#1
please help me fix this problem
Logfile of HijackThis v1.98.2
Scan saved at 11:34:38 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Herosoft\HeroV8\SysExplr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\SU\Download\Spyware\zerospyware\ZeroSpyware.exe
C:\SU\Download\Spyware\zerospyware\NetGuard.exe
C:\SU\Download\Banpopup\Banpopup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mfcoleui.exe
C:\SU\Download\Spyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Zhaohui Su\Application Data\Mozilla\Profiles\default\fglzdyte.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Zhaohui Su\Application Data\Mozilla\Profiles\default\fglzdyte.slt\prefs.js)
O2 - BHO: (no name) - {03BFBAA5-E303-4A06-85E9-0BB25D7BFFCF} - C:\WINDOWS\System32\mjnieac.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IDDTInitObj Class - {15DDE989-CD45-4561-BF99-D22C0D5C2B74} - C:\WINDOWS\Downlo~1\ddtinit.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SU\Download\Spyware\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINDOWS\Downlo~1\DDTONG~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SysExplr] C:\Herosoft\HeroV8\SysExplr.EXE
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\System32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\RunOnce: [RemoveFileUAF] "C:\SU\Download\Spyware\zerospyware\FileDeleter.exe" C:\SU\Download\Spyware\zerospyware\uaf.dat
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mfcoleui] C:\WINDOWS\System32\mfcoleui.exe
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Zhaohui Su\Rundll32.exe
O4 - HKCU\..\Run: [ZeroSpyware] "C:\SU\Download\Spyware\zerospyware\ZeroSpyware.exe" -STARTUP
O4 - HKCU\..\Run: [NetGuard] "C:\SU\Download\Spyware\zerospyware\NetGuard.exe" -STARTUP
O4 - HKCU\..\Run: [Banpopup by Pratik] C:\SU\Download\Banpopup\Banpopup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: EasyRead Translate - C:\Program Files\Common Files\ImTOO\ER2002\TransAll.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: EasyRead - {008B57BE-DA82-4b30-9A3E-D1A216A22939} - C:\Program Files\Common Files\ImTOO\ER2002\TransAll.html
O9 - Extra 'Tools' menuitem: EasyRead - {008B57BE-DA82-4b30-9A3E-D1A216A22939} - C:\Program Files\Common Files\ImTOO\ER2002\TransAll.html
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: Dictionary - {b3d50f24-9482-4391-8c6a-976e8e3ec08d} - c:\pomidor\pomidor.exe (file missing)
O9 - Extra 'Tools' menuitem: &Dictionary - {b3d50f24-9482-4391-8c6a-976e8e3ec08d} - c:\pomidor\pomidor.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {080FCF65-DE33-3AC0-9884-512E0D1124E5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {0CE81213-6804-77F3-E0EA-0EBE716C6B27} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {0E0F969B-49A7-7CD1-01AE-2FF142FB413A} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {10FE1E06-BD03-2F5D-690F-622E4A494A74} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15516895-FCAB-5824-7841-7A4B569A5C44} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {1C59DF15-AC91-7D1D-522D-4153792112F5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1EE6A425-CFDA-4E1F-6511-69E32171A3B9} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {1F621F2C-29AC-5C96-50EC-6DE476F906F3} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {22C576DE-794E-2E83-4E42-7CBA4B23AA9B} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {325A3D77-F75B-07DB-FD2C-2E350DCD5089} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {360B0313-396A-167C-BE27-08F11A8B63B8} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {362A7E3C-4735-4A4E-E506-1AB6316C52E4} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4345F185-5E0D-44AD-BD2B-14227EFD21B2} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {46D19F7A-CA9C-19F1-11D9-07ED799E999E} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {48FA7A06-F253-28D5-CEA7-703361B78DF5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4B95AE28-1FA3-67E3-A6F4-189C220C3102} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4D692D10-7E3D-76E6-4FB0-453533D97C7C} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4D7AF712-2559-66D3-D890-31671CC6D6D0} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {543759A7-970C-3DCB-F9D8-3CD870AB4378} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {59C8EBBB-F098-0329-D56B-44AC103A9BC1} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {5C5919CE-2022-48A3-4CEC-665575E62707} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {5D9946F3-B60A-4E06-21C8-1B0661707BA6} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {602D8789-CDF2-28CF-0116-6B215754F508} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095126959296
O16 - DPF: {67037395-E2BE-17AB-4615-5AAC5EA16FEB} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {692D7C0E-F2E1-15E2-24C1-64985BCB8868} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {6CC1381C-3F72-7C03-BD93-70AF4EEC7C9B} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {6F56F1BC-02E7-3C5C-BD60-0F6B629C64AB} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {709345D1-186B-4833-FB47-593F24D1F909} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {72086DA4-E7F0-6DF3-8245-297775D42EF6} - http://209.8.161.54/1/rdgUS1022.exe
O16 - DPF: {76221EC7-445A-5633-7BBD-00034CCD009E} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {78D971CB-C9BB-632B-509F-07E430E5133E} - http://66.117.42.151/1/rdgUS20.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ksu.edu,ksu.ksu.edu,telecom.ksu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ksu.edu,ksu.ksu.edu,telecom.ksu.edu
#2
Thread split. It's better to create a new thread for each new problem rather than replying to someone else's thread.
#3
Hi zsu,
You might want to print these instructions for reference, as you will be off the internet while using HijackThis.

In light of the recent infections, let's purge System Restore.

Disable System Restore:
1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.

We will turn it back on when your system is clean.

Then....

Log off your internet connection. Run HijackThis, close all browsers and any other windows, click Scan, place a checkmark next to the following items, and click "Fix checked".

O2 - BHO: (no name) - {03BFBAA5-E303-4A06-85E9-0BB25D7BFFCF} - C:\WINDOWS\System32\mjnieac.dll (file missing)
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Zhaohui Su\Rundll32.exe
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O16 - DPF: {080FCF65-DE33-3AC0-9884-512E0D1124E5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {0CE81213-6804-77F3-E0EA-0EBE716C6B27} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {0E0F969B-49A7-7CD1-01AE-2FF142FB413A} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {10FE1E06-BD03-2F5D-690F-622E4A494A74} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15516895-FCAB-5824-7841-7A4B569A5C44} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {1C59DF15-AC91-7D1D-522D-4153792112F5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1EE6A425-CFDA-4E1F-6511-69E32171A3B9} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {1F621F2C-29AC-5C96-50EC-6DE476F906F3} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {22C576DE-794E-2E83-4E42-7CBA4B23AA9B} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {325A3D77-F75B-07DB-FD2C-2E350DCD5089} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {360B0313-396A-167C-BE27-08F11A8B63B8} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {362A7E3C-4735-4A4E-E506-1AB6316C52E4} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4345F185-5E0D-44AD-BD2B-14227EFD21B2} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {46D19F7A-CA9C-19F1-11D9-07ED799E999E} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {48FA7A06-F253-28D5-CEA7-703361B78DF5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4B95AE28-1FA3-67E3-A6F4-189C220C3102} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4D692D10-7E3D-76E6-4FB0-453533D97C7C} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {4D7AF712-2559-66D3-D890-31671CC6D6D0} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {543759A7-970C-3DCB-F9D8-3CD870AB4378} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {59C8EBBB-F098-0329-D56B-44AC103A9BC1} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {5C5919CE-2022-48A3-4CEC-665575E62707} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {5D9946F3-B60A-4E06-21C8-1B0661707BA6} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {602D8789-CDF2-28CF-0116-6B215754F508} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {67037395-E2BE-17AB-4615-5AAC5EA16FEB} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {692D7C0E-F2E1-15E2-24C1-64985BCB8868} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {6CC1381C-3F72-7C03-BD93-70AF4EEC7C9B} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {6F56F1BC-02E7-3C5C-BD60-0F6B629C64AB} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {709345D1-186B-4833-FB47-593F24D1F909} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {72086DA4-E7F0-6DF3-8245-297775D42EF6} - http://209.8.161.54/1/rdgUS1022.exe
O16 - DPF: {76221EC7-445A-5633-7BBD-00034CCD009E} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {78D971CB-C9BB-632B-509F-07E430E5133E} - http://66.117.42.151/1/rdgUS20.exe

O2 - BHO: IDDTInitObj Class - {15DDE989-CD45-4561-BF99-D22C0D5C2B74} - C:\WINDOWS\Downlo~1\ddtinit.dll
is the sina.com.cn browser plugin. Is this something you installed, or are aware of? If not, fix it too.

O3 - Toolbar: 新浪点点通 - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - C:\WINDOWS\Downlo~1\DDTONG~1.DLL
Because of the language difference, I cannot determine if this is ok or not. If you don't recognize it, have HijackThis fix this one too.

Is NMGameX a valid program, to your knowledge?

Is anything in this line familiar?
O4 - HKCU\..\Run: [mfcoleui] C:\WINDOWS\System32\mfcoleui.exe

These are programs that do not need to be running at startup. You can fix these too.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE

Then....

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, and select Safe Mode.

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden Files and Folders heading, select Show Hidden Files and Folders. Uncheck the Hide Protected Operating System Files (recommended) option. Click Yes to confirm. Click OK.

Delete the following files:
C:\WINDOWS\System32\mjnieac.dll
C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
C:\Documents and Settings\Zhaohui Su\Rundll32.exe
rdgUS20.exe
C:\Recycled\Q330995.exe

Reboot normally and post a fresh HijackThis log.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickies at the top of the forum before posting!
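A small triage script, added here as an example and not code from this thread or from HijackThis itself, that applies the same checks Tom made by hand to a constructed excerpt of the log above: O16 DPF entries that fetch a bare executable or a local file, BHOs with no name or a missing file, a Run entry living in a user profile, and the pattern of many different CLSIDs all registered for one download URL. The regexes, the `triage` function and its threshold are my own assumptions about the HijackThis 1.98 line format, not an official grammar.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03BFBAA5-E303-4A06-85E9-0BB25D7BFFCF} - C:\WINDOWS\System32\mjnieac.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Zhaohui Su\Rundll32.exe
O16 - DPF: {080FCF65-DE33-3AC0-9884-512E0D1124E5} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {0CE81213-6804-77F3-E0EA-0EBE716C6B27} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {0E0F969B-49A7-7CD1-01AE-2FF142FB413A} - http://66.117.42.151/1/rdgUS20.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095126959296
"""

# Assumed line shapes for the three entry types this script looks at.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? - (\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")

def triage(log_text, repeat_threshold=3):
    """Return (findings, o16_by_url): findings is a list of (line, reason) pairs."""
    findings = []
    by_url = defaultdict(list)  # download URL -> CLSIDs registered for it
    for line in log_text.splitlines():
        m = O16_RE.match(line)
        if m:
            clsid, _name, url = m.groups()
            by_url[url].append(clsid)
            # A legitimate DPF entry (e.g. Windows Update) fetches a signed .cab, not a raw .exe.
            if url.startswith("file://") or url.lower().endswith(".exe"):
                findings.append((line, "O16 DPF fetches a bare executable or local file"))
            continue
        m = O2_RE.match(line)
        if m and (m.group(1) == "(no name)" or "(file missing)" in m.group(3)):
            findings.append((line, "BHO with no name or missing file: orphaned or hidden entry"))
            continue
        m = O4_RE.match(line)
        if m and "\\documents and settings\\" in m.group(4).lower():
            findings.append((line, "autorun binary lives in a user profile, not Program Files or System32"))
    # Many distinct CLSIDs pointing at one URL is the re-registration pattern seen in this log.
    for url, ids in by_url.items():
        if len(ids) >= repeat_threshold:
            findings.append((f"O16 x{len(ids)} -> {url}", "same payload registered under many CLSIDs"))
    return findings, dict(by_url)
```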