Discussion in 'Windows - Virus and spyware problems' started by shin10, Jun 12, 2007.

    Jun 12, 2007
    Somebody.. please help me to remove the Adservice trojan.. I already tried to fix it with some anti-spyware program.. but it still comes and doesn't work at all...

    Here is the logfile from HijackThis..

    Logfile of HijackThis v1.99.1
    Scan saved at 6:37:11 PM, on 6/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Ringz Studio\Storm Codec\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Bit Lord 1.1\BitLord.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [j1201235] rundll32 C:\WINDOWS\system32\j1201235.dll sook
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\lpxxiurc.dll",realset
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Body User] C:\DOCUME~1\Budiarto\APPLIC~1\PUREAT~1\mapi cast 32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Search -
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Budiarto\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone:
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    Jun 12, 2007
    Here is the log from the Spyware Doctor scan.. it is already up to date..

    Hope somebody can help me...

    Tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts file scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner

    Infection Name Location Risk
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR## High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##BSTV High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##MSLIST High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##BPTV High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##LSTV High
    Adservice Scanner HKLM\SOFTWARE\Microsoft\MSSMGR##PSTV High
    Feb 8, 2007
    Hi, with these instructions we can clean your computer! Do not fix anything by yourself!!

    Step 1: You aren't running Firewall Software. Please download and install one of them first!

    Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound/outbound not sure). Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
    I use ZoneAlarm Free Edition (which is free for personal use) but you might just prefer something different!

    As you did this, we can begin with the fix.

    Step 2: Download and Run: VundoFix
    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Step 3: Download and Run NoLop
    Please Download NoLop to your desktop from one of the links below...
    Link 1
    Link 2
    Link 3

    * First close any other programs you have running as this will require a reboot
    * Double click NoLop.exe to run it.
    * Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    * When scanning is finished you will be prompted to reboot only if infected, Click OK
    * Now click the "REBOOT" Button.
    * A Message should popup from NoLop. If not, double click the program again and it will finish.
    * Please post the contents of C:\NoLop.log later.

    Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.

    Step 4: Post these logfiles to your next reply.

    1. C:\vundofix.txt

    2. fresh HijackThis log

    3. C:\NoLop.log
    Jun 12, 2007
    Thanks for the reply. Here is the result of VundoFix..
    During the reboot I encountered some problems; finally my whole screen became blue, and it wrote dump physical memory.. what does that mean?

    VundoFix V6.5.0

    Checking Java version...

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is

    Scan started at 2:24:29 AM 6/13/2007

    Listing files found while scanning....


    Beginning removal...

    Attempting to delete C:\windows\system32\destxdxe.exe
    C:\windows\system32\destxdxe.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\esagysxb.dll
    C:\WINDOWS\system32\esagysxb.dll Has been deleted!

    Attempting to delete C:\windows\system32\etxioxhe.exe
    C:\windows\system32\etxioxhe.exe Has been deleted!

    Attempting to delete C:\windows\system32\fgjlm.bak1
    C:\windows\system32\fgjlm.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\fgjlm.bak2
    C:\windows\system32\fgjlm.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\fgjlm.ini
    C:\windows\system32\fgjlm.ini Has been deleted!

    Attempting to delete C:\windows\system32\fgjlm.ini2
    C:\windows\system32\fgjlm.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\hakjddcj.ini
    C:\windows\system32\hakjddcj.ini Has been deleted!

    Attempting to delete C:\windows\system32\ikqnkoej.dll
    C:\windows\system32\ikqnkoej.dll Has been deleted!

    Attempting to delete C:\windows\system32\j1201235.dll
    C:\windows\system32\j1201235.dll Could not be deleted.

    Attempting to delete C:\windows\system32\jcddjkah.dll
    C:\windows\system32\jcddjkah.dll Has been deleted!

    Attempting to delete C:\windows\system32\jeoknqki.ini
    C:\windows\system32\jeoknqki.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\mljgf.dll Has been deleted!

    Attempting to delete C:\windows\system32\ngwqiqqf.dll
    C:\windows\system32\ngwqiqqf.dll Has been deleted!

    Attempting to delete C:\windows\system32\nsklntnt.ini
    C:\windows\system32\nsklntnt.ini Has been deleted!

    Attempting to delete C:\windows\system32\nvwpfkwl.exe
    C:\windows\system32\nvwpfkwl.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qdvlhjko.dll
    C:\WINDOWS\system32\qdvlhjko.dll Has been deleted!

    Attempting to delete C:\windows\system32\qrutv.ini
    C:\windows\system32\qrutv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqrrsqq.dll
    C:\WINDOWS\system32\rqrrsqq.dll Could not be deleted.

    Attempting to delete C:\windows\system32\rxmxopgw.exe
    C:\windows\system32\rxmxopgw.exe Has been deleted!

    Attempting to delete C:\windows\system32\tcwgjbti.exe
    C:\windows\system32\tcwgjbti.exe Has been deleted!

    Attempting to delete C:\windows\system32\tntnlksn.dll
    C:\windows\system32\tntnlksn.dll Has been deleted!

    Attempting to delete C:\windows\system32\tongujho.exe
    C:\windows\system32\tongujho.exe Has been deleted!

    Attempting to delete C:\windows\system32\vturq.dll
    C:\windows\system32\vturq.dll Has been deleted!

    Performing Repairs to the registry.

    Beginning removal...

    VundoFix V6.5.0

    Checking Java version...

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is

    Scan started at 2:39:16 AM 6/13/2007

    Listing files found while scanning....


    Beginning removal...

    Attempting to delete C:\windows\system32\j1201235.dll
    C:\windows\system32\j1201235.dll Could not be deleted.

    Attempting to delete C:\windows\system32\rqrrsqq.dll
    C:\windows\system32\rqrrsqq.dll Has been deleted!

    Performing Repairs to the registry.

    Beginning removal...

    Attempting to delete C:\windows\system32\j1201235.dll
    C:\windows\system32\j1201235.dll Has been deleted!

    Performing Repairs to the registry.

    Here is the HijackThis result

    Logfile of HijackThis v1.99.1
    Scan saved at 3:00:16 AM, on 6/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Ringz Studio\Storm Codec\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (file missing)
    O2 - BHO: (no name) - {31D1519F-4D2D-48A2-8D54-18D94D072E6C} - C:\WINDOWS\system32\mljgf.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {7FD8AFB7-440C-8EC7-AD7D-F20EBACE0ACD} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ngwqiqqf.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [j1201235] rundll32 C:\WINDOWS\system32\j1201235.dll sook
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ygbiqrnu.dll",realset
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Body User] C:\DOCUME~1\Budiarto\APPLIC~1\PUREAT~1\mapi cast 32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Search -
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Budiarto\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone:
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    So, how is the result... is it okay now.. Anyway, thanks for helping me.. ^^
    Need your reply as soon as possible.. ^^
    Feb 8, 2007
    C:\Nolop.log ??
    Jun 12, 2007
    It said it didn't find any errors.. (in nolog)

    And here the log.

    NoLop! Log by Skate_Punk_21

    Fix running from: C:\Documents and Settings\Budiarto\Desktop
    [3:07:29 AM]

    ---Infection Files Found/Removed---
    NO INFECTION FILES FOUND - Cleaning Aborted.

    ---Listing AppData sub directories---

    C:\Documents and Settings\Administrator\Application Data\Identities
    C:\Documents and Settings\Administrator\Application Data\Intertrust
    C:\Documents and Settings\Administrator\Application Data\Microsoft
    C:\Documents and Settings\Administrator\Application Data\Sun
    C:\Documents and Settings\Administrator\Application Data\Symantec -- EMPTY Directory
    C:\Documents and Settings\Administrator\Application Data\Toshiba
    C:\Documents and Settings\All Users\Application Data\Adobe
    C:\Documents and Settings\All Users\Application Data\Adobe Systems
    C:\Documents and Settings\All Users\Application Data\Apple Computer
    C:\Documents and Settings\All Users\Application Data\Avg7 -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Corel
    C:\Documents and Settings\All Users\Application Data\Ea
    C:\Documents and Settings\All Users\Application Data\Installshield
    C:\Documents and Settings\All Users\Application Data\Iwin
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    C:\Documents and Settings\All Users\Application Data\Legacy Interactive
    C:\Documents and Settings\All Users\Application Data\Mcafee
    C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    C:\Documents and Settings\All Users\Application Data\Microsoft
    C:\Documents and Settings\All Users\Application Data\Microsoft Help
    C:\Documents and Settings\All Users\Application Data\Mumbojumbo
    C:\Documents and Settings\All Users\Application Data\Part Bolt 16 Loud
    C:\Documents and Settings\All Users\Application Data\Playfirst
    C:\Documents and Settings\All Users\Application Data\Sandlot Games
    C:\Documents and Settings\All Users\Application Data\Sbsi
    C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    C:\Documents and Settings\All Users\Application Data\Starware349
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Documents and Settings\All Users\Application Data\Teleca
    C:\Documents and Settings\All Users\Application Data\Trymedia
    C:\Documents and Settings\All Users\Application Data\Udl
    C:\Documents and Settings\All Users\Application Data\Whitecap (holiday Edition) -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    C:\Documents and Settings\All Users\Application Data\Yahoo!
    C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    C:\Documents and Settings\Budiarto\Application Data\Adobe
    C:\Documents and Settings\Budiarto\Application Data\Adobeum -- EMPTY Directory
    C:\Documents and Settings\Budiarto\Application Data\Ahead
    C:\Documents and Settings\Budiarto\Application Data\Apple Computer
    C:\Documents and Settings\Budiarto\Application Data\Azureus
    C:\Documents and Settings\Budiarto\Application Data\Corel
    C:\Documents and Settings\Budiarto\Application Data\Ea
    C:\Documents and Settings\Budiarto\Application Data\ -- EMPTY Directory
    C:\Documents and Settings\Budiarto\Application Data\Gaijin Ent
    C:\Documents and Settings\Budiarto\Application Data\Google
    C:\Documents and Settings\Budiarto\Application Data\Grouper Networks
    C:\Documents and Settings\Budiarto\Application Data\Hamachi
    C:\Documents and Settings\Budiarto\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Budiarto\Application Data\Identities
    C:\Documents and Settings\Budiarto\Application Data\Imvu
    C:\Documents and Settings\Budiarto\Application Data\Installshield
    C:\Documents and Settings\Budiarto\Application Data\Intertrust
    C:\Documents and Settings\Budiarto\Application Data\Intervideo
    C:\Documents and Settings\Budiarto\Application Data\Iwin
    C:\Documents and Settings\Budiarto\Application Data\Lavasoft -- EMPTY Directory
    C:\Documents and Settings\Budiarto\Application Data\Lct
    C:\Documents and Settings\Budiarto\Application Data\Macromedia
    C:\Documents and Settings\Budiarto\Application Data\Mathworks
    C:\Documents and Settings\Budiarto\Application Data\Mcafee
    C:\Documents and Settings\Budiarto\Application Data\Media Player Classic
    C:\Documents and Settings\Budiarto\Application Data\Megaupload
    C:\Documents and Settings\Budiarto\Application Data\Megauploadtoolbar
    C:\Documents and Settings\Budiarto\Application Data\Microsoft
    C:\Documents and Settings\Budiarto\Application Data\Mozilla
    C:\Documents and Settings\Budiarto\Application Data\Nikon
    C:\Documents and Settings\Budiarto\Application Data\Opera
    C:\Documents and Settings\Budiarto\Application Data\Pc Tools
    C:\Documents and Settings\Budiarto\Application Data\Playfirst
    C:\Documents and Settings\Budiarto\Application Data\Real
    C:\Documents and Settings\Budiarto\Application Data\Siteadvisor -- EMPTY Directory
    C:\Documents and Settings\Budiarto\Application Data\Skype
    C:\Documents and Settings\Budiarto\Application Data\Sonic
    C:\Documents and Settings\Budiarto\Application Data\Sony Ericsson
    C:\Documents and Settings\Budiarto\Application Data\Starware349
    C:\Documents and Settings\Budiarto\Application Data\Sun
    C:\Documents and Settings\Budiarto\Application Data\Symantec
    C:\Documents and Settings\Budiarto\Application Data\Teleca
    C:\Documents and Settings\Budiarto\Application Data\Toshiba
    C:\Documents and Settings\Budiarto\Application Data\U3
    C:\Documents and Settings\Budiarto\Application Data\Utorrent
    C:\Documents and Settings\Budiarto\Application Data\Vlc
    C:\Documents and Settings\Budiarto\Application Data\Waysixth -- EMPTY Directory
    C:\Documents and Settings\Budiarto\Application Data\Webshots
    C:\Documents and Settings\Budiarto\Application Data\Xcelsius
    C:\Documents and Settings\Budiarto\Application Data\Yahoo!
    C:\Documents and Settings\Default User\Application Data\Identities
    C:\Documents and Settings\Default User\Application Data\Intertrust
    C:\Documents and Settings\Default User\Application Data\Microsoft
    C:\Documents and Settings\Default User\Application Data\Sun
    C:\Documents and Settings\Default User\Application Data\Symantec -- EMPTY Directory
    C:\Documents and Settings\Default User\Application Data\Toshiba
    C:\Documents and Settings\Localservice\Application Data\Microsoft
    C:\Documents and Settings\Localservice\Application Data\Webroot
    C:\Documents and Settings\Networkservice\Application Data\Microsoft
    C:\Documents and Settings\Networkservice\Application Data\Symantec
    C:\Documents and Settings\Networkservice\Application Data\Webroot

    Hmm, can I ask you about scvhost.exe, is it good or bad?? Is it already fixed??
    Feb 8, 2007
    SCVHOST.exe is bad, but SVCHOST.exe is part of Windows, please be accurate with those names!

    However. Let's continue. Stop using Internet Explorer, because it's totally shit. Prefer Firefox

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    * Install AVG Anti-Spyware by double clicking the installer.
    * Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    * On the main screen under Your Computer's security.
    * Click on Change state next to Resident shield. It should now change to inactive.
    * Click on Change state next to Automatic updates. It should now change to inactive.
    * Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    * Wait until you see the Update successful message.
    * Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    * Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    If AVG doesn't work in Safemode, please use this patchfile to make it work.
    * Click Start
    * Click Control Panel
    * Double-click Add or Remove Programs
    * Find and remove this program if found:


    Run HijackThis
    Click on Do a system scan only
    Place a checkmark next to these lines (if still present)

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (file missing)
    O2 - BHO: (no name) - {31D1519F-4D2D-48A2-8D54-18D94D072E6C} - C:\WINDOWS\system32\mljgf.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {7FD8AFB7-440C-8EC7-AD7D-F20EBACE0ACD} - (no file)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ngwqiqqf.dll (file missing)
    O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [j1201235] rundll32 C:\WINDOWS\system32\j1201235.dll sook
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ygbiqrnu.dll",realset
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Body User] C:\DOCUME~1\Budiarto\APPLIC~1\PUREAT~1\mapi cast 32.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search -
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

    Then close all windows except Hijackthis and click Fix Checked

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!

    Double-click ATF Cleaner.exe to open it.

    Under Main select the following:

    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    * Go to Start > My Computer
    * Go to Tools > Folder Options
    * Click on the View tab
    * Untick the following:

      * Hide extensions for known file types
      * Hide protected operating system files (Recommended)

    * You will get a message warning you about showing protected operating system files, click Yes
    * Make sure this option is selected:
      * Show hidden files and folders
    * Click Apply and then click OK

      Restart your computer to Safe Mode.

      1. If the computer is running, shut down Windows, and then turn off the power.
      2. Wait 30 seconds, and then turn the computer on.
      3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      4. Ensure that the Safe Mode option is selected.
      5. Press Enter. The computer then begins to start in Safe Mode.
      6. Log in to your usual account.

      When in Safemode, please find and remove these: (if still present)

      C:\Program Files\MyWebSearch FOLDER

      Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
      * Click on Scanner on the toolbar.
      * Click on the Settings tab.
      * Under How to act?
      * Click on Recommended Action and choose Quarantine from the popup menu.
      * Under How to scan?
      * All checkboxes should be ticked.
      * Under Possibly unwanted software:
      * All checkboxes should be ticked.
      * Under Reports:
      * Select Automatically generate report after every scan and uncheck Only if threats were found.
      * Under What to scan?
      * Select Scan every file.
      * Click on the Scan tab.
      * Click on Complete System Scan to start the scan process.
      * Let the program scan the machine.
      * When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      * Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      * At the bottom of the window click on the Apply all Actions button. (3)
      * When done, click the Save Scan Report button. (4)
      * Click the Save Report as button.
      * Save the report to your Desktop.
      * Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
      Reboot in Normal Mode.

      Please post fresh HijackThis log and AVG report.
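Added example, not part of the original thread and not code from HijackThis or its authors: a Python sketch of the triage behind the fix list in the post above, run over lines copied from the logs quoted in this thread. The names `triage`, `Finding` and the tag strings are assumptions made for this illustration; the "parse-artifact" rule is an inference from this thread's own log, where `ashMaiSv.exe` is listed as running while its O23 line ends in `" /service (file missing)`.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [j1201235] rundll32 C:\WINDOWS\system32\j1201235.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ygbiqrnu.dll",realset
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# "R0".."R3" and "O1".."O23" section codes that prefix every entry line.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Registry entry whose target no longer exists on disk.
ORPHAN_RE = re.compile(r"\((file missing|no file)\)\s*$")
# Autostart value that loads a DLL through rundll32; group 1 is the DLL path.
RUNDLL_RE = re.compile(r'\]\s*rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
# Path followed by an unbalanced quote and arguments, e.g.  ...\svc.exe" /service
BROKEN_QUOTE_RE = re.compile(r'([A-Za-z]:\\[^"]+\.exe)"\s', re.I)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    tag: str      # "orphaned", "rundll32-autostart" or "parse-artifact"
    target: str   # file the entry points at ("" when the log shows none)
    line: str     # the original log line


def parse_log(text):
    """Return (set of lower-cased running process paths, list of (section, line))."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                running.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return running, entries


def orphan_target(line):
    """Text after the last ' - ' separator, minus the '(file missing)' suffix."""
    tail = line.rsplit(" - ", 1)[-1]
    return ORPHAN_RE.sub("", tail).strip()


def triage(text):
    """Flag entries worth a reviewer's attention; everything else is left alone."""
    running, entries = parse_log(text)
    findings = []
    for section, line in entries:
        if ORPHAN_RE.search(line):
            broken = BROKEN_QUOTE_RE.search(line)
            # The "missing" file is running in the same log: the quoted path
            # was misread, so this is not a leftover to delete.
            if broken and broken.group(1).lower() in running:
                findings.append(Finding(section, "parse-artifact", broken.group(1), line))
            else:
                findings.append(Finding(section, "orphaned", orphan_target(line), line))
        elif section == "O4":
            m = RUNDLL_RE.search(line)
            if m:
                findings.append(Finding(section, "rundll32-autostart", m.group(1), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.tag:<20}{f.target}")
```

A flagged line is a prompt for review, not a verdict: plenty of legitimate software autostarts through rundll32, and the helper in this thread left several "(file missing)" lines unchecked.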
    Jun 12, 2007
    Wow, still a lot of things to do... thanks.. you explained it clearly...

    Hmm, before that, every time I start Windows (after the reboot) it says that
    an error occurred, 1 file is missing, which is C:\windows\system32\j1201235.dll
    What is that?? So what must I do about it??
    Feb 8, 2007
    Attempting to delete C:\windows\system32\j1201235.dll
    C:\windows\system32\j1201235.dll Has been deleted!

    That was part of Vundo.Trojan, but it's now deleted. Now if you can do my previous instructions. I'll get back to you in the morning, good night :)
    Jun 12, 2007
    Oh yeah, one more thing.. if I install the AVG Anti-Spyware.. how about the Spyware Doctor, should I just uninstall it??
    Feb 8, 2007
    It's up to you. I think AVG is better than Spyware Doctor, but the choice is yours.

    If AVG doesn't work in Safe Mode, please use this patchfile to make it work again. Save those instructions to Notepad or Word, because it's easier for you then.
    Jun 12, 2007
    Good morning etzo... I'm still downloading the AVG updater... my download rate is slow..

    I cannot remove the MyWebSearch from Control Panel, it said the specific module cannot be found.

    But I can still find the folder in Program Files.. should I just delete the folder as you mentioned in Safe Mode??
    Feb 8, 2007
    Yes. Just follow the instructions, please :)
    Jun 12, 2007
    I've already done everything.. but there are some problems..
    Some files cannot be fixed in HijackThis (I think about 2)..
    And I cannot save the report in AVG. I've already done everything you said, but Save Report is transparent, so I cannot click it..

    Here is the last HijackThis log
    Logfile of HijackThis v1.99.1
    Scan saved at 4:34:41 PM, on 6/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Ringz Studio\Storm Codec\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Budiarto\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone:
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Feb 8, 2007
    Can you do like this:

    Open AVG Anti-Spyware -> Click Reports -> See if there is any report. -> If there is, please copy+paste it to here.

    Or can you tell/do you remember what AVG found?


    Your HijackThis log looks clean!!

    But we have to update your Java, because of the Vundo-Trojans.

    Update Java
    Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

    * Download the latest version of Java(TM) SE Runtime Environment 6u1.
    * Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    * Click the "Download" button to the right.
    * Check the box that says: "Accept License Agreement".
    * The page will refresh.
    * Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    * Close any programs you may have running - especially your web browser.
    * Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    * Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    * Click the Remove or Change/Remove button.
    * Repeat as many times as necessary to remove each Java version.
    * Reboot your computer once all Java components are removed.
    * Then from your desktop double-click on the download to install the newest version.
    Jun 12, 2007
    Oh.. OK, I will do the Java soon..

    Hmm, there is also no report in AVG.. but I can still see the quarantine link.. What should I write down..
    C:\System Volume Information\_restore{A3B0AEB0~~\RP468\A0091640 --- Downloader.LoadAdv
    C:\same as top\A0081642.exe ---- Trojan.Dialer.qn
    same as top\A0081643.exe --Downloader.LoadAdv
    same as top\A0096105.exe --Trojan.Agent.anr
    A0096115 --
    A0096115, A0096118, A0096119, A0096121 infected with Trojan.Agent.anr

    C:\\Vundofix Backups\-- (infected with, and Trojan.Agent.anr)

    C:\WINDOWS\system32\dxdll\flooding.txt --- Backdoor.Zapchast.NY
    same as top \indent.txt --- Trojant.Zapchast.p
    same as top\updater.ini ---Backdoor.Zapchast.NY
    C:\WINDOWS\system32\winmbj32.dll ---Trojan.Dialer.qn

    And I have 5 adware infections in VundoFixbackup, System Volume Information, HKLM\software\classes\clsid\{BE2ED~~, HKLM\SOFTWARE\, and HKU\Default\Software\
    Feb 8, 2007
    Delete these folders:

    C:\\Vundofix Backups\

    Also there was some shit in the registry and System Restore (trojans)

    You should still do these things:

    Download New.netfix.exe by Noahdfear.
    * Save it to your desktop.
    * Double-click it, and after that click Start to extract it to its own folder.
    * Open that new folder and double-click RunThis.bat
    * Follow the instructions and please post in your next reply.

    After you have posted that logfile, you should enable/disable your systemrestore. Here are the instructions.

    After these you should be clean :)
    Jun 12, 2007
    Here the log: regsitry key fix

    by noahdfear ©2006

    checking for key not found!

    What i must do to the systemrestore? is it okay just disable and then enable it again?? how about trojan inside that system?

    So what Protection that i must use for my computer?? should i always turn on the avgantispyware??
    Feb 8, 2007
    Good, there was no New.Net anymore.

    Step 1:

    Your System Restore point is full of "ugly shit"

    You can see it from AVG's quarantine list:

    "C:\System Volume Information\_restore{A3B0AEB0~~\RP468\A0091640 --- Downloader.LoadAdv
    C:\same as top\A0081642.exe ---- Trojan.Dialer.qn
    same as top\A0081643.exe --Downloader.LoadAdv
    same as top\A0096105.exe --Trojan.Agent.anr"

    When you disable that, they all disappear.

    * Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    Turn off System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Check Turn off System Restore
    Click Apply, and then click OK


    Turn on System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Uncheck Turn off System Restore
    Click Apply, and then click OK
    NOTE: only do this ONCE, NOT on a regular basis!


    Step 2:

    About protection..

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: (you don't have to do these all)

    * Make your Internet Explorer more secure - This can be done by following these simple instructions:
    * From within Internet Explorer click on the Tools menu and then click on Options.
    * Click once on the Security tab
    * Click once on the Internet icon so it becomes highlighted.
    * Click once on the Custom Level button.
    * Change the Download signed ActiveX controls to Prompt

    * Change the Download unsigned ActiveX controls to Disable

    * Change the Initialize and script ActiveX controls not marked as safe to Disable

    * Change the Installation of desktop items to Prompt

    * Change the Launching programs and files in an IFRAME to Prompt

    * Change the Navigate sub-frames across different domains to Prompt

    * When all these settings have been made, click on the OK button.

    * If it prompts you as to whether or not you want to save the settings, press the Yes button.
    * Next press the Apply button and then the OK to exit the Internet Properties page.
    * Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    * Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    * Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

    * Visit Microsoft's Windows Update Site Frequently - It is important that you visit regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    * Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    * Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

    Instructions for - Spybot S & D and Ad-aware

    * Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

    * Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    * IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    * MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer
    * Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    * Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

    Happy surfing and stay clean!
    Jun 12, 2007
    I already change the Java to new one, and already disable the systemrestore (i will enable it when i restart computer).. is it mean my case already over?? (so sad cannot chat with u again ^^)

    After all the step my storage become more.. before all this program i only have about 1giga left, but now it become 3gb.. i don't understand how can this happen, is it during the process 2gb files have been deleted.

    Anyway.. Thank a lot for helping me... aaa I'm really thankful...
    hmm if i'll decided using ad-aware and spybot.. should i just uninstall the avg antispyware. (run of storage, i just have 40gb storage in the computer)
    is avast antivirus is good enough? and it also updated database automatically.

