Help with my log!

Discussion in 'Malware Help (A Specialist Will Reply)' started by bani, Jul 20, 2005.

  1. bani

    bani Private E-2

    Hi, I think my computer has some probs. There are several extra buttons on IE and also extra options on toolbar. Here attached is my log. Could you please help to suggest anything I need to remove? Thanks a lot.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested. You must follow the steps in the READ ME FIRST sticky.

    Please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. bani

    bani Private E-2

    I had followed the steps. I had run Spyware Doctor before running HijackThis. I tried other ways, but can't remove the extra buttons and options on my toolbar. And also the extra option on my toolbar is not in my language. I don't know what it is. What else do I need to do? Thanks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to complete the steps in my previous message. I said if still having a problem after running the READ ME FIRST, to post a HijackThis log as an attachment.
     
  5. bani

    bani Private E-2

    O.K. I have run several different virus and spyware removal programs. I ran in safe mode and found an "advertisement" virus, which I quarantined. Still, the extra buttons on my IE still exist. If you click on these buttons they all have the same result: direct link to op99.com??? I am pulling my hair out here!! It would be greatly appreciated if you guys could help me out! Thx
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not install HijackThis as requested. You are running it directly out of the ZIP file (using WinRAR). This is exactly what we request that you not do because you will not get any backups this way.

    Also you have multiple browsers running and we request that they be closed before using HJT.

    The below lines illustrate what I am talking about:
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.663\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    Please install HijackThis.exe properly before continuing and remember to exit browsers from now on.

    Do you know what the below is for:

    O2 - BHO: ltmenu Class - {78C21EFD-53BA-406C-AF1A-33A38ABD3958} - C:\Program Files\LtUcx\1002\c0.dll

    Is it for a chat room?

    Do you use a program named Perfect Disk Defragmenter or similar? I'm wondering about the below line:
    O4 - HKCU\..\Run: [dfrgsnap] C:\Windows\System32\dfrgsnap.exe
     
    Last edited: Jul 23, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looking further into your log I see you never ran all the steps of the READ ME FIRST. Definitely step 1 of cleaning was not run. I quote what it says there:
     
  8. bani

    bani Private E-2

    Hi, me again. I have completed 'step 1' under the 'scanning and cleaning steps'.
    I performed the cleaning in safe and normal modes, with some probs found, which I deleted. I have done the alternate scans: TrojanScan, Trend Micro's, a-squared, and avast (unable to do Ad-Aware SE), in safe and normal modes, in which some probs were found and fixed. I still have the extra buttons... I want to kill the hijackers... or my CPU. I don't know what c:\programfiles\ltucx\1002\c0.dll is?? or the other one (not chat room) you asked about. I have now installed and run HijackThis as instructed. Everything was definitely closed before I ran HJT. Please take another look and see what you think. Thx
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about my other question:

     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do you recognize the below O16 line:

    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://202.101.62.196:1995/talk.cab

    Seems to be for:
    Code:
    202.101.62.196 = [  ]

      inetnum:   202.101.62.195 - 202.101.62.196
      netname:   NETPIG-IT
      descr:     Shanghai NETPIG IT Co .Ltd
      country:   CN
      admin-c:   DWJ4-AP
      tech-c:    WJ194-AP
      mnt-by:    MAINT-CHINANET-SH
      changed:   idc@sh163.net 20030423
      status:    ASSIGNED NON-PORTABLE
      source:    APNIC
      person:    Dai Wen Jing
      address:   333 Wusheng Road Shanghai 200003
      country:   CN
      phone:     86-21-63270333-4376
      fax-no:    86-21-63592785
      e-mail:    idc@sh163.net
     
  11. bani

    bani Private E-2

    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://202.101.62.196:1995/talk.cab
    ==> I don't recognize this. I guess it is something I don't want. And the extra buttons all lead me to a website http://op99.com/2000/; I don't know if there is any connection between these two.

    O4 - HKCU\..\Run: [dfrgsnap] C:\Windows\System32\dfrgsnap.exe
    ==> I have 'PowerQuest PartitionMagic' installed on my computer. Maybe it is this one. I never used it though.

    Thanks so much for reading my log. Please tell me what I need to do. Thanks.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Fix the O16 line using HJT and then reboot. Tell me if anything changes.

    You should also click Tools and look at Manage Addons to see if there is anything in there you do not recognize.

    I do not think dfrgsnap.exe is related to Partition Magic. Check the file's properties.

    I would like to get some more info on the dfrgsnap.exe file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.
     
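The thread above walks through a HijackThis log by hand: a tool launched from a Temp folder, an unknown BHO, an unknown Run entry, and an O16 ActiveX control fetched from a bare IP on an odd port. As an added example (not from this thread or from HijackThis itself), the script below parses the same HJT 1.99.1 line formats and flags the items a helper would ask about first. The heuristics and the constructed sample log are assumptions for illustration; a flag means "ask about this", not "this is malware".

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99.1 log format, built from the
# entries discussed in the thread (not a complete real log).
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.663\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: ltmenu Class - {78C21EFD-53BA-406C-AF1A-33A38ABD3958} - C:\Program Files\LtUcx\1002\c0.dll
O4 - HKCU\..\Run: [dfrgsnap] C:\Windows\System32\dfrgsnap.exe
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://202.101.62.196:1995/talk.cab
"""

O_LINE = re.compile(r"^O(\d+) - (.*)$")            # "O16 - DPF: ..." etc.
DPF = re.compile(r"^DPF: (\{[0-9A-F-]+\}) \((.*?)\) - (\S+)$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def triage(log: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for log entries worth a second look."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # blank lines and section headers such as "Running processes:"
        # Anything executing from a Temp folder: e.g. HijackThis run straight
        # out of the ZIP, which is why chaslang says no backups get written.
        if "\\temp\\" in line.lower():
            findings.append((line, "running from a Temp folder"))
        m = O_LINE.match(line)
        if m is None or m.group(1) != "16":
            continue
        d = DPF.match(m.group(2))  # O16: ActiveX control in Downloaded Program Files
        if d is None:
            continue
        url = urlparse(d.group(3))
        if IPV4.match(url.hostname or ""):
            findings.append((line, "control downloaded from a bare IP address"))
        if url.port not in (None, 80, 443):
            findings.append((line, f"control served on non-standard port {url.port}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Other entries (the O2 BHO and the O4 Run line) are parsed but not flagged; as in the thread, they still need a human to check the file's Version tab or ask the owner what installed them.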
