Home > IT Support and Tech Corner

How to delete a trojan?

SBS9888Y
12 Jan 08, 23:03

this C:\WINDOWS\system32\efcawvs.dll virus even booted to safe mode and deleted..it keeps saying the fiel is currently being used by another person or program..can find a way to remove it? its slowin the PC down badly
wishboy
13 Jan 08, 00:07

do have something called 'SpywareQuake' on ur com?
C:\Program Files\SpywareQuake.com\Spyware-Quake.exe ?

if got,
Uninstall "SpywareQuake" if it's listed in Add/remove Programs list, and make sure its folder is also gone.
Delete the file after this.
this might or might not solve the prob

from a search in goole:
some scanner seems to be able to remove the file
use at ur own risk
http://spywaredlls.prevx.com/RRJAHF35434010/EFCAWVS.DLL.html
eagle
13 Jan 08, 01:12

Or you could use HiJackThis and paste the log file here to wait for our resident ant for help
ndmmxiaomayi
13 Jan 08, 01:23

Pretty sure it's Vundo, but until see signs of it, I won't be sure.

Read the sticky and post back the required log.
SBS9888Y
14 Jan 08, 14:44

Originally posted by eagle:
Or you could use HiJackThis and paste the log file here to wait for our resident ant for help
where to dl it?
SBS9888Y
14 Jan 08, 14:48

nm..its done

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\1 Click PC Fix\1clickpcfix.exe
C:\Program Files\1 Click PC Fix\1clickpcfix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [x1x5161x6] cserv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Benjamin Chua\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Service Manager - Unknown owner - C:\WINDOWS\service.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\profsydyr.html
O24 - Desktop Component 1: (no name) - http://businfohub.com/images/stories/images/Volvo/B10BLE/sbs2989k_rear.jpg
O24 - Desktop Component 2: (no name) - http://businfohub.com/images/stories/images/Volvo/MK4/sbs0917g_317.jpg

--
End of file - 6892 bytes
ndmmxiaomayi
14 Jan 08, 14:51

Post the full log... don't strip anything from the log.

Remove only your username if you want your privacy.
Herzog_Zwei
14 Jan 08, 15:00

Originally posted by eagle:
Or you could use HiJackThis and paste the log file here to wait for our resident ant for help
You mean the one crawling on your laptop screen?
SBS9888Y
14 Jan 08, 19:41

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:59, on 14/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\qjfmyjmc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [x1x5161x6] cserv.exe
O4 - HKLM\..\Run: [942ef655] rundll32.exe "C:\WINDOWS\system32\rblfohiv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Benjamin Chua\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\qjfmyjmc.exe
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Service Manager - Unknown owner - C:\WINDOWS\service.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\profsydyr.html
O24 - Desktop Component 1: (no name) - http://businfohub.com/images/stories/images/Volvo/B10BLE/sbs2989k_rear.jpg
O24 - Desktop Component 2: (no name) - http://businfohub.com/images/stories/images/Volvo/MK4/sbs0917g_317.jpg

--
End of file - 6964 bytes
SBS9888Y
14 Jan 08, 20:07

halfway when im using..the virus keeps opening more Internet Explorer windows with Blank Page...getting very annoying den com lags..open Task Manager, press End Task for all of it..den it stops..but after 15mins or so..it happens again...
ndmmxiaomayi
14 Jan 08, 20:45

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Please post back the Combofix log and a new HijackThis log.

Combofix log can be in C:\Combofix.txt
SBS9888Y
15 Jan 08, 15:02
ComboFix Log:

ComboFix 08-01-15.4 - 2008-01-15 14:39:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.578 [GMT 8:00]
Running from: C:\Documents and Settings\Benjamin Chua\Desktop\My Gadgets\Setups\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Benjamin Chua\Application Data\DriveCleaner Freeware
C:\Documents and Settings\Benjamin Chua\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Benjamin Chua\Application Data\FunWebProducts
C:\Documents and Settings\Benjamin Chua\Application Data\FunWebProducts\Data\Benjamin Chua\avatar.dat
C:\Documents and Settings\Benjamin Chua\Application Data\FunWebProducts\Data\Benjamin Chua\zbucks.dat
C:\Documents and Settings\Benjamin Chua\Application Data\macromedia\Flash Player\#SharedObjects\QGL7RUAX\www.broadcaster.com
C:\Documents and Settings\Benjamin Chua\Application Data\macromedia\Flash Player\#SharedObjects\QGL7RUAX\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Benjamin Chua\Application Data\macromedia\Flash Player\#SharedObjects\QGL7RUAX\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Benjamin Chua\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Benjamin Chua\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Ares\Ares .exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\ComPlus Applications\lavupax.dll
C:\Program Files\ComPlus Applications\lavupax395.dll
C:\Program Files\ComPlus Applications\lavupax963.dll
C:\Program Files\ComPlus Applications\profsydyr.html
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\001073EA.urr
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\b.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\aifvguib.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bqlfqbvp.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddccc.exe
C:\WINDOWS\system32\djtkrgpu.dll
C:\WINDOWS\system32\djtkrgpu.dllbox
C:\WINDOWS\system32\efcawvs.dll
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
C:\WINDOWS\system32\ipgsbddv .exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.exe
C:\WINDOWS\system32\ppiqkqjq.ini
C:\WINDOWS\system32\qjfmyjmc.exe
C:\WINDOWS\system32\qjqkqipp.dll
C:\WINDOWS\system32\qnapinfr.dll
C:\WINDOWS\system32\rblfohiv.dll
C:\WINDOWS\system32\sys_dll.dll
C:\WINDOWS\system32\taskkill.exe
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\uusobvhf.dll
C:\WINDOWS\system32\vihoflbr.ini
C:\WINDOWS\system32\vqgmsocx.dll
C:\WINDOWS\system32\vqgmsocx.dllbox
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\Fonts\'
code:
```
 
C:\Program Files\Ares\Ares .exe ---> Ares.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> MsnMsgr.Exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\ipgsbddv .exe ---> QooBox
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE ---> QooBox
 
```
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
-------\nm

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 14:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 14:40 . 2008-01-14 14:49 d-------- C:\Program Files\1 Click PC Fix
2008-01-14 14:40 . 2008-01-14 14:40 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-14 14:40 . 2001-08-17 00:00 494,352 --a------ C:\WINDOWS\system32\SHDOC401.DLL
2008-01-14 14:40 . 2000-05-22 15:58 83,144 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-01-14 14:40 . 2007-12-19 16:12 53,248 --a------ C:\WINDOWS\system32\ArmAccess.dll
2008-01-13 19:09 . 2008-01-13 19:09 337,920 --a------ C:\WINDOWS\system32\RCX280.tmp
2008-01-13 17:56 . 2008-01-14 20:41 413,184 --a------ C:\WINDOWS\system32\ipgsbddv.exe
2008-01-12 22:38 . 2008-01-12 22:38 d-------- C:\Program Files\Trojan Guarder Gold Version
2008-01-12 16:54 . 2008-01-12 18:31 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-01-12 15:49 . 2008-01-12 15:49 d-------- C:\Documents and Settings\Benjamin Chua\Incomplete
2008-01-12 15:43 . 2008-01-12 16:05 329,029 --a------ C:\WINDOWS\system32\viwc .exe
2008-01-12 14:43 . 2008-01-12 14:43 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-12 14:40 . 2008-01-12 14:40 4,128 --a------ C:\INFCACHE.1
2008-01-12 14:31 . 2008-01-12 18:26 d--hs---- C:\WINDOWS\QmVuamFtaW4gQ2h1YQ
2008-01-12 14:30 . 2008-01-12 14:30 d-------- C:\WINDOWS\system32\vu3
2008-01-12 14:30 . 2008-01-12 14:30 d-------- C:\WINDOWS\system32\jd7
2008-01-12 14:30 . 2008-01-12 14:30 d-------- C:\WINDOWS\system32\io4
2008-01-12 14:30 . 2008-01-12 14:30 d-------- C:\WINDOWS\system32\edcA18
2008-01-12 14:30 . 2008-01-12 16:09 d-------- C:\Temp
2008-01-08 13:24 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-08 13:23 . 2008-01-08 13:23 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-08 13:23 . 2008-01-08 13:23 20 --a------ C:\WINDOWS\Â˜Â˜
2008-01-08 13:22 . 2008-01-08 13:22 d-------- C:\Program Files\Windows Live Favorites
2008-01-05 08:14 . 2008-01-13 19:09 d-------- C:\Documents and Settings\abigail\Application Data\LimeWire
2007-12-31 10:08 . 2007-12-31 18:01 d-------- C:\Program Files\Thoosje Sidebar V2.3
2007-12-31 07:32 . 2007-12-31 07:32 d-------- C:\Program Files\VisualTooltip
2007-12-31 07:32 . 2008-01-12 16:06 d-------- C:\Program Files\ViStart
2007-12-31 07:32 . 2008-01-12 16:04 d-------- C:\Program Files\Vista Sidebar
2007-12-31 07:32 . 2008-01-12 16:04 d-------- C:\Program Files\ViOrb
2007-12-31 07:32 . 2008-01-12 16:04 d-------- C:\Program Files\LClock
2007-12-31 07:32 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2007-12-31 07:32 . 2004-09-20 01:27 172,032 --a------ C:\WINDOWS\system32\LClock.cpl
2007-12-31 07:32 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2007-12-31 07:28 . 2007-12-31 07:28 76,214 --a------ C:\WINDOWS\Icon_2.ico
2007-12-27 19:17 . 2007-12-27 19:17 d-------- C:\Documents and Settings\abigail\Application Data\ViStart
2007-12-27 19:16 . 2007-12-27 19:16 d-------- C:\Documents and Settings\abigail\Application Data\Styler
2007-12-27 14:31 . 2007-12-27 14:32 d-------- C:\Documents and Settings\Benjamin Chua\Application Data\ViStart
2007-12-27 14:28 . 2008-01-12 16:06 d-------- C:\WINDOWS\system32\VIRepair
2007-12-27 14:28 . 2007-12-31 07:32 d-------- C:\Program Files\WinFlip
2007-12-27 14:28 . 2007-12-31 07:32 d-------- C:\Program Files\TrueTransparency
2007-12-27 14:28 . 2007-12-31 07:32 d-------- C:\Program Files\Styler
2007-12-27 14:28 . 2007-12-27 14:28 d-------- C:\Documents and Settings\Benjamin Chua\Application Data\Styler
2007-12-27 14:24 . 2007-12-31 07:32 d-------- C:\WINDOWS\system32\VITrans
2007-12-27 14:24 . 2007-12-31 10:02 d-------- C:\VTPFiles
2007-12-27 14:24 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-12-27 14:24 . 2007-12-27 14:24 78,942 --a------ C:\WINDOWS\Icon_1.ico
2007-12-27 14:24 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-12-27 14:24 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-12-27 12:08 . 2007-12-27 12:52 d-------- C:\Documents and Settings\abigail\Application Data\Creative
2007-12-26 12:27 . 2007-12-26 12:27 0 --a------ C:\WINDOWS\MOTO.INI
2007-12-26 12:24 . 2008-01-03 09:44 d-------- C:\MOTO
2007-12-25 15:28 . 2007-12-26 13:32 d-------- C:\Documents and Settings\abigail\Contacts
2007-12-25 08:20 . 2007-12-25 08:20 d-------- C:\Documents and Settings\abigail\Application Data\Yahoo!
2007-12-25 08:20 . 2007-12-25 08:20 d-------- C:\Documents and Settings\abigail\Application Data\ATI
2007-12-25 08:19 . 2006-10-16 17:48 d-------- C:\Documents and Settings\abigail\Application Data\Gtek
2007-12-24 14:38 . 2008-01-12 23:45 d-------- C:\Program Files\LimeWire
2007-12-24 13:32 . 2008-01-15 14:56 d-------- C:\Program Files\Ares
2007-12-17 23:34 . 2008-01-12 18:27 d-------- C:\BackUpMSNCleaner
2007-12-17 12:25 . 2006-10-16 17:48 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-12-17 07:34 . 2007-12-17 07:34 d-------- C:\Program Files\Comodo
2007-12-17 07:34 . 2007-12-17 07:34 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-12-17 07:34 . 2008-01-12 22:36 434,252 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-17 07:34 . 2008-01-12 22:36 216,576 --a------ C:\WINDOWS\system32\monln.dll
2007-12-15 11:20 . 2007-12-15 11:20 d-------- C:\WINDOWS\system32\bits
2007-12-15 11:19 . 2007-03-29 20:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2007-12-15 11:19 . 2007-03-29 20:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2007-12-15 11:19 . 2007-03-29 20:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-12-15 11:19 . 2007-03-29 20:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2007-12-15 11:19 . 2007-03-29 20:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-12-15 11:19 . 2007-03-29 20:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 06:56 --------- d-----w C:\Program Files\MSN Messenger
2008-01-12 15:53 --------- d-----w C:\Program Files\Incomplete
2008-01-12 15:45 --------- d-----w C:\Documents and Settings\Benjamin Chua\Application Data\LimeWire
2008-01-09 09:24 --------- d-----w C:\Program Files\Windows Live
2008-01-08 05:22 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-08 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-27 09:30 --------- d-----w C:\Program Files\Yahoo!
2007-12-27 06:53 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-27 06:50 --------- d-----w C:\Program Files\KA
2007-12-26 05:31 --------- d-----w C:\Program Files\Google
2007-12-17 08:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-17 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-15 23:22 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-10-23 09:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-05-18 05:06 384 ----a-w C:\Documents and Settings\Benjamin Chua\Application Data\internaldb6334.dat
2007-05-18 05:06 194 ----a-w C:\Documents and Settings\Benjamin Chua\Application Data\internaldb8467.dat
2007-05-18 05:06 18,432 ----a-w C:\Documents and Settings\Benjamin Chua\Application Data\internaldb41.dat
2006-07-07 06:23 567,711 ----a-w C:\Program Files\vbalink172l.zip
2007-08-11 04:46 615,878 --sha-w C:\WINDOWS\system32\ihhkj.bak1
2007-08-25 06:25 634,447 --sha-w C:\WINDOWS\system32\lmllm.bak1
.
code:
```
----a-w            45,056 2008-01-12 08:05:15  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w            81,920 2008-01-12 08:05:11  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           221,184 2008-01-12 07:42:28  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w           102,400 2008-01-12 08:05:29  C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
----a-w            98,304 2008-01-12 08:05:08  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w            36,975 2008-01-12 08:05:05  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w            65,536 2008-01-12 08:05:31  C:\Program Files\LClock\LClock .exe
----a-w         1,121,792 2008-01-12 08:05:17  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w           163,840 2008-01-12 08:05:42  C:\Program Files\ViOrb\ViOrb .exe
----a-w           524,288 2008-01-12 08:05:32  C:\Program Files\Vista Sidebar\sidebar .exe
----a-w           593,920 2008-01-12 08:05:34  C:\Program Files\ViStart\ViStart .exe
----a-w         5,724,184 2008-01-12 08:05:28  C:\Program Files\Windows Live\Messenger\MsnMsgr  .Exe
----a-w           278,549 2008-01-12 08:05:19  C:\WINDOWS\Fonts\svchost .exe
----a-w           329,029 2008-01-12 08:05:44  C:\WINDOWS\system32\viwc .exe
----a-w           122,940 2008-01-12 08:05:08  C:\WINDOWS\system32\DLA\DLACTRLW .EXE
```
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E432C2C0-D8F3-41BD-B94A-869F7C90F28E}]
C:\WINDOWS\system32\jkhhi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-15 14:31 5674352]
"ares"="C:\Program Files\Ares\Ares .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"x1x5161x6"="cserv.exe" []

C:\Documents and Settings\abigail\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-11 02:08:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Trojan Guarder Gold Version.lnk - C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe [2007-12-21 21:17:14]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvvur]
byxvvur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhi]
C:\WINDOWS\system32\jkhhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhhgh]
jkkhhgh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllml]
C:\WINDOWS\system32\mllml.dll

S2 EraserSvc10732;Symantec Eraser Service;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" []
S2 Service Manager;Service Manager;"C:\WINDOWS\service.exe" []
S3 pfsvgae;pfsvgae;C:\DOCUME~1\BENJAM~1\LOCALS~1\Temp\pfsvgae.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:53:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 14:58:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 15:00:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 07:00:37
.
2008-01-09 06:26:16 --- E O F ---
SBS9888Y
15 Jan 08, 15:04

thanks its back to normal

heres the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:37, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E432C2C0-D8F3-41BD-B94A-869F7C90F28E} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [x1x5161x6] cserv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Benjamin Chua\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: byxvvur - byxvvur.dll (file missing)
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)
O20 - Winlogon Notify: jkkhhgh - jkkhhgh.dll (file missing)
O20 - Winlogon Notify: mllml - C:\WINDOWS\system32\mllml.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Service Manager - Unknown owner - C:\WINDOWS\service.exe (file missing)
O24 - Desktop Component 1: (no name) - http://businfohub.com/images/stories/images/Volvo/MK4/sbs0917g_317.jpg

--
End of file - 7018 bytes

thank you so much
ndmmxiaomayi
15 Jan 08, 15:11
Please go to Virus Total or Jotti and upload C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe for scanning.

For Virus Total
For Jotti
Repeat for this file: C:\WINDOWS\system32\viwc .exe

Post back the scan results of these 2 files.
ceecookie
11 Feb 08, 20:10

Ah..Ben right?
ndmmxiaomayi
12 Feb 08, 19:45

????