I've just got hijackthis and let me post the log here:
=================================
Logfile of HijackThis v1.97.7
Scan saved at 02:19:57, on 2004/5/28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0\cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\Program Files\Comet\Bin\csbho.dll
O2 - BHO: (no name) - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} - C:\WINDOWS\System32\amcis.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\Program Files\Comet\Bin\csietb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\DaemonTools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series"
/O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: PUTTY.RND
O4 - Startup: sonique2.lnk
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download by FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} (CS15Cursor Class) -
http://files.cometsystems.com/cometcursor/comet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) -
http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = roots-servers.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = roots-servers.net
=================================
StartupList report, 2004/5/28, 02:21:40
StartupList version: 1.52
Started from : C:\Documents and Settings\Edward Lam\Desktop\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0\cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Edward Lam\Start Menu\Programs\Startup]
No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
InterVideo WinCinema Manager.lnk = C:\Program Files\Common\Bin\WinCinemaMgr.exe
Kirby Alarm.lnk = C:\Program Files\Kirby Alarm\kirbyalarm.exe
Panorama 32.lnk = C:\Panorama\Panorama.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
internat.exe = internat.exe
SystemTray = SysTray.Exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HTpatch = C:\WINDOWS\htpatch.exe
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
PowerS = C:\WINDOWS\PowerS.exe
Gnetmous = C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
DAEMON Tools-1033 = "C:\Program Files\DaemonTools\daemon.exe" -lang 1033 -lock
SysMetrix = C:\Program Files\SysMetrix\SysMetrix.exe
EPSON Stylus C41 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M
"Stylus C41"
WinDVR SchSvr = "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe"
PCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe"
TM Outbreak Agent = "C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe" /run
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=c:\windows\system32\explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\???~2.SCR
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - C:\Program Files\NetTransport 2\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}
CSBHO - C:\Program Files\Comet\Bin\csbho.dll - {D14D6793-9B65-11D3-80B6-00500487BDBA}
(no name) - C:\WINDOWS\System32\amcis.dll - {EBBFE27C-BDF0-11D2-BBE5-00609419F467}
--------------------------------------------------
Enumerating Task Scheduler jobs:
{4534B56E-F714-49B9-88A4-D17155F5955B}_STAR_jerry.job
{46D2E58E-800F-4BBB-BB13-D4CE56B927C3}_DEFAULT_Edward Lam.job
{62B48773-03CE-46CE-8F2E-22F1B0B12599}_STAR_Administrator.job
{C3AFBAA2-85BF-4A33-BC10-A01A14E9AC41}_STAR_HomeUsers.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_DEFAULT_Edward Lam.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_Administrator.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_HomeUsers.job
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_STAR_jerry.job
--------------------------------------------------
Enumerating Download Program Files:
[CS15Cursor Class]
InProcServer32 = C:\Program Files\Comet\Bin\cscore.dll
CODEBASE =
http://files.cometsystems.com/cometcursor/comet.cab
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE =
http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE =
http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE =
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 7,322 bytes
Report generated in 0.032 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only