conflicted with websiteviewer


mangolee
15 May 2005, 6:21pm
Hi everyone:

My computer was affected with Websiteviewer this afternoon. It creates a folder at C:\Program Files\WebSiteViewer with some 126376.exe and 126376.dlr files inside (maybe that's its number!!)

Besides, every time when I boot up, a dial program (tibs41) shows up. And it blocks my Task Manager!!


Logfile of HijackThis v1.99.1
Scan saved at 上午 01:19:00, on 2005/5/16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\ttplorer.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijeckthis\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {1D97C19C-1611-423C-AABA-D4AB0B6ADDCA} - C:\WINDOWS\System32\elfl.dll (file missing)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Scvhost] C:\WINDOWS\System32\ttplorer.exe
O4 - HKLM\..\Run: [sys_Runtt1] C:\Program Files\explorer.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - D:\program\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - D:\program\DSLite2\dl_url.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - D:\program\DSLite2\DSLite.exe
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - D:\program\DSLite2\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://powdersearch.com/gall.php?url=
O13 - WWW Prefix: http://powdersearch.com/gall.php?url=
O13 - Home Prefix: http://powdersearch.com/gall.php?url=
O13 - Mosaic Prefix: http://powdersearch.com/gall.php?url=
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\Painter 7\Help\wwhelp2.cab
O16 - DPF: {04A802AE-A749-5D72-0068-08FA7EB7D67A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0BCC98C6-B289-5661-900F-7D5329C3CE10} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0D7BCB93-4BE5-48A9-7318-08C94C8D158B} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0E7B49E4-1CD1-0592-D039-32E76BDB7821} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.ntsearch.com/popengine/POP.CHM::/sp.exe
O16 - DPF: {10AFE453-0B21-0328-D236-21A31380FDCD} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {1165D61D-715E-3374-5C7E-2BB52B1BA972} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {22FF6B85-FEB6-4D1B-F07E-131F7670A994} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33B757BC-CBA2-4875-6C3C-607652DD9111} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33C6383A-D4DB-02DA-19A0-45907AA8F60E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {34213680-ACBC-7A91-153E-5273191760AE} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {394A5EA8-E5A7-1AA2-D2F7-20266CE2009A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {3C66CCBA-8777-4E95-E2F6-208C7345F570} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {400508E5-5F36-46CF-609E-67B63B99C6C2} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4261F3F1-E8AF-23D3-4448-1E3C7B299D34} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4456BD54-08EC-52A1-2DD0-54BC451F1074} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {508A645D-DE13-4D25-AA35-6F483FB796C7} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {595979C3-B0FB-6F9C-7B49-41145EB57318} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {5CF84680-14FE-6871-1A90-609557347B14} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {69BD77F2-3929-046E-B5B0-12886EC60AF8} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {79A29694-F967-7952-04E2-4C822C6B7C2D} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7A22408C-D119-748D-9018-2C2C700F680E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7DE2FE50-FBDB-1BBF-7E95-2CC75C5C9146} - http://69.50.182.94/1/rdgTW1953.exe
O18 - Filter: text/html - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
O18 - Filter: text/plain - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Buckeye_Sam
16 May 2005, 8:42pm
Is your Norton antivirus up to date? If so, does it detect anything?
Let's see what we can do for you.


Make sure that you can VIEW ALL HIDDEN FILES. (http://www.short-media.com/forum/showpost.php?p=172588&postcount=3)

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {1D97C19C-1611-423C-AABA-D4AB0B6ADDCA} - C:\WINDOWS\System32\elfl.dll (file missing)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [Scvhost] C:\WINDOWS\System32\ttplorer.exe
O4 - HKLM\..\Run: [sys_Runtt1] C:\Program Files\explorer.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O13 - DefaultPrefix: http://powdersearch.com/gall.php?url=
O13 - WWW Prefix: http://powdersearch.com/gall.php?url=
O13 - Home Prefix: http://powdersearch.com/gall.php?url=
O13 - Mosaic Prefix: http://powdersearch.com/gall.php?url=
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\Painter 7\Help\wwhelp2.cab
O16 - DPF: {04A802AE-A749-5D72-0068-08FA7EB7D67A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0BCC98C6-B289-5661-900F-7D5329C3CE10} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0D7BCB93-4BE5-48A9-7318-08C94C8D158B} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0E7B49E4-1CD1-0592-D039-32E76BDB7821} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.ntsearch.com/popengine/POP.CHM::/sp.exe
O16 - DPF: {10AFE453-0B21-0328-D236-21A31380FDCD} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {1165D61D-715E-3374-5C7E-2BB52B1BA972} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {22FF6B85-FEB6-4D1B-F07E-131F7670A994} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33B757BC-CBA2-4875-6C3C-607652DD9111} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33C6383A-D4DB-02DA-19A0-45907AA8F60E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {34213680-ACBC-7A91-153E-5273191760AE} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {394A5EA8-E5A7-1AA2-D2F7-20266CE2009A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {3C66CCBA-8777-4E95-E2F6-208C7345F570} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {400508E5-5F36-46CF-609E-67B63B99C6C2} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4261F3F1-E8AF-23D3-4448-1E3C7B299D34} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4456BD54-08EC-52A1-2DD0-54BC451F1074} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {508A645D-DE13-4D25-AA35-6F483FB796C7} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {595979C3-B0FB-6F9C-7B49-41145EB57318} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {5CF84680-14FE-6871-1A90-609557347B14} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {69BD77F2-3929-046E-B5B0-12886EC60AF8} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {79A29694-F967-7952-04E2-4C822C6B7C2D} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7A22408C-D119-748D-9018-2C2C700F680E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7DE2FE50-FBDB-1BBF-7E95-2CC75C5C9146} - http://69.50.182.94/1/rdgTW1953.exe
O18 - Filter: text/html - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
O18 - Filter: text/plain - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll


Reboot your computer into SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)

Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\drexinit.dll
C:\WINDOWS\nem220.dll
C:\WINDOWS\System32\elfl.dll
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\elfl.dll
C:\WINDOWS\System32\ttplorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System\svchost.exe <-- only delete the file in this location
C:\Program Files\explorer.exe <-- only delete the file in this location
C:\Program Files\Internet Optimizer
C:\Program Files\AutoUpdate


Reboot your computer to go back to normal mode.


Please download and install A-Squared. You will have to register with them in order to install the updates, but it's free. Once updated, run a full scan and remove everything that is found.

http://www.majorgeeks.com/download4281.html



Reboot and post a new hijackthis log.
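The entries Buckeye_Sam picked out above follow a handful of patterns: a second program chained onto the Shell= value, a hosts-file redirect, Run keys whose targets imitate system binaries or sit in the wrong directory, hijacked URL prefixes, a long run of ActiveX CLSIDs all pulling the same .exe from a bare IP address, and a MIME filter on text/html. The script below is an added example and is not part of this thread or of HijackThis itself; it encodes those patterns as triage heuristics and runs them over a few lines copied from the posted log. The SYSTEM_STEMS table (which Windows binaries live where) is an assumed XP-era layout, and the edit-distance threshold is my choice.

```python
"""Triage heuristics for a HijackThis log, mirroring the entry types flagged in the thread."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Windows binaries that the malware in this log imitates, with the directory each
# normally runs from (assumed XP-era layout; adjust for other Windows versions).
SYSTEM_STEMS = {
    "explorer": r"c:\windows",
    "svchost": r"c:\windows\system32",
    "kernel32": r"c:\windows\system32",
    "lsass": r"c:\windows\system32",
    "csrss": r"c:\windows\system32",
    "winlogon": r"c:\windows\system32",
    "services": r"c:\windows\system32",
}
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Lines copied from the log posted above (plus two benign entries from it for contrast).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [sys_Runtt1] C:\Program Files\explorer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O13 - WWW Prefix: http://powdersearch.com/gall.php?url=
O16 - DPF: {04A802AE-A749-5D72-0068-08FA7EB7D67A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0BCC98C6-B289-5661-900F-7D5329C3CE10} - http://69.50.182.94/1/rdgTW1953.exe
O18 - Filter: text/html - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike names such as ttplorer vs explorer."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_run_entry(path: str):
    """Flag a Run target that is a system binary in the wrong place, or a near-miss of one."""
    directory = ntpath.dirname(path).lower()
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    if stem in SYSTEM_STEMS:
        if directory != SYSTEM_STEMS[stem]:
            return f"{stem}.exe launched from {directory!r}, not its normal location"
        return None
    for known in SYSTEM_STEMS:
        if edit_distance(stem, known) <= 2:
            return f"{stem} looks like a misspelling of {known}"
    return None


def check_dpf(url: str):
    """Flag ActiveX download sources (O16) that no legitimate control would use."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    if parsed.hostname and IP_RE.fullmatch(parsed.hostname):
        reasons.append("served from a bare IP address")
    if url.lower().endswith(".exe"):
        reasons.append("fetches a raw .exe rather than a signed .cab")
    return "; ".join(reasons) or None


def analyze(log_text: str) -> list:
    findings = []
    dpf_urls = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if m := re.match(r"^F2 - REG:system\.ini: Shell=(.*)$", line):
            tokens = m.group(1).split()  # crude split; a quoted path with spaces would need more care
            if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
                findings.append(Finding("F2", "extra program chained onto the Shell= value", line))
        elif m := re.match(r"^O1 - Hosts: (.*)$", line):
            names = [t for t in m.group(1).split() if not IP_RE.fullmatch(t)]
            if any(n.lower() != "localhost" for n in names):
                findings.append(Finding("O1", "hosts-file override of " + ", ".join(names), line))
        elif m := re.match(r"^O2 - BHO: (.*?) - \{.*?\} - (.*)$", line):
            if m.group(1) == "(no name)" or "(file missing)" in m.group(2):
                findings.append(Finding("O2", "unnamed or dangling browser helper object", line))
        elif m := re.match(r"^O4 - .*?\\Run: \[[^\]]*\] (.*)$", line):
            p = re.search(r"([A-Za-z]:\\.*?\.exe)", m.group(1), re.IGNORECASE)
            if p and (reason := check_run_entry(p.group(1))):
                findings.append(Finding("O4", reason, line))
        elif m := re.match(r"^O13 - (.*?Prefix): (.*)$", line):
            if m.group(2).strip() not in ("http://", "https://", "ftp://"):
                findings.append(Finding("O13", "URL prefix hijacked to " + m.group(2).strip(), line))
        elif m := re.match(r"^O16 - DPF: (.+?) - (.+)$", line):
            url = m.group(2).strip()
            dpf_urls[url] += 1
            if reason := check_dpf(url):
                findings.append(Finding("O16", reason, line))
        elif m := re.match(r"^O18 - Filter: (\S+) - \{.*?\} - (.*)$", line):
            if m.group(1).startswith("text/"):
                findings.append(Finding("O18", f"custom MIME filter on {m.group(1)} rewrites page content", line))
    for url, n in dpf_urls.items():
        if n > 1:  # many CLSIDs for one download is the drive-by pattern seen in this log
            findings.append(Finding("O16", f"{n} different CLSIDs all fetch {url}", url))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it on a saved log with `analyze(open(path).read())`. The output is a triage aid, not a verdict: a legitimate program can legitimately sit in an unexpected directory, and a dangling O2 entry may only be an uninstall leftover, so each hit still needs the kind of manual review the reply above shows.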