSID"="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
@=" "
"CLSID"=" "
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its]
@="ms-its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\msdaipp]
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\msdaipp\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\msdaipp\oledb]
@="Microsoft OLE DB Provider for Internet Publishing"
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mso-offdap]
@="Data Page Pluggable Protocol"
"CLSID"="{3D9F03FA-7A94-11D3-BE81-0050048385D1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\res]
"CLSID"="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\sysimage]
"CLSID"="{76E67A63-06E9-11D2-A840-006008059382}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tv]
@="電視: 可插入的通訊協定"
"CLSID"="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\vbscript]
"CLSID"="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\vnd.ms.radio]
@="vnd.ms.radio: Asynchronous Pluggable Protocol Handler"
"CLSID"="{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"
reginfo2.bat
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML About Pluggable Protocol"
[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
68,00,74,00,6d,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
Thanks again. Everything is ok and I believe we have found an issue with HiJackThis.
Would you please test this for me.
Double Click on 'My Computer'
In the window that opens, select Help -> About Windows'
Do you get the usual dialog?
Then, search for mshtml.dll in c:\windows\system32\ and report the result.
Finally, post a new HiJackThis log in this thread for final review.
Would you please test this for me.
Double Click on 'My Computer'
In the window that opens, select Help -> About Windows'
Do you get the usual dialog?
Then, search for mshtml.dll in c:\windows\system32\ and report the result.
Finally, post a new HiJackThis log in this thread for final review.
yeep, when i click "About Windows", it's the usualy boring stuffs 
the mshtml.dll exists :)
new log
Logfile of HijackThis v1.98.2
Scan saved at 下午 04:36:54, on 2004/8/31
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Q-CAM\Q-CAM\Launchpad.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hyjackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol hijack: mhtml -
actually.. i was wondeing how come i got the ads234 thing.. i didn't dl anything lately..
the mshtml.dll exists :)
new log
Logfile of HijackThis v1.98.2
Scan saved at 下午 04:36:54, on 2004/8/31
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Q-CAM\Q-CAM\Launchpad.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hyjackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol hijack: mhtml -
actually.. i was wondeing how come i got the ads234 thing.. i didn't dl anything lately..
OK, your log is still clean. You can get spyawre just by visiting the wrong websites with Java or Javascript enabled. ActiveX is also used by some exploits. it is not necessary for you to download anything first.
First:
You are running an outdated and therefore unsafe version of Windows and/or Internet Explorer.
You NEED to upgrade Windows and/or Internet Explorer. Note the SP2 is now available.
http://v5.windowsupdate.microsoft.com/en/default.asp
(Make sure you get the correct language version for your operating system! ).
Go to the Windows Update site, and download and install ALL Critical Updates on offer.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.
This step is necessary if you are to secure your system and avoid constant re-infection.
Second:
Your log is clean. The only thing you need to do is upgrade your Windows and Internet Explorer to SP2.
At last, your system is clean and free of spyware! Want to keep it that way?
Here are some simple steps you can take to reduce the chance of infection in the future.
1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp
2. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.
3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/]http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick
For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857
Good luck, and thanks for coming to our forums for help with your security and malware issues.
First:
You are running an outdated and therefore unsafe version of Windows and/or Internet Explorer.
You NEED to upgrade Windows and/or Internet Explorer. Note the SP2 is now available.
http://v5.windowsupdate.microsoft.com/en/default.asp
(Make sure you get the correct language version for your operating system! ).
Go to the Windows Update site, and download and install ALL Critical Updates on offer.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.
This step is necessary if you are to secure your system and avoid constant re-infection.
Second:
Your log is clean. The only thing you need to do is upgrade your Windows and Internet Explorer to SP2.
At last, your system is clean and free of spyware! Want to keep it that way?
Here are some simple steps you can take to reduce the chance of infection in the future.
1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp
2. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.
3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/]http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick
For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857
Good luck, and thanks for coming to our forums for help with your security and malware issues.
I am trying to find out why you are getting the O18 item showing when it appears that your system is ok.
Would you please Zip and email your current copy of HijackThis to me:
send to: submitATlophatphuud.com (replace AT with @)
Then delete HiJackThis from your computer, download a new copy, install it and run it. Then post the new log in this thread. It may just have been a cirrupted copy and this should check it.
Please download and install the new version (198.2) from one of the following links:
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/
Would you please Zip and email your current copy of HijackThis to me:
send to: submitATlophatphuud.com (replace AT with @)
Then delete HiJackThis from your computer, download a new copy, install it and run it. Then post the new log in this thread. It may just have been a cirrupted copy and this should check it.
Please download and install the new version (198.2) from one of the following links:
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.