Not sure what it is...


#1 afuhz

Posted 14 April 2009 - 11:43 AM

I thought I had cleaned this infection, but it looks like it is back. The main problems are that I cannot go to microsoft.com or any anti-malware vendor websites, and when I open IE, pop-unders with Chinese ads come up.


DDS (Ver_09-03-16.01) - NTFSx86
Run by me at 0:35:58.07 on Wed 04/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1023.516 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\guid.exe
C:\WINDOWS\WinShell.\daemon.exe
C:\WINDOWS\WinShell.\daemon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k MSPolicyAgent
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\guid.exe,
uWindows: load=c:\windows\guid.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Info cache: {296ab8c6-fb22-4d17-8834-064e2ba0a6f0} - c:\windows\intel\baiduc.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mExplorerRun: [user] c:\windows\winshell..\daemon.exe
mExplorerRun: [mysys] c:\documents and settings\all users\application data\microsoft\crypto\gdi.exe
mExplorerRun: [windows] c:\windows\winshell..\daemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: 添加到QQ表情 - c:\program files\qq\africa2003\AddEmotion.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\firefox\profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 acpidisk;acpidisk;c:\windows\system32\drivers\acpidisk.sys [2009-4-14 143620]
R2 MSPolicyAgent;Microsoft IPsec Policy Agent;c:\windows\system32\svchost.exe -k MSPolicyAgent [2004-8-12 14336]
R2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2009-2-1 121860]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 RasServer;System Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
S3 JRICH;JRICH;c:\windows\system32\drivers\jrich.sys --> c:\windows\system32\drivers\JRICH.sys [?]
S3 ksns;ksns;\??\c:\windows\fonts\ksns.sys --> c:\windows\fonts\ksns.sys [?]
S3 myprotector;myprotector;c:\windows\battc.sys [2009-2-16 69888]
S3 npkycryp;npkycryp;\??\c:\program files\qq\africa2003\npkycryp.sys --> c:\program files\qq\africa2003\npkycryp.sys [?]
S3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\drivers\GC75.sys [2006-11-23 39296]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-04-14 23:55 143,620 a------- c:\windows\system32\drivers\acpidisk.sys
2009-04-14 23:23 2,560 a------- c:\windows\system32\mscpx32r.det
2009-04-14 20:35 <DIR> --d----- C:\pebuilder3110a
2009-03-24 10:43 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-23 14:01 <DIR> --d----- C:\hjt
2009-03-23 13:14 106 a------- c:\windows\system32\B4eocaps.SRG
2009-03-23 03:33 2,560 a------- c:\windows\system32\gscpx32r.det
2009-03-23 03:33 32 a------- c:\windows\system32\gprmsgse.axz
2009-03-23 03:25 <DIR> --d----- C:\ComboFix
2009-03-23 02:16 <DIR> --d----- c:\docume~1\me\applic~1\QuickScan
2009-03-22 19:25 70,391 a------- C:\MGlogs.zip
2009-03-22 19:25 <DIR> --d----- C:\MGtools
2009-03-22 18:59 <DIR> --d----- C:\cmdcons
2009-03-22 18:57 161,792 a------- c:\windows\SWREG.exe
2009-03-22 18:57 98,816 a------- c:\windows\sed.exe
2009-03-22 18:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 18:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 18:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 17:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-22 17:04 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-22 17:04 <DIR> --d----- c:\docume~1\me\applic~1\SUPERAntiSpyware.com
2009-03-22 17:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-22 17:01 1,339,834 a------- C:\MGtools.exe
2009-03-22 16:42 <DIR> --d----- c:\program files\CCleaner
2009-03-21 02:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-03-18 12:09 40,960 a------- c:\windows\guid.exe
2009-03-18 11:43 <DIR> --d----- c:\windows\Outlook

==================== Find3M ====================

2009-03-24 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 16:40 22,249 a------- c:\windows\system32\somspring.dat
2009-03-05 14:47 90,112 a--shr-- c:\windows\system32\uoxxyyui.dll
2009-02-21 02:52 388,096 ---s---- c:\windows\system32\MSPolicyAgent.dll
2009-02-16 14:42 69,888 a------- c:\windows\battc.sys
2009-02-01 03:44 13,531 a------- c:\windows\system32\waueafe.exe
2009-02-01 03:43 19,456 a------- c:\windows\system32\xiainla.dll
2009-01-26 19:26 34,116 a---h--- c:\windows\system32\mlfcache.dat
2008-03-10 10:41 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-10-23 18:02 57,080 a------- c:\docume~1\me\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 0:36:33.54 ===============
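
As an added triage helper (not part of the thread and not part of the DDS tool), the Python script below reads the persistence lines DDS prints in the Pseudo HJT Report and SERVICES / DRIVERS sections and flags the entries a helper reads first: the extra Userinit entry, the win.ini load= line, the Policies\Explorer\Run entries, the Firefox proxy setting, and drivers loaded from outside the normal driver directories. The sample lines are copied from the log above; the heuristics, their names and the "expected" paths are assumptions of this example, and a finding means "look at this", not "this is malware".

```python
import re

# Constructed sample: a handful of lines copied from the DDS log posted above
# (Pseudo HJT Report plus SERVICES / DRIVERS), enough to exercise every check.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\guid.exe,
uWindows: load=c:\windows\guid.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mExplorerRun: [user] c:\windows\winshell..\daemon.exe
mExplorerRun: [mysys] c:\documents and settings\all users\application data\microsoft\crypto\gdi.exe
FF - prefs.js: network.proxy.type - 2
R2 acpidisk;acpidisk;c:\windows\system32\drivers\acpidisk.sys [2009-4-14 143620]
S3 ksns;ksns;\??\c:\windows\fonts\ksns.sys --> c:\windows\fonts\ksns.sys [?]
S3 myprotector;myprotector;c:\windows\battc.sys [2009-2-16 69888]
"""

# Assumed baseline for an XP box with Windows on C:; adjust for other installs.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\program files\\")


def _norm(path):
    """Lower-case a path, drop quotes and the NT '\\??\\' prefix, expand %systemroot%."""
    path = path.strip().strip('"').lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.replace("%systemroot%", "c:\\windows")


def triage(log_text):
    """Return (reason, detail) findings for the persistence points DDS reports.

    These are review heuristics, not verdicts: a finding means a human should
    look at the entry, exactly as a forum helper does when reading the log.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Winlogon Userinit: anything besides userinit.exe itself runs at every logon.
        m = re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I)
        if m:
            for entry in (e.strip() for e in m.group(1).split(",") if e.strip()):
                if _norm(entry) != EXPECTED_USERINIT:
                    findings.append(("userinit_hijack", entry))
            continue

        # 2. win.ini 'load='/'run=': a legacy autostart that no current software needs.
        m = re.match(r"uWindows:\s*(?:load|run)=(.+)", line, re.I)
        if m:
            findings.append(("winini_autostart", m.group(1).strip()))
            continue

        # 3. Policies\Explorer\Run entries are a classic malware autostart; a directory
        #    name ending in '.' (winshell..) is a further red flag.
        m = re.match(r"[um]ExplorerRun:\s*\[[^\]]*\]\s*(.+)", line, re.I)
        if m:
            path = _norm(m.group(1))
            reason = "explorer_run_policy"
            if re.search(r"[^\\]\.+\\", path):
                reason += "_trailing_dot_dir"
            findings.append((reason, path))
            continue

        # 4. Firefox network.proxy.type 1 (manual) or 2 (PAC script) can route or block
        #    chosen hosts, which fits "cannot reach microsoft.com or AV vendor sites".
        m = re.match(r"FF - prefs\.js:\s*network\.proxy\.type\s*-\s*(\d+)", line)
        if m and m.group(1) in ("1", "2"):
            findings.append(("browser_proxy_set", "network.proxy.type=" + m.group(1)))
            continue

        # 5. Kernel drivers loaded from outside system32\drivers or Program Files.
        m = re.match(r"[RS]\d\s+([^;]+);[^;]*;(.+?)(?:\s-->.*)?\s\[", line)
        if m:
            path = _norm(m.group(2))
            if path.endswith(".sys") and not path.startswith(DRIVER_DIRS):
                findings.append(("driver_outside_driver_dirs", m.group(1) + ": " + path))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:38} {detail}")
```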



#2 KoanYorel


Posted 27 April 2009 - 01:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 afuhz


Posted 02 May 2009 - 12:01 AM

Same problems as before: I cannot open Microsoft.com or any other anti-malware sites, and when I open IE I get pop-unders. Since my first post I have run Malwarebytes and Spybot, but they did not clean the infection.


DDS (Ver_09-03-16.01) - NTFSx86
Run by me at 12:43:57.57 on Sat 05/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1023.677 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\guid.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\guid.exe
C:\WINDOWS\WinShell.\daemon.exe
C:\WINDOWS\WinShell.\daemon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\guid.exe,
uWindows: load=c:\windows\guid.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CAdLogic Object: {11f09afd-75ad-4e51-ab43-e09e9351ce16} - c:\program files\common files\pushware\cpush.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Info cache: {296ab8c6-fb22-4d17-8834-064e2ba0a6f0} - c:\windows\intel\baiduc.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mExplorerRun: [user] c:\windows\winshell..\daemon.exe
mExplorerRun: [mysys] c:\documents and settings\all users\application data\microsoft\crypto\gdi.exe
mExplorerRun: [windows] c:\windows\winshell..\daemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: 添加到QQ表情 - c:\program files\qq\africa2003\AddEmotion.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\firefox\profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 acpidisk;acpidisk;c:\windows\system32\drivers\acpidisk.sys [2009-5-1 156036]
R2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2009-2-1 121860]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 RasServer;System Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
S3 JRICH;JRICH;c:\windows\system32\drivers\jrich.sys --> c:\windows\system32\drivers\JRICH.sys [?]
S3 ksns;ksns;\??\c:\windows\fonts\ksns.sys --> c:\windows\fonts\ksns.sys [?]
S3 myprotector;myprotector;c:\windows\battc.sys [2009-2-16 69888]
S3 npkycryp;npkycryp;\??\c:\program files\qq\africa2003\npkycryp.sys --> c:\program files\qq\africa2003\npkycryp.sys [?]
S3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\drivers\GC75.sys [2006-11-23 39296]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-05-01 19:47 156,036 a------- c:\windows\system32\drivers\acpidisk.sys
2009-04-30 15:26 <DIR> --d----- c:\documents and settings\me\.thumbnails
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gimp-2.6
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gegl-0.0
2009-04-30 15:24 <DIR> --d----- c:\program files\GIMP-2.0
2009-04-29 17:11 <DIR> --d----- c:\documents and settings\me\.rainlendar2
2009-04-29 17:11 <DIR> --d----- c:\program files\Rainlendar2
2009-04-27 01:49 1,571,687 a------- c:\windows\system32\9158AVCore.dll
2009-04-27 01:49 196,608 a------- c:\windows\system32\ACore.dll
2009-04-27 01:49 188,416 a------- c:\windows\system32\DDVClient.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCtrlLib.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCommon.dll
2009-04-27 01:49 122,880 a------- c:\windows\system32\AVModule.dll
2009-04-27 01:49 <DIR> --d----- c:\program files\DuoDuoVideoGame
2009-04-21 16:34 <DIR> --d----- c:\program files\common files\PushWare
2009-04-21 15:54 32 a------- c:\windows\system32\mprmsgse.axz
2009-04-20 17:22 2,560 a------- c:\windows\system32\mscpx32r.det
2009-04-15 04:24 <DIR> --d----- C:\~1
2009-04-14 20:35 <DIR> --d----- C:\pebuilder3110a

==================== Find3M ====================

2009-04-05 16:57 40,960 a------- c:\windows\guid.exe
2009-03-24 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 19:26 70,391 a------- C:\MGlogs.zip
2009-03-22 17:01 1,339,834 a------- C:\MGtools.exe
2009-03-22 16:40 22,249 a------- c:\windows\system32\somspring.dat
2009-03-21 02:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-03-05 14:47 90,112 a--shr-- c:\windows\system32\uoxxyyui.dll
2009-02-21 02:52 388,096 ---s---- c:\windows\system32\MSPolicyAgent.dll
2009-02-16 14:42 69,888 a------- c:\windows\battc.sys
2008-03-10 10:41 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-10-23 18:02 57,080 a------- c:\docume~1\me\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:44:48.75 ===============


#4 fenzodahl512


Posted 02 May 2009 - 11:14 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[two screenshots showing the download being renamed to Combo-Fix]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 afuhz


Posted 03 May 2009 - 02:23 AM

Here is the ComboFix log. I still can't get to Microsoft.com or other sites.

ComboFix 09-05-02.4 - me 05/03/2009 15:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.651 [GMT 8:00]
Running from: c:\documents and settings\me\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\PushWare
c:\program files\Common Files\PushWare\cpush.dll
c:\program files\Common Files\PushWare\cpush0.dll
c:\program files\Common Files\PushWare\Uninst.exe
c:\windows\Intel\baiduc.dll
c:\windows\KB611311.log
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mprmsgse.axz
c:\windows\system32\mscpx32r.det
c:\windows\TEMP\~myB.tmp
c:\windows\Temp\20090416.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK


((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-04-30 15:21 . 2009-04-30 15:21 -------- d-----w c:\program files\QuickTime
2009-04-30 07:27 . 2009-04-30 17:06 -------- d-----w c:\documents and settings\me\Application Data\gtk-2.0
2009-04-30 07:26 . 2009-04-30 07:26 -------- d-----w c:\documents and settings\me\.thumbnails
2009-04-30 07:25 . 2009-05-03 05:59 -------- d-----w c:\documents and settings\me\.gimp-2.6
2009-04-30 07:25 . 2009-04-30 07:25 -------- d-----w c:\documents and settings\me\.gegl-0.0
2009-04-30 07:24 . 2009-04-30 07:24 -------- d-----w c:\program files\GIMP-2.0
2009-04-29 09:11 . 2009-04-29 09:16 -------- d-----w c:\documents and settings\me\.rainlendar2
2009-04-29 09:11 . 2009-04-29 09:11 -------- d-----w c:\program files\Rainlendar2
2009-04-26 17:49 . 2005-10-18 04:25 1571687 ----a-w c:\windows\system32\9158AVCore.dll
2009-04-26 17:49 . 2008-08-26 05:32 196608 ----a-w c:\windows\system32\ACore.dll
2009-04-26 17:49 . 2008-08-26 05:31 122880 ----a-w c:\windows\system32\AVModule.dll
2009-04-26 17:49 . 2009-03-22 08:26 188416 ----a-w c:\windows\system32\DDVClient.dll
2009-04-26 17:49 . 2009-03-22 08:17 143360 ----a-w c:\windows\system32\DDVCommon.dll
2009-04-26 17:49 . 2009-03-22 08:20 143360 ----a-w c:\windows\system32\DDVCtrlLib.dll
2009-04-26 17:49 . 2009-04-26 17:49 -------- d-----w c:\program files\DuoDuoVideoGame
2009-04-14 20:24 . 2009-04-14 20:24 -------- d-----w C:\~1
2009-04-14 12:35 . 2009-04-14 12:57 -------- d-----w C:\pebuilder3110a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 07:11 . 2004-08-11 23:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 06:17 . 2008-12-30 11:46 914 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
2009-05-02 05:19 . 2006-08-04 18:52 -------- d-----w c:\program files\Wenlin3
2009-05-01 11:16 . 2009-03-22 08:15 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-20 09:47 . 2008-12-03 06:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-05 08:57 . 2009-03-18 04:09 40960 ----a-w c:\windows\guid.exe
2009-04-01 03:07 . 2009-02-12 06:00 2 ----a-w c:\windows\sysinfo.tmp
2009-03-24 02:42 . 2008-12-04 07:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 17:12 . 2009-03-22 17:12 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-22 11:26 . 2009-03-22 11:25 70391 ----a-w C:\MGlogs.zip
2009-03-22 10:25 . 2009-03-22 10:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 10:17 . 2009-02-05 03:49 506 ----a-w c:\windows\system32\romarshal.dat
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 09:01 . 2009-03-22 09:01 1339834 ----a-w C:\MGtools.exe
2009-03-22 08:42 . 2009-03-22 08:42 -------- d-----w c:\program files\CCleaner
2009-03-22 08:40 . 2009-02-05 03:49 22249 ----a-w c:\windows\system32\somspring.dat
2009-03-22 08:10 . 2008-12-04 06:57 -------- d-----w c:\program files\a-squared Free
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-11 11:48 . 2009-03-11 11:48 -------- d-----w c:\program files\CDBurnerXP
2009-03-05 06:47 . 2009-03-05 06:47 90112 --sha-r c:\windows\system32\uoxxyyui.dll
2009-02-20 18:52 . 2009-02-20 18:52 6 ----a-w c:\windows\system32\types.tmp
2009-02-20 18:52 . 2009-02-20 18:52 388096 --s---w c:\windows\system32\MSPolicyAgent.dll
2009-02-16 06:42 . 2009-02-16 06:42 69888 ----a-w c:\windows\battc.sys
2009-02-11 02:19 . 2009-03-22 10:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 . 2009-03-22 10:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-04 06:59 . 2009-01-31 23:35 121860 ----a-w c:\windows\system32\drivers\pnpmem.sys
2009-03-22 18:43 . 2009-03-22 18:43 163840 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2007-02-27 01:40 . 2007-02-27 01:40 45056 ----a-w c:\program files\mozilla firefox\components\QQDownloadFFH.dll
2006-07-27 00:28 . 2005-12-18 21:35 104 --sh--r c:\windows\system32\7DCB17FB20.sys
2006-07-27 00:28 . 2005-12-18 21:35 4704 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-29 133104]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-06 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-31 286720]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 57344]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-30 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"user"="c:\windows\WinShell..\daemon.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\guid.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 03:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=c:\windows\guid.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Livestation"=c:\program files\Livestation\Livestation.exe -startup
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"TudouVAStart"=c:\program files\Tudou\??Tudou\TudouVa.exe
"WangWang"="c:\program files\Alisoft\WangWang\WangWang.exe"
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQ.exe"=
"c:\\Program Files\\QQ\\Africa2003\\ChatRoom.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QZone\\Qzone.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQUpdateCenter.exe"=
"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPetAgent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QzoneMusic.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChatUp.exe"=
"c:\\Program Files\\Tudou\\??Tudou\\TudouVa.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChat.exe"=
"c:\\Documents and Settings\\me\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQDoctor\\QQDoctor.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Alisoft\\WangWang\\WangWang.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54582:TCP"= 54582:TCP:DefenderPLA 64Reports
"65319:UDP"= 65319:UDP:DefenderPLA AgentAssemblies
"52420:TCP"= 52420:TCP:DefenderPLA BootOffline
"44122:UDP"= 44122:UDP:DefenderPLA DefinitionsNET

R2 RasServer;System Image;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 JRICH;JRICH; [x]
R3 ksns;ksns; [x]
R3 myprotector;myprotector;c:\windows\battc.sys [2009-02-16 69888]
R3 npkycryp;npkycryp; [x]
R3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\DRIVERS\GC75.sys [2003-01-27 39296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2009-02-04 121860]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
MSPolicyAgent REG_MULTI_SZ MSPolicyAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RasServer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a4e7b14-98a0-11dc-a4ff-0013cec3b0a3}]
\Shell\Auto\command - H:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44faea87-37a7-11dd-a5c6-0013cec3b0a3}]
\Shell\Auto\command - J:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44faea88-37a7-11dd-a5c6-0013cec3b0a3}]
\Shell\Auto\command - K:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46a97064-2018-11db-a340-00038a000015}]
\Shell\Auto\command - E:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bb7a387-980e-11dc-a4fc-0013cec3b0a3}]
\Shell\1\Command - e:\runaut~1\autorun.pif
\Shell\2\Command - e:\runaut~1\autorun.pif
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6607700d-6fd7-11dc-a4d7-0013cec3b0a3}]
\Shell\1\Command - RUNAUT~1\autorun.pif
\Shell\2\Command - RUNAUT~1\autorun.pif
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6607700e-6fd7-11dc-a4d7-0013cec3b0a3}]
\Shell\1\Command - RUNAUT~1\autorun.pif
\Shell\2\Command - RUNAUT~1\autorun.pif
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bd4fbec-dbc1-11dc-a54b-0013cec3b0a3}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77ca048e-34fa-11dc-a48a-0013cec3b0a3}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{790c3c8c-7d43-11db-a3f6-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e403ca2-8b75-11dc-a4f1-0013cec3b0a3}]
\Shell\1\Command - e:\runaut~1\autorun.pif
\Shell\2\Command - e:\runaut~1\autorun.pif
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97db277a-6475-11dd-a60a-0013cec3b0a3}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e42c22-66c8-11dc-a4d0-0013cec3b0a3}]
\Shell\AutoRun\command - e:\programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d778ed80-5a7d-11db-a3a6-00038a000015}]
\shell\verb1\command - desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb46f5e0-e041-11dc-a550-0013cec3b0a3}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
- c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-29 08:27]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-windows - c:\windows\WinShell..\daemon.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\QQ\Africa2003\AddEmotion.htm
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
user = c:\windows\WinShell..\daemon.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
windows = c:\windows\WinShell..\daemon.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Internet Explorer\MenuExt\ûm R0RQ*Q*hˆÅ`]
@="c:\\Program Files\\QQ\\Africa2003\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithList]
@Class="Shell"
"a"="FIREFOX.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithProgids]
"???_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\.*Í‘}T
T]
@="???_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\Í‘}T
T_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="c:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\8*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\h*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\x*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*7*I*I*ck_Hr\Components\SectionQQ]
"Installed"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\syslib .dll

- - - - - - - > 'explorer.exe'(868)
c:\program files\Internet Explorer\icwres.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\WinShell.\daemon.exe
c:\windows\WinShell.\daemon.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-05-03 15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 07:17
ComboFix2.txt 2009-03-22 19:34
ComboFix3.txt 2009-03-22 16:40
ComboFix4.txt 2009-03-22 11:19
ComboFix5.txt 2009-05-03 07:04

Pre-Run: 4,555,239,424 bytes free
Post-Run: 4,653,490,176 bytes free

348 --- E O F --- 2008-06-13 19:02

#6 fenzodahl512 (Members, 6,738 posts)

Posted 03 May 2009 - 02:58 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
JRICH
ksns

File::
c:\windows\guid.exe
c:\windows\sysinfo.tmp
c:\windows\system32\uoxxyyui.dll
c:\windows\system32\types.tmp
c:\windows\WinShell..\daemon.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"user"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a4e7b14-98a0-11dc-a4ff-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44faea87-37a7-11dd-a5c6-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44faea88-37a7-11dd-a5c6-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46a97064-2018-11db-a340-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bb7a387-980e-11dc-a4fc-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6607700d-6fd7-11dc-a4d7-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6607700e-6fd7-11dc-a4d7-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bd4fbec-dbc1-11dc-a54b-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77ca048e-34fa-11dc-a48a-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{790c3c8c-7d43-11db-a3f6-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e403ca2-8b75-11dc-a4f1-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97db277a-6475-11dd-a60a-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e42c22-66c8-11dc-a4d0-0013cec3b0a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d778ed80-5a7d-11db-a3a6-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb46f5e0-e041-11dc-a550-0013cec3b0a3}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(the drag-and-drop animation is not reproduced here)


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

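The log above shows several classic Windows XP persistence and autorun points at once: an extra program appended to Winlogon's Userinit value, a "load" value under HKCU\...\Windows NT\CurrentVersion\Windows, an entry under Policies\Explorer\Run, a service (RasServer) whose image is svchost.exe, drivers (JRICH, ksns) whose files are gone, and per-device MountPoints2 keys whose Shell\AutoRun command launches setup.exe or autorun.pif when the drive is opened. The CFScript in the post above undoes exactly those. The Python script below is an added example written for this page, not code posted in the thread or shipped with ComboFix: it parses the relevant sections of a ComboFix log in this format, flags those indicators, and drafts the matching File:: and Registry:: lines of a CFScript for a human to review. The sample input is an excerpt assembled from the log above; the line patterns it matches are assumptions drawn from that log's format, and it deliberately does not draft a Driver:: section, because a driver entry with a missing file can also be the leftover of a legitimately uninstalled product (npkycryp is in the same state in the log and was left alone).

```python
import re
from dataclasses import dataclass

# Sample input assembled from lines of the ComboFix log above (not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"user"="c:\windows\WinShell..\daemon.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\guid.exe,"

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=c:\windows\guid.exe

R2 RasServer;System Image;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 JRICH;JRICH; [x]
R3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\DRIVERS\GC75.sys [2003-01-27 39296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a4e7b14-98a0-11dc-a4ff-0013cec3b0a3}]
\Shell\Auto\command - H:\setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
"""

# Line shapes assumed from the log format above (hypothetical, not a ComboFix spec).
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
MOUNT_CMD_RE = re.compile(r"^\\Shell\\[^ ]+\\command - (?P<cmd>.+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
ANNOTATION_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # trailing " [BU]", " [date size]" or " [x]"
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"  # the only entry XP should carry here


@dataclass
class Finding:
    kind: str      # which persistence mechanism
    location: str  # registry key or service name
    detail: str    # path, command or "name=value"


def clean_value(raw):
    """Strip ComboFix's trailing annotation and surrounding quotes from a value."""
    raw = ANNOTATION_RE.sub("", raw.strip())
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw


def analyze(log_text):
    """Walk the log once, tracking the current [key], and collect findings in log order."""
    findings, section = [], ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section = m.group("key")
            continue
        if m := SERVICE_RE.match(line):
            image = clean_value(m.group("image"))
            if not image:  # ComboFix prints " [x]" when the driver/service file is gone
                findings.append(Finding("service-missing-file", m.group("name"), "no file on disk"))
            elif image.lower().endswith("\\svchost.exe"):
                # a service whose image is svchost.exe runs its real code from a ServiceDll
                findings.append(Finding("service-svchost-host", m.group("name"), image))
            continue
        low = section.lower()
        if "mountpoints2" in low:
            if m := MOUNT_CMD_RE.match(line):  # Shell\AutoRun\command etc. on a removable drive
                findings.append(Finding("mountpoint-autorun", section, m.group("cmd")))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, value = m.group("name"), clean_value(m.group("value"))
        if low.endswith("\\winlogon") and name.lower() == "userinit":
            parts = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in parts if p.lower() != LEGIT_USERINIT]
            if extra:  # anything besides userinit.exe here runs at every interactive logon
                findings.append(Finding("userinit-hijack", section, ";".join(extra)))
        elif low.endswith("\\currentversion\\windows") and name.lower() in ("load", "run") and value:
            findings.append(Finding("win-ini-load", section, f"{name}={value}"))
        elif low.endswith("\\policies\\explorer\\run"):
            findings.append(Finding("policies-run", section, f"{name}={value}"))
    return findings


def draft_cfscript(findings):
    """Draft File:: and Registry:: sections from the findings; a human reviews before use."""
    files, registry, deleted = [], [], []
    for f in findings:
        if f.kind == "userinit-hijack":
            registry += [f"[{f.location}]", f'"Userinit"="{LEGIT_USERINIT}"']
            files += f.detail.split(";")
        elif f.kind in ("win-ini-load", "policies-run"):
            name, _, path = f.detail.partition("=")
            registry += [f"[{f.location}]", f'"{name}"=-']
            files.append(path)
        elif f.kind == "mountpoint-autorun" and f"[-{f.location}]" not in deleted:
            deleted.append(f"[-{f.location}]")  # leading '-' deletes the whole key
    lines = ["KillAll::", ""]
    if files:
        lines += ["File::", *sorted(set(files)), ""]
    lines += ["Registry::", *registry, *deleted]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:22} {f.location}  ->  {f.detail}")
    print()
    print(draft_cfscript(found))
```

Run it against a saved ComboFix.txt by passing the file's contents to `analyze()`. The service check only reports; deciding whether an `[x]` driver goes into Driver:: is a judgement call (the helper removed JRICH and ksns but not npkycryp), which is why the draft leaves that section out.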


#7 afuhz (Topic Starter, Members, 13 posts)

Posted 03 May 2009 - 11:52 AM

Did that, and it appears I can get to microsoft.com now, so that's good. Here are the logs:

Combofix

ComboFix 09-05-02.4 - me 05/04/2009 0:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.618 [GMT 8:00]
Running from: c:\documents and settings\me\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt

FILE ::
c:\windows\guid.exe
c:\windows\sysinfo.tmp
c:\windows\system32\types.tmp
c:\windows\system32\uoxxyyui.dll
c:\windows\WinShell..\daemon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\guid.exe
c:\windows\Intel\baiduc.dll
c:\windows\sysinfo.tmp
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mprmsgse.axz
c:\windows\system32\mscpx32r.det
c:\windows\system32\types.tmp
c:\windows\system32\uoxxyyui.dll
c:\windows\TEMP\~my16.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_KSNS
-------\Service_acpidisk
-------\Service_JRICH
-------\Service_ksns
-------\Legacy_RasServer
-------\Service_RasServer


((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-04-30 15:21 . 2009-04-30 15:21 -------- d-----w c:\program files\QuickTime
2009-04-30 07:27 . 2009-04-30 17:06 -------- d-----w c:\documents and settings\me\Application Data\gtk-2.0
2009-04-30 07:26 . 2009-04-30 07:26 -------- d-----w c:\documents and settings\me\.thumbnails
2009-04-30 07:25 . 2009-05-03 05:59 -------- d-----w c:\documents and settings\me\.gimp-2.6
2009-04-30 07:25 . 2009-04-30 07:25 -------- d-----w c:\documents and settings\me\.gegl-0.0
2009-04-30 07:24 . 2009-04-30 07:24 -------- d-----w c:\program files\GIMP-2.0
2009-04-29 09:11 . 2009-04-29 09:16 -------- d-----w c:\documents and settings\me\.rainlendar2
2009-04-29 09:11 . 2009-04-29 09:11 -------- d-----w c:\program files\Rainlendar2
2009-04-26 17:49 . 2005-10-18 04:25 1571687 ----a-w c:\windows\system32\9158AVCore.dll
2009-04-26 17:49 . 2008-08-26 05:32 196608 ----a-w c:\windows\system32\ACore.dll
2009-04-26 17:49 . 2008-08-26 05:31 122880 ----a-w c:\windows\system32\AVModule.dll
2009-04-26 17:49 . 2009-03-22 08:26 188416 ----a-w c:\windows\system32\DDVClient.dll
2009-04-26 17:49 . 2009-03-22 08:17 143360 ----a-w c:\windows\system32\DDVCommon.dll
2009-04-26 17:49 . 2009-03-22 08:20 143360 ----a-w c:\windows\system32\DDVCtrlLib.dll
2009-04-26 17:49 . 2009-04-26 17:49 -------- d-----w c:\program files\DuoDuoVideoGame
2009-04-14 20:24 . 2009-04-14 20:24 -------- d-----w C:\~1
2009-04-14 12:35 . 2009-04-14 12:57 -------- d-----w C:\pebuilder3110a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 16:35 . 2004-08-11 23:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 16:00 . 2008-12-30 11:46 914 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
2009-05-02 05:19 . 2006-08-04 18:52 -------- d-----w c:\program files\Wenlin3
2009-05-01 11:16 . 2009-03-22 08:15 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-20 09:47 . 2008-12-03 06:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 02:42 . 2008-12-04 07:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 17:12 . 2009-03-22 17:12 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-22 11:26 . 2009-03-22 11:25 70391 ----a-w C:\MGlogs.zip
2009-03-22 10:25 . 2009-03-22 10:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 10:17 . 2009-02-05 03:49 506 ----a-w c:\windows\system32\romarshal.dat
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 09:01 . 2009-03-22 09:01 1339834 ----a-w C:\MGtools.exe
2009-03-22 08:42 . 2009-03-22 08:42 -------- d-----w c:\program files\CCleaner
2009-03-22 08:40 . 2009-02-05 03:49 22249 ----a-w c:\windows\system32\somspring.dat
2009-03-22 08:10 . 2008-12-04 06:57 -------- d-----w c:\program files\a-squared Free
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-11 11:48 . 2009-03-11 11:48 -------- d-----w c:\program files\CDBurnerXP
2009-02-20 18:52 . 2009-02-20 18:52 388096 --s---w c:\windows\system32\MSPolicyAgent.dll
2009-02-16 06:42 . 2009-02-16 06:42 69888 ----a-w c:\windows\battc.sys
2009-02-11 02:19 . 2009-03-22 10:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 . 2009-03-22 10:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-04 06:59 . 2009-01-31 23:35 121860 ----a-w c:\windows\system32\drivers\pnpmem.sys
2009-03-22 18:43 . 2009-03-22 18:43 163840 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2007-02-27 01:40 . 2007-02-27 01:40 45056 ----a-w c:\program files\mozilla firefox\components\QQDownloadFFH.dll
2006-07-27 00:28 . 2005-12-18 21:35 104 --sh--r c:\windows\system32\7DCB17FB20.sys
2006-07-27 00:28 . 2005-12-18 21:35 4704 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-03_07.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 16:36 . 2009-05-03 16:36 16384 c:\windows\temp\Perflib_Perfdata_c04.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-29 133104]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-06 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-31 286720]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 57344]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-30 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"windows"="c:\windows\WinShell..\daemon.exe" [BU]
"user"="c:\windows\WinShell..\daemon.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 03:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Livestation"=c:\program files\Livestation\Livestation.exe -startup
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"TudouVAStart"=c:\program files\Tudou\??Tudou\TudouVa.exe
"WangWang"="c:\program files\Alisoft\WangWang\WangWang.exe"
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQ.exe"=
"c:\\Program Files\\QQ\\Africa2003\\ChatRoom.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QZone\\Qzone.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQUpdateCenter.exe"=
"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPetAgent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QzoneMusic.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChatUp.exe"=
"c:\\Program Files\\Tudou\\??Tudou\\TudouVa.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChat.exe"=
"c:\\Documents and Settings\\me\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQDoctor\\QQDoctor.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Alisoft\\WangWang\\WangWang.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54582:TCP"= 54582:TCP:DefenderPLA 64Reports
"65319:UDP"= 65319:UDP:DefenderPLA AgentAssemblies
"52420:TCP"= 52420:TCP:DefenderPLA BootOffline
"44122:UDP"= 44122:UDP:DefenderPLA DefinitionsNET
"50278:TCP"= 50278:TCP:DefenderPLA 64Files
"37033:UDP"= 37033:UDP:DefenderPLA ShellSetup
"55911:TCP"= 55911:TCP:DefenderPLA BuildPrefetch
"62139:UDP"= 62139:UDP:DefenderPLA tmpOffline

R2 RasServer;System Image;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 myprotector;myprotector;c:\windows\battc.sys [2009-02-16 69888]
R3 npkycryp;npkycryp; [x]
R3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\DRIVERS\GC75.sys [2003-01-27 39296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2009-02-04 121860]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - RASSERVER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
MSPolicyAgent REG_MULTI_SZ MSPolicyAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RasServer
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
- c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-29 08:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\QQ\Africa2003\AddEmotion.htm
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 00:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
windows = c:\windows\WinShell..\daemon.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
user = c:\windows\WinShell..\daemon.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Internet Explorer\MenuExt\ûm R0RQ*Q*hˆÅ`]
@="c:\\Program Files\\QQ\\Africa2003\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithList]
@Class="Shell"
"a"="FIREFOX.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithProgids]
"???_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\.*Í‘}T
T]
@="???_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\Í‘}T
T_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="c:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\8*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\h*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\x*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*7*I*I*ck_Hr\Components\SectionQQ]
"Installed"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\syslib .dll

- - - - - - - > 'explorer.exe'(2696)
c:\program files\Internet Explorer\PLUGINS\icwres.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\WinShell.\daemon.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-03 0:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 16:41
ComboFix2.txt 2009-05-03 07:18
ComboFix3.txt 2009-03-22 19:34
ComboFix4.txt 2009-03-22 16:40
ComboFix5.txt 2009-05-03 16:25

Pre-Run: 4,627,329,024 bytes free
Post-Run: 4,623,876,096 bytes free

307 --- E O F --- 2008-06-13 19:02


Hijack this


DDS (Ver_09-03-16.01) - NTFSx86
Run by me at 0:48:18.82 on Mon 05/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.618 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\WinShell.\daemon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Info cache: {296ab8c6-fb22-4d17-8834-064e2ba0a6f0} - c:\windows\intel\baiduc.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mExplorerRun: [windows] c:\windows\winshell..\daemon.exe
mExplorerRun: [user] c:\windows\winshell..\daemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\qq\africa2003\AddEmotion.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\firefox\profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2009-2-1 121860]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 RasServer;System Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
S3 myprotector;myprotector;c:\windows\battc.sys [2009-2-16 69888]
S3 npkycryp;npkycryp;\??\c:\program files\qq\africa2003\npkycryp.sys --> c:\program files\qq\africa2003\npkycryp.sys [?]
S3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\drivers\GC75.sys [2006-11-23 39296]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-05-04 00:46 2,560 a------- c:\windows\system32\mscpx32r.det
2009-05-04 00:41 2 a------- c:\windows\sysinfo.tmp
2009-04-30 15:26 <DIR> --d----- c:\documents and settings\me\.thumbnails
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gimp-2.6
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gegl-0.0
2009-04-30 15:24 <DIR> --d----- c:\program files\GIMP-2.0
2009-04-29 17:11 <DIR> --d----- c:\documents and settings\me\.rainlendar2
2009-04-29 17:11 <DIR> --d----- c:\program files\Rainlendar2
2009-04-27 01:49 1,571,687 a------- c:\windows\system32\9158AVCore.dll
2009-04-27 01:49 196,608 a------- c:\windows\system32\ACore.dll
2009-04-27 01:49 188,416 a------- c:\windows\system32\DDVClient.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCtrlLib.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCommon.dll
2009-04-27 01:49 122,880 a------- c:\windows\system32\AVModule.dll
2009-04-27 01:49 <DIR> --d----- c:\program files\DuoDuoVideoGame
2009-04-15 04:24 <DIR> --d----- C:\~1
2009-04-14 20:35 <DIR> --d----- C:\pebuilder3110a

==================== Find3M ====================

2009-03-24 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 19:26 70,391 a------- C:\MGlogs.zip
2009-03-22 17:01 1,339,834 a------- C:\MGtools.exe
2009-03-22 16:40 22,249 a------- c:\windows\system32\somspring.dat
2009-03-21 02:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-02-21 02:52 388,096 ---s---- c:\windows\system32\MSPolicyAgent.dll
2009-02-16 14:42 69,888 a------- c:\windows\battc.sys
2008-03-10 10:41 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-10-23 18:02 57,080 a------- c:\docume~1\me\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 0:48:42.18 ===============

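The DDS and ComboFix logs above show where this infection announces itself in the autorun data: `Policies\Explorer\Run` values pointing at `c:\windows\winshell..\daemon.exe` (a directory name ending in dots, which ordinary Win32 path handling strips, so Explorer and cmd.exe cannot open or delete it), a module named `syslib .dll` with a space before the extension, and executables sitting directly in `c:\windows`. The Python script below is an added example for this thread, not code from DDS, ComboFix or BleepingComputer; it runs those path heuristics over a constructed sample of DDS-style lines modelled on the log above and lists the entries an analyst should look at first. The `%windir%` heuristic is a prompt for review, not a verdict: legitimate driver and webcam utilities sometimes install there too.

```python
"""Triage DDS-style autorun and module lines for path tricks.

Added example for this thread, not code from DDS, ComboFix or BleepingComputer.
It reads lines in the "uRun: [name] command" format the DDS log uses, plus bare
"c:\\..." lines such as the "DLLs Loaded" section, and reports entries whose
paths show patterns worth a closer look.
"""
import re
from typing import List, Tuple

# DDS writes autorun entries as "<key>: [<name>] <command>"; the command may be
# quoted and may carry arguments (e.g. "/SYNC" or "-atboottime").
_ENTRY_RE = re.compile(r'^(?P<key>[A-Za-z]+Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
_BARE_PATH_RE = re.compile(r'^[A-Za-z]:\\')
_EXT_RE = re.compile(r'\.(exe|dll|sys|scr|com|bat|cmd|pif)$', re.IGNORECASE)

# Constructed sample modelled on the DDS log in this thread (not a verbatim copy).
SAMPLE_LOG = r"""
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mExplorerRun: [windows] c:\windows\winshell..\daemon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\syslib .dll
"""


def split_command(cmd: str) -> str:
    """Return the executable path from a command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted DDS paths may themselves contain spaces ("c:\program files\..."),
    # so grow the candidate token by token until it ends in a known extension.
    tokens = cmd.split(' ')
    for i in range(len(tokens)):
        candidate = ' '.join(tokens[:i + 1])
        if _EXT_RE.search(candidate):
            return candidate
    return cmd


def suspicious_reasons(key: str, path: str) -> List[str]:
    """Path heuristics; each hit is a reason string, an empty list means 'nothing odd'."""
    reasons: List[str] = []
    parts = path.replace('/', '\\').split('\\')
    dirs, filename = parts[:-1], parts[-1]
    # 1. Win32 path normalisation strips trailing dots and spaces from a name, so a
    #    directory literally called "winshell.." is unreachable for Explorer, cmd.exe
    #    and most tools; only native NT paths get at it, which is why malware uses it.
    if any(d.endswith('.') or d.endswith(' ') for d in dirs if d):
        reasons.append('directory name ends with "." or " " (unreachable via normal Win32 paths)')
    # 2. A space right before the extension ("syslib .dll") is not how installers name
    #    binaries and defeats exact-name matching against known-good lists.
    if re.search(r'\s\.[A-Za-z0-9]+$', filename):
        reasons.append('whitespace before file extension')
    # 3. Binaries launched straight from the Windows directory root or a temp folder
    #    are unusual for installed software and deserve a look.
    lower = path.lower()
    if re.match(r'^[a-z]:\\windows\\[^\\]+$', lower) or '\\temp\\' in lower:
        reasons.append('binary directly in %windir% root or a temp folder')
    # 4. Policies\Explorer\Run (DDS prefix "mExplorerRun"/"uExplorerRun") is an autorun
    #    location almost never used by legitimate software.
    if key.lower().endswith('explorerrun'):
        reasons.append('loaded from Policies\\Explorer\\Run')
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every line that triggers at least one heuristic."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if m:
            key, name, cmd = m.group('key'), m.group('name'), m.group('cmd')
        elif _BARE_PATH_RE.match(line):
            key, name, cmd = '', '', line
        else:
            continue  # headers, blank lines and other DDS sections
        path = split_command(cmd)
        reasons = suspicious_reasons(key, path)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        label = f"[{name}] " if name else ""
        print(f"{label}{path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the constructed sample it reports three entries: `ZSSnp211.exe` (Windows root only), `winshell..\daemon.exe` (trailing-dot directory and the Policies\Explorer\Run location) and `syslib .dll` (space before the extension); the SUPERAntiSpyware, IME and ctfmon lines pass. To use it on a real DDS log, read the file and pass its text to `triage` instead of `SAMPLE_LOG`.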
#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 03 May 2009 - 01:35 PM

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\drivers\pnpmem.sys
      c:\windows\winshell..\daemon.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirSCAN.org server is too busy, please submit the file to VirusTotal instead.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 afuhz

afuhz
  • Topic Starter

  • Members
  • 13 posts

Posted 03 May 2009 - 11:24 PM

VirSCAN.org Scanned Report :
Scanned time : 2009/05/04 12:07:08 (CST)
Scanner results: 47% Scanner(18/38) found malware!
File Name : pnpmem.sys
File Size : 121860 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 3abc858dfd7976fe48e602abe20d51e3
SHA1 : 617649c32dd781d232665f1a13f3d8b9629187d6
Online report : http://virscan.org/report/470f0332c0f0fc5b...f2589abd6a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090504063155 2009-05-04 9.81 Virus.Win32.Cinmus.J!IK
AhnLab V3 2009.05.03.00 2009.05.03 2009-05-03 4.63 -
AntiVir 7.9.0.160 7.1.3.143 2009-05-03 2.03 TR/Rootkit.Gen
Antiy 2.0.18 20090503.2333071 2009-05-03 0.02 -
Arcavir 2009 200905021130 2009-05-02 0.07 -
Authentium 5.1.1 200905032011 2009-05-03 1.12 W32/SYStroj.I.gen!Eldorado (Possible)
AVAST! 3.0.1 090503-0 2009-05-03 0.93 Win32:Cinmus-J [Rtk]
AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.04 -
BitDefender 7.81008.2901666 7.25183 2009-05-04 2.70 Trojan.Generic.1411727
CA (VET) 9.0.0.143 31.6.6486 2009-05-02 10.70 -
ClamAV 0.95 9320 2009-05-03 0.02 -
Comodo 3.8 1149 2009-05-03 2.46 -
CP Secure 1.1.0.715 2009.05.03 2009-05-03 9.31 Troj.W32.Agent.adjd
Dr.Web 4.44.0.9170 2009.05.04 2009-05-04 4.65 -
F-Prot 4.4.4.56 20090503 2009-05-03 1.18 W32/SYStroj.I.gen!Eldorado (generic, not disinfectable)
F-Secure 5.51.6100 2009.05.03.03 2009-05-03 0.10 -
Fortinet 2.81-3.117 10.349 2009-05-03 0.73 -
GData 19.5013/19.318 20090504 2009-05-04 14.42 Win32:Cinmus-J [Rtk] [Engine:B]
ViRobot 20090501 2009.05.01 2009-05-01 2.25 -
Ikarus T3.1.01.49 2009.05.03.72666 2009-05-03 2.77 Virus.Win32.Cinmus.J
JiangMin 11.0.706 2009.05.03 2009-05-03 7.70 -
Kaspersky 5.5.10 2009.05.04 2009-05-04 0.09 not-a-virus:AdWare.Win32.Cinmus.aizh
KingSoft 2009.2.5.15 2009.5.4.7 2009-05-04 0.41 Win32.Troj.AgentT.be.145796
McAfee 5.3.00 5604 2009-05-03 2.93 -
Microsoft 1.4602 2009.05.04 2009-05-04 16.64 Trojan:Win32/Cinmus.K
mks_vir 2.01 2009.05.03 2009-05-03 2.75 -
Norman 6.00.06 6.00.00 2009-04-28 4.01 W32/Rootkit.AJJM
Panda 9.05.01 2009.05.02 2009-05-02 11.87 -
Trend Micro 8.700-1004 6.106.01 2009-05-03 0.02 Possible_Movly-1
Quick Heal 10.00 2009.05.02 2009-05-02 3.80 -
Rising 20.0 21.27.41.00 2009-05-01 0.92 RootKit.Win32.DLLDrop.a
Sophos 2.86.0 4.41 2009-05-04 2.28 Mal/Cimuz-F
Sunbelt 5119 5119 2009-05-03 4.13 AdWare.Win32.Cinmus.gen
Symantec 1.3.0.24 20090503.003 2009-05-03 0.25 -
nProtect 20090501.01 3562396 2009-05-01 12.14 -
The Hacker 6.3.4.1 v00318 2009-05-03 2.13 -
VBA32 3.12.10.4 20090503.1052 2009-05-03 1.83 -
VirusBuster 4.5.11.10 10.105.14/1315222 2009-05-03 1.72 Rootkit.Cinmus.Gen.6




VirSCAN.org Scanned Report :
Scanned time : 2009/05/04 12:17:21 (CST)
Scanner results: 71% Scanner(27/38) found malware!
File Name : daemon.exe
File Size : 36864 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e956a830a25b7497cd79230ef83b84c0
SHA1 : 7936f603e5217a7222b09180d6ea1a333d55712f
Online report : http://virscan.org/report/c1ac4906e3d07fdb...cec95caf08.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090504063155 2009-05-04 12.53 Trojan.Win32.Obfuscated!IK
AhnLab V3 2009.05.03.00 2009.05.03 2009-05-03 0.66 -
AntiVir 7.9.0.160 7.1.3.143 2009-05-03 2.06 TR/Dldr.JKLJ.7
Antiy 2.0.18 20090503.2333071 2009-05-03 0.02 -
Arcavir 2009 200905021130 2009-05-02 0.04 Trojan.Obfuscated.Aaoh
Authentium 5.1.1 200905032011 2009-05-03 1.15 -
AVAST! 3.0.1 090503-0 2009-05-03 0.01 Win32:Trojan-gen {Other}
AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.07 Generic12.BMWT
BitDefender 7.81008.2901666 7.25183 2009-05-04 2.69 Trojan.Downloader.JKLJ
CA (VET) 9.0.0.143 31.6.6486 2009-05-02 4.21 -
ClamAV 0.95 9320 2009-05-03 0.02 -
Comodo 3.8 1149 2009-05-03 0.80 TrojWare.Win32.Trojan.Agent.Gen
CP Secure 1.1.0.715 2009.05.03 2009-05-03 8.88 -
Dr.Web 4.44.0.9170 2009.05.04 2009-05-04 4.49 Trojan.DownLoad.30038
F-Prot 4.4.4.56 20090503 2009-05-03 1.13 -
F-Secure 5.51.6100 2009.05.03.03 2009-05-03 3.30 Trojan.Win32.Obfuscated.aaoh [AVP]
Fortinet 2.81-3.117 10.349 2009-05-03 0.23 W32/Obfuscated.AAOH!tr
GData 19.5013/19.318 20090504 2009-05-04 4.33 Trojan.Win32.Obfuscated.aaoh [Engine:A]
ViRobot 20090501 2009.05.01 2009-05-01 0.42 -
Ikarus T3.1.01.49 2009.05.03.72666 2009-05-03 2.76 Trojan.Win32.Obfuscated
JiangMin 11.0.706 2009.05.03 2009-05-03 5.61 Trojan/Obfuscated.dbln
Kaspersky 5.5.10 2009.05.04 2009-05-04 0.04 Trojan.Win32.Obfuscated.aaoh
KingSoft 2009.2.5.15 2009.5.4.7 2009-05-04 2.93 Win32.Troj.Pretend.vi.36864
McAfee 5.3.00 5604 2009-05-03 2.82 Generic.dx
Microsoft 1.4602 2009.05.04 2009-05-04 5.32 Trojan:Win32/Malex.gen!D
mks_vir 2.01 2009.05.03 2009-05-03 2.73 -
Norman 6.00.06 6.00.00 2009-04-28 4.01 W32/Busky.PXFY
Panda 9.05.01 2009.05.02 2009-05-02 4.73 Generic Trojan
Trend Micro 8.700-1004 6.106.01 2009-05-03 0.03 -
Quick Heal 10.00 2009.05.02 2009-05-02 2.33 Trojan.Obfuscated.aaoh
Rising 20.0 21.27.41.00 2009-05-01 1.31 Trojan.Win32.Nodef.azf
Sophos 2.86.0 4.41 2009-05-04 2.21 Mal/PWS-Fam
Sunbelt 5119 5119 2009-05-03 0.67 Trojan.Win32.Obfuscated.aaoh
Symantec 1.3.0.24 20090503.003 2009-05-03 0.07 Infostealer.Gampass
nProtect 20090501.01 3562396 2009-05-01 6.90 Trojan.Downloader.JKLJ
The Hacker 6.3.4.1 v00318 2009-05-03 0.53 Trojan/Obfuscated.aaoh
VBA32 3.12.10.4 20090503.1052 2009-05-03 1.84 Trojan.Win32.Obfuscated.aaoh
VirusBuster 4.5.11.10 10.105.14/1315222 2009-05-03 1.65 -

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 04 May 2009 - 04:13 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
pnpmem

File::
c:\windows\system32\drivers\pnpmem.sys
c:\windows\WinShell..\daemon.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"windows"=-
"user"=-

DirLook::
C:\~1
c:\windows\WinShell..

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.



#11 afuhz

afuhz
  • Topic Starter

  • Members
  • 13 posts

Posted 04 May 2009 - 04:42 AM

Combofix log

ComboFix 09-05-03.3 - me 05/04/2009 17:20.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.628 [GMT 8:00]
Running from: c:\documents and settings\me\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt

FILE ::
c:\windows\system32\drivers\pnpmem.sys
c:\windows\WinShell..\daemon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\PushWare
c:\program files\Common Files\PushWare\cpush.dll
c:\program files\Common Files\PushWare\Uninst.exe
c:\windows\Intel\baiduc.dll
c:\windows\KB611311.log
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\drivers\pnpmem.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mprmsgse.axz
c:\windows\system32\mscpx32r.det
c:\windows\TEMP\~my1.tmp
c:\windows\TEMP\~my1E.tmp
c:\windows\temp\20090416.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_PNPMEM
-------\Service_acpidisk
-------\Service_pnpmem


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-30 15:21 . 2009-04-30 15:21 -------- d-----w c:\program files\QuickTime
2009-04-30 07:27 . 2009-04-30 17:06 -------- d-----w c:\documents and settings\me\Application Data\gtk-2.0
2009-04-30 07:26 . 2009-04-30 07:26 -------- d-----w c:\documents and settings\me\.thumbnails
2009-04-30 07:25 . 2009-05-03 05:59 -------- d-----w c:\documents and settings\me\.gimp-2.6
2009-04-30 07:25 . 2009-04-30 07:25 -------- d-----w c:\documents and settings\me\.gegl-0.0
2009-04-30 07:24 . 2009-04-30 07:24 -------- d-----w c:\program files\GIMP-2.0
2009-04-29 09:11 . 2009-04-29 09:16 -------- d-----w c:\documents and settings\me\.rainlendar2
2009-04-29 09:11 . 2009-04-29 09:11 -------- d-----w c:\program files\Rainlendar2
2009-04-26 17:49 . 2005-10-18 04:25 1571687 ----a-w c:\windows\system32\9158AVCore.dll
2009-04-26 17:49 . 2008-08-26 05:32 196608 ----a-w c:\windows\system32\ACore.dll
2009-04-26 17:49 . 2008-08-26 05:31 122880 ----a-w c:\windows\system32\AVModule.dll
2009-04-26 17:49 . 2009-03-22 08:26 188416 ----a-w c:\windows\system32\DDVClient.dll
2009-04-26 17:49 . 2009-03-22 08:17 143360 ----a-w c:\windows\system32\DDVCommon.dll
2009-04-26 17:49 . 2009-03-22 08:20 143360 ----a-w c:\windows\system32\DDVCtrlLib.dll
2009-04-26 17:49 . 2009-04-26 17:49 -------- d-----w c:\program files\DuoDuoVideoGame
2009-04-14 20:24 . 2009-04-14 20:24 -------- d-----w C:\~1
2009-04-14 12:35 . 2009-04-14 12:57 -------- d-----w C:\pebuilder3110a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 09:28 . 2004-08-11 23:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 08:38 . 2008-12-30 11:46 914 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
2009-05-04 03:58 . 2005-12-18 22:06 -------- d-----w c:\program files\Common Files\Adobe
2009-05-04 03:55 . 2009-05-03 16:41 2 ----a-w c:\windows\sysinfo.tmp
2009-05-03 16:52 . 2005-12-18 21:21 36912 ----a-w c:\documents and settings\me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 05:19 . 2006-08-04 18:52 -------- d-----w c:\program files\Wenlin3
2009-05-01 11:16 . 2009-03-22 08:15 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-20 09:47 . 2008-12-03 06:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 02:42 . 2008-12-04 07:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 17:12 . 2009-03-22 17:12 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-22 11:26 . 2009-03-22 11:25 70391 ----a-w C:\MGlogs.zip
2009-03-22 10:25 . 2009-03-22 10:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 10:17 . 2009-02-05 03:49 506 ----a-w c:\windows\system32\romarshal.dat
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 09:01 . 2009-03-22 09:01 1339834 ----a-w C:\MGtools.exe
2009-03-22 08:42 . 2009-03-22 08:42 -------- d-----w c:\program files\CCleaner
2009-03-22 08:40 . 2009-02-05 03:49 22249 ----a-w c:\windows\system32\somspring.dat
2009-03-22 08:10 . 2008-12-04 06:57 -------- d-----w c:\program files\a-squared Free
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-11 11:48 . 2009-03-11 11:48 -------- d-----w c:\program files\CDBurnerXP
2009-02-20 18:52 . 2009-02-20 18:52 388096 --s---w c:\windows\system32\MSPolicyAgent.dll
2009-02-16 06:42 . 2009-02-16 06:42 69888 ----a-w c:\windows\battc.sys
2009-02-11 02:19 . 2009-03-22 10:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 . 2009-03-22 10:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 18:43 . 2009-03-22 18:43 163840 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2007-02-27 01:40 . 2007-02-27 01:40 45056 ----a-w c:\program files\mozilla firefox\components\QQDownloadFFH.dll
2006-07-27 00:28 . 2005-12-18 21:35 104 --sh--r c:\windows\system32\7DCB17FB20.sys
2006-07-27 00:28 . 2005-12-18 21:35 4704 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\~1 ----


---- Directory of c:\windows\WinShell.. ----

2009-02-10 13:22 . 2009-02-10 13:22 36864 ----a-w c:\windows\WinShell..\daemon.exe


((((((((((((((((((((((((((((( SnapShot@2009-05-03_07.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 09:28 . 2009-05-04 09:28 16384 c:\windows\temp\Perflib_Perfdata_96c.dat
+ 2009-05-04 04:00 . 2009-05-04 04:00 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-29 133104]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-31 286720]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 57344]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-30 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 03:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Livestation"=c:\program files\Livestation\Livestation.exe -startup
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"TudouVAStart"=c:\program files\Tudou\??Tudou\TudouVa.exe
"WangWang"="c:\program files\Alisoft\WangWang\WangWang.exe"
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQ.exe"=
"c:\\Program Files\\QQ\\Africa2003\\ChatRoom.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QZone\\Qzone.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQUpdateCenter.exe"=
"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPetAgent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QzoneMusic.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChatUp.exe"=
"c:\\Program Files\\Tudou\\??Tudou\\TudouVa.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChat.exe"=
"c:\\Documents and Settings\\me\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQDoctor\\QQDoctor.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Alisoft\\WangWang\\WangWang.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54582:TCP"= 54582:TCP:DefenderPLA 64Reports
"65319:UDP"= 65319:UDP:DefenderPLA AgentAssemblies
"52420:TCP"= 52420:TCP:DefenderPLA BootOffline
"44122:UDP"= 44122:UDP:DefenderPLA DefinitionsNET
"50278:TCP"= 50278:TCP:DefenderPLA 64Files
"37033:UDP"= 37033:UDP:DefenderPLA ShellSetup
"55911:TCP"= 55911:TCP:DefenderPLA BuildPrefetch
"62139:UDP"= 62139:UDP:DefenderPLA tmpOffline

R2 RasServer;System Image;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 myprotector;myprotector;c:\windows\battc.sys [2009-02-16 69888]
R3 npkycryp;npkycryp; [x]
R3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\DRIVERS\GC75.sys [2003-01-27 39296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
MSPolicyAgent REG_MULTI_SZ MSPolicyAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RasServer
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
- c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-29 08:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\QQ\Africa2003\AddEmotion.htm
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 17:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasServer]
"ServiceDll"="c:\windows\system32\uoxxyyui.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Internet Explorer\MenuExt\ûm R0RQ*Q*hˆÅ`]
@="c:\\Program Files\\QQ\\Africa2003\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithList]
@Class="Shell"
"a"="FIREFOX.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithProgids]
"???_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\.*Í‘}T
T]
@="???_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\Í‘}T
T_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="c:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\8*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\h*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\x*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*7*I*I*ck_Hr\Components\SectionQQ]
"Installed"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1640)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 09:34
ComboFix2.txt 2009-05-03 16:43
ComboFix3.txt 2009-05-03 07:18
ComboFix4.txt 2009-03-22 19:34
ComboFix5.txt 2009-05-04 09:19

Pre-Run: 4,618,424,320 bytes free
Post-Run: 4,610,269,184 bytes free

301 --- E O F --- 2008-06-13 19:02

Hijack this log


DDS (Ver_09-03-16.01) - NTFSx86
Run by me at 17:39:23.75 on Mon 05/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.633 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\qq\africa2003\AddEmotion.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\firefox\profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 RasServer;System Image;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
S3 myprotector;myprotector;c:\windows\battc.sys [2009-2-16 69888]
S3 npkycryp;npkycryp;\??\c:\program files\qq\africa2003\npkycryp.sys --> c:\program files\qq\africa2003\npkycryp.sys [?]
S3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\drivers\GC75.sys [2006-11-23 39296]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-05-04 17:19 161,792 a------- c:\windows\SWREG.exe
2009-05-04 17:19 98,816 a------- c:\windows\sed.exe
2009-05-04 00:41 2 a------- c:\windows\sysinfo.tmp
2009-04-30 15:26 <DIR> --d----- c:\documents and settings\me\.thumbnails
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gimp-2.6
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gegl-0.0
2009-04-30 15:24 <DIR> --d----- c:\program files\GIMP-2.0
2009-04-29 17:11 <DIR> --d----- c:\documents and settings\me\.rainlendar2
2009-04-29 17:11 <DIR> --d----- c:\program files\Rainlendar2
2009-04-27 01:49 1,571,687 a------- c:\windows\system32\9158AVCore.dll
2009-04-27 01:49 196,608 a------- c:\windows\system32\ACore.dll
2009-04-27 01:49 188,416 a------- c:\windows\system32\DDVClient.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCtrlLib.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCommon.dll
2009-04-27 01:49 122,880 a------- c:\windows\system32\AVModule.dll
2009-04-27 01:49 <DIR> --d----- c:\program files\DuoDuoVideoGame
2009-04-15 04:24 <DIR> --d----- C:\~1
2009-04-14 20:35 <DIR> --d----- C:\pebuilder3110a

==================== Find3M ====================

2009-03-24 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 19:26 70,391 a------- C:\MGlogs.zip
2009-03-22 17:01 1,339,834 a------- C:\MGtools.exe
2009-03-22 16:40 22,249 a------- c:\windows\system32\somspring.dat
2009-03-21 02:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-02-21 02:52 388,096 ---s---- c:\windows\system32\MSPolicyAgent.dll
2009-02-16 14:42 69,888 a------- c:\windows\battc.sys
2008-03-10 10:41 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-10-23 18:02 57,080 a------- c:\docume~1\me\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:39:42.25 ===============

#12 fenzodahl512

  • Members
  • 6,738 posts

Posted 04 May 2009 - 04:49 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
RasServer
MSPolicyAgent

Driver::
RasServer
MSPolicyAgent

Rootkit::
c:\windows\system32\uoxxyyui.dll

File::
c:\windows\system32\uoxxyyui.dll

Folder::
c:\windows\WinShell..

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasServer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"MSPolicyAgent"=-

RegNull::
[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Internet Explorer\MenuExt\ûm R0RQ*Q*hˆÅ`]
[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}TT]
[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
[HKEY_LOCAL_MACHINE\software\Classes\.*Í‘}TT]
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\8*]
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\h*]
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\x*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*7*I*I*ck_Hr\Components\SectionQQ]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 afuhz

  • Topic Starter

  • Members
  • 13 posts

Posted 04 May 2009 - 06:31 AM

Combofix

ComboFix 09-05-03.3 - me 05/04/2009 19:10.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.658 [GMT 8:00]
Running from: c:\documents and settings\me\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt

FILE ::
c:\windows\system32\uoxxyyui.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uoxxyyui.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_RASSERVER
-------\Service_RasServer


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-30 15:21 . 2009-04-30 15:21 -------- d-----w c:\program files\QuickTime
2009-04-30 07:27 . 2009-04-30 17:06 -------- d-----w c:\documents and settings\me\Application Data\gtk-2.0
2009-04-30 07:26 . 2009-04-30 07:26 -------- d-----w c:\documents and settings\me\.thumbnails
2009-04-30 07:25 . 2009-05-03 05:59 -------- d-----w c:\documents and settings\me\.gimp-2.6
2009-04-30 07:25 . 2009-04-30 07:25 -------- d-----w c:\documents and settings\me\.gegl-0.0
2009-04-30 07:24 . 2009-04-30 07:24 -------- d-----w c:\program files\GIMP-2.0
2009-04-29 09:11 . 2009-04-29 09:16 -------- d-----w c:\documents and settings\me\.rainlendar2
2009-04-29 09:11 . 2009-04-29 09:11 -------- d-----w c:\program files\Rainlendar2
2009-04-26 17:49 . 2005-10-18 04:25 1571687 ----a-w c:\windows\system32\9158AVCore.dll
2009-04-26 17:49 . 2008-08-26 05:32 196608 ----a-w c:\windows\system32\ACore.dll
2009-04-26 17:49 . 2008-08-26 05:31 122880 ----a-w c:\windows\system32\AVModule.dll
2009-04-26 17:49 . 2009-03-22 08:26 188416 ----a-w c:\windows\system32\DDVClient.dll
2009-04-26 17:49 . 2009-03-22 08:17 143360 ----a-w c:\windows\system32\DDVCommon.dll
2009-04-26 17:49 . 2009-03-22 08:20 143360 ----a-w c:\windows\system32\DDVCtrlLib.dll
2009-04-26 17:49 . 2009-04-26 17:49 -------- d-----w c:\program files\DuoDuoVideoGame
2009-04-14 20:24 . 2009-04-14 20:24 -------- d-----w C:\~1
2009-04-14 12:35 . 2009-04-14 12:57 -------- d-----w C:\pebuilder3110a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 11:16 . 2004-08-11 23:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 08:38 . 2008-12-30 11:46 914 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
2009-05-04 03:58 . 2005-12-18 22:06 -------- d-----w c:\program files\Common Files\Adobe
2009-05-04 03:55 . 2009-05-03 16:41 2 ----a-w c:\windows\sysinfo.tmp
2009-05-03 16:52 . 2005-12-18 21:21 36912 ----a-w c:\documents and settings\me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 05:19 . 2006-08-04 18:52 -------- d-----w c:\program files\Wenlin3
2009-05-01 11:16 . 2009-03-22 08:15 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-20 09:47 . 2008-12-03 06:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 02:42 . 2008-12-04 07:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 17:12 . 2009-03-22 17:12 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-22 11:26 . 2009-03-22 11:25 70391 ----a-w C:\MGlogs.zip
2009-03-22 10:25 . 2009-03-22 10:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 10:17 . 2009-02-05 03:49 506 ----a-w c:\windows\system32\romarshal.dat
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
2009-03-22 09:04 . 2009-03-22 09:04 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 09:01 . 2009-03-22 09:01 1339834 ----a-w C:\MGtools.exe
2009-03-22 08:42 . 2009-03-22 08:42 -------- d-----w c:\program files\CCleaner
2009-03-22 08:40 . 2009-02-05 03:49 22249 ----a-w c:\windows\system32\somspring.dat
2009-03-22 08:10 . 2008-12-04 06:57 -------- d-----w c:\program files\a-squared Free
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr
2009-03-11 11:48 . 2009-03-11 11:48 -------- d-----w c:\program files\CDBurnerXP
2009-02-20 18:52 . 2009-02-20 18:52 388096 --s---w c:\windows\system32\MSPolicyAgent.dll
2009-02-16 06:42 . 2009-02-16 06:42 69888 ----a-w c:\windows\battc.sys
2009-02-11 02:19 . 2009-03-22 10:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 . 2009-03-22 10:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 18:43 . 2009-03-22 18:43 163840 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2007-02-27 01:40 . 2007-02-27 01:40 45056 ----a-w c:\program files\mozilla firefox\components\QQDownloadFFH.dll
2006-07-27 00:28 . 2005-12-18 21:35 104 --sh--r c:\windows\system32\7DCB17FB20.sys
2006-07-27 00:28 . 2005-12-18 21:35 4704 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-03_07.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 11:16 . 2009-05-04 11:16 16384 c:\windows\temp\Perflib_Perfdata_1ec.dat
+ 2009-05-04 04:00 . 2009-05-04 04:00 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-29 133104]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-31 286720]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 57344]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-30 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 03:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Livestation"=c:\program files\Livestation\Livestation.exe -startup
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"TudouVAStart"=c:\program files\Tudou\??Tudou\TudouVa.exe
"WangWang"="c:\program files\Alisoft\WangWang\WangWang.exe"
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQ.exe"=
"c:\\Program Files\\QQ\\Africa2003\\ChatRoom.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QZone\\Qzone.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQUpdateCenter.exe"=
"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQPet\\QQPetAgent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QzoneMusic.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChatUp.exe"=
"c:\\Program Files\\Tudou\\??Tudou\\TudouVa.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Tencent\\QQChat\\QQChat.exe"=
"c:\\Documents and Settings\\me\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QQ\\Africa2003\\QQDoctor\\QQDoctor.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\me\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Alisoft\\WangWang\\WangWang.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54582:TCP"= 54582:TCP:DefenderPLA 64Reports
"65319:UDP"= 65319:UDP:DefenderPLA AgentAssemblies
"52420:TCP"= 52420:TCP:DefenderPLA BootOffline
"44122:UDP"= 44122:UDP:DefenderPLA DefinitionsNET
"50278:TCP"= 50278:TCP:DefenderPLA 64Files
"37033:UDP"= 37033:UDP:DefenderPLA ShellSetup
"55911:TCP"= 55911:TCP:DefenderPLA BuildPrefetch
"62139:UDP"= 62139:UDP:DefenderPLA tmpOffline

R3 myprotector;myprotector;c:\windows\battc.sys [2009-02-16 69888]
R3 npkycryp;npkycryp; [x]
R3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\DRIVERS\GC75.sys [2003-01-27 39296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-699628355-3258950137-3208839680-1005.job
- c:\documents and settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-29 08:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\QQ\Africa2003\AddEmotion.htm
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Internet Explorer\MenuExt\ûm R0RQ*Q*hˆÅ`]
@="c:\\Program Files\\QQ\\Africa2003\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithList]
@Class="Shell"
"a"="FIREFOX.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Í‘}T
T\OpenWithProgids]
"???_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-699628355-3258950137-3208839680-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\.*Í‘}T
T]
@="???_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\Í‘}T
T_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="c:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*7*I*I*ck_Hr\Components\SectionQQ]
"Installed"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 19:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 11:22
ComboFix2.txt 2009-05-04 09:35
ComboFix3.txt 2009-05-03 16:43
ComboFix4.txt 2009-05-03 07:18
ComboFix5.txt 2009-05-04 11:09

Pre-Run: 4,627,308,544 bytes free
Post-Run: 4,609,748,992 bytes free

268 --- E O F --- 2008-06-13 19:02
Hijack this


DDS (Ver_09-03-16.01) - NTFSx86
Run by me at 19:29:52.26 on Mon 05/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.638 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={9D0E4F53-7C86-40AF-8A61-6CCEFD36025F}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ???QQ?? - c:\program files\qq\africa2003\AddEmotion.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C4DC211B-EDED-4EE1-9821-48E807DAF121} - hxxp://web.chat.qq.com/ocx/QQChatInstaller.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\uhw7h5nc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\components\QQDownloadFFH.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\firefox\profiles\uhw7h5nc.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\me\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 myprotector;myprotector;c:\windows\battc.sys [2009-2-16 69888]
S3 npkycryp;npkycryp;\??\c:\program files\qq\africa2003\npkycryp.sys --> c:\program files\qq\africa2003\npkycryp.sys [?]
S3 SEWModem;Sony Ericsson GC75 Wireless Modem;c:\windows\system32\drivers\GC75.sys [2006-11-23 39296]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-05-04 17:19 161,792 a------- c:\windows\SWREG.exe
2009-05-04 17:19 98,816 a------- c:\windows\sed.exe
2009-05-04 00:41 2 a------- c:\windows\sysinfo.tmp
2009-04-30 15:26 <DIR> --d----- c:\documents and settings\me\.thumbnails
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gimp-2.6
2009-04-30 15:25 <DIR> --d----- c:\documents and settings\me\.gegl-0.0
2009-04-30 15:24 <DIR> --d----- c:\program files\GIMP-2.0
2009-04-29 17:11 <DIR> --d----- c:\documents and settings\me\.rainlendar2
2009-04-29 17:11 <DIR> --d----- c:\program files\Rainlendar2
2009-04-27 01:49 1,571,687 a------- c:\windows\system32\9158AVCore.dll
2009-04-27 01:49 196,608 a------- c:\windows\system32\ACore.dll
2009-04-27 01:49 188,416 a------- c:\windows\system32\DDVClient.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCtrlLib.dll
2009-04-27 01:49 143,360 a------- c:\windows\system32\DDVCommon.dll
2009-04-27 01:49 122,880 a------- c:\windows\system32\AVModule.dll
2009-04-27 01:49 <DIR> --d----- c:\program files\DuoDuoVideoGame
2009-04-15 04:24 <DIR> --d----- C:\~1
2009-04-14 20:35 <DIR> --d----- C:\pebuilder3110a

==================== Find3M ====================

2009-03-24 10:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 19:26 70,391 a------- C:\MGlogs.zip
2009-03-22 17:01 1,339,834 a------- C:\MGtools.exe
2009-03-22 16:40 22,249 a------- c:\windows\system32\somspring.dat
2009-03-21 02:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-02-21 02:52 388,096 ---s---- c:\windows\system32\MSPolicyAgent.dll
2009-02-16 14:42 69,888 a------- c:\windows\battc.sys
2008-03-10 10:41 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-10-23 18:02 57,080 a------- c:\docume~1\me\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 19:30:11.03 ===============

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 04 May 2009 - 08:41 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 afuhz

afuhz
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 04 May 2009 - 01:03 PM

Computer seems to be all right, but the scans found a LOT of malware...

Here are the logs

Malwarebytes' Anti-Malware 1.36
Database version: 2073
Windows 5.1.2600 Service Pack 2

5/5/2009 12:10:56 AM
mbam-log-2009-05-05 (00-10-56).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 206111
Time elapsed: 1 hour(s), 8 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mewbomomediapop.popbomo (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mewbomomediapop.popbomo.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadpopup.toolbardetector (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadpopup.toolbardetector.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nezgadpopup.celogc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nezgadpopup.celogc.1 (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\me\My Documents\Downloads\QvodSetup_tom365.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\JetAudio\jetUpdate.exe (Rogue.MalwareSweeper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\PushWare\cpush.dll.vir (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0001773.dll (Adware.Sogou) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\A0001849.dll (Adware.Sogou) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP29\A0003821.dll (Adware.Sogou) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000190.EXE (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP30\A0003876.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP33\A0005125.dll (Adware.Sogou) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0005166.dll (Adware.Sogou) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0005201.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0005205.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0005244.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP42\A0007504.dll (Adware.Cpush) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP44\A0007697.dll (Adware.Cpush) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP45\A0007743.dll (Adware.Cpush) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP48\A0007881.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\waueafe.exe (Malware.Tool) -> Quarantined and deleted successfully.
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4052 (20090504)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=01f212d5bfeb77419ade4e935a7b04e5
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-04 05:58:16
# local_time=2009-05-05 01:58:16 (+0800, China Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=417862
# found=156
# scan_time=5305
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\fakecom.exe a variant of Win32/TrojanDownloader.Agent.OXL trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\fakecom.exe »NSIS »common32.exe a variant of Win32/TrojanDownloader.Agent.OXL trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\iasnap.dll probably a variant of Win32/Agent.VOB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent39.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent69.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\LB.S.3.0.iso Win32/Packed.Autoit.Gen application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\LB.S.3.0.iso »ISO »DSOFT.EXE Win32/Packed.Autoit.Gen application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\LB.S.3.0.iso »ISO »DSOFT.EXE »AUTOIT »script.au3 Win32/Packed.Autoit.Gen application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\LB.S.3.0.iso »ISO »DSOFT.EXE Win32/Packed.Autoit.Gen application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\LB.S.3.0.iso »ISO »DSOFT.EXE »AUTOIT »script.au3 Win32/Packed.Autoit.Gen application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\.Trashes\501\autorun.inf INF/Conficker worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\.Trashes\501\Recycled.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\.Trashes\501\Secret.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\.Trashes\501\stup.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\.Trashes\501\SysInfo2.Dll Win32/Spy.Delf.UY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx a variant of Win32/Conficker.Gen worm (deleted) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx »UPX v12_m2_dll a variant of Win32/Conficker.Gen worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\me\Desktop\thumb drive\samsung pics\Phim nguoi lon.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\hjt\HiJackThis\backups\backup-20090323-140222-475.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Internet Explorer\icwres.dll a variant of Win32/Agent.ZFU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Internet Explorer\PLUGINS\icwres.dll probably a variant of Win32/Agent.ZFU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090322-203744-935.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-022910-874.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-023039-557.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-024616-995.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-025259-247.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-030449-421.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-132447-794.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090323-132651-732.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090415-000709-703.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\ZFZ.PIF.vir a variant of Win32/AutoRun.Agent.IE worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\cddd.pif.vir a variant of Win32/AutoRun.Agent.IE worm (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\cddd.pif.vir »RAR »ÕÕƬ .exe a variant of Win32/AutoRun.Agent.IE worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\Common Files\PushWare\cpush0.dll.vir a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\Common Files\PushWare\Uninst.exe.vir Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Intel\baiduc.dll.vir probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Intel\pctools_2009320_0.dll.vir probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\acpidisk.sys.vir a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pnpmem.sys.vir probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090122.exe.vir multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090122.exe.vir »NSIS »sogou0116.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090122.exe.vir »NSIS »sogou0116.exe »NSIS »ad10987-1.14.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090122.exe.vir »NSIS »sogou0116.exe »NSIS »ad10987-1.14.exe »NSIS »cpush.dll a variant of Win32/Adware.Cinmus application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090122.exe.vir »NSIS »sogou0116.exe »NSIS »ad10987-1.14.exe »NSIS »Uninst.exe Win32/Adware.Cinmus application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090122.exe.vir »NSIS »sogou0116.exe »NSIS »dr20080807.exe Win32/Spy.Agent.NJK trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090416.exe.vir multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090416.exe.vir »NSIS »sgcpu.exe multiple infiltrations (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090416.exe.vir »NSIS »sgcpu.exe »NSIS »cpush.dll a variant of Win32/Adware.Cinmus application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\20090416.exe.vir »NSIS »sgcpu.exe »NSIS »Uninst.exe Win32/Adware.Cinmus application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\~my1.tmp.vir a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\~my16.tmp.vir a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\~my1E.tmp.vir a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Temp\~myB.tmp.vir a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0001763.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0001764.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP20\A0002837.exe a variant of Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP20\A0002838.exe Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP20\A0002839.exe a variant of Win32/Agent.ZFU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP20\A0002840.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003005.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003010.pif a variant of Win32/AutoRun.Agent.IE worm (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003010.pif »RAR »ÕÕƬ .exe a variant of Win32/AutoRun.Agent.IE worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003011.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003012.PIF a variant of Win32/AutoRun.Agent.IE worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003093.exe Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21\A0003094.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003177.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003235.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003238.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003252.dll a variant of Win32/Agent.ZFU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003254.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003318.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003375.exe Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003396.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP23\A0003413.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP25\A0003564.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP26\A0003619.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP26\A0003630.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP27\A0003645.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP27\A0003665.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP28\A0003683.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP29\A0003804.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP29\A0003834.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000368.EXE Win32/Packed.Autoit.Gen application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000368.EXE »AUTOIT »script.au3 Win32/Packed.Autoit.Gen application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000377.EXE Win32/Packed.Autoit.Gen application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000377.EXE »AUTOIT »script.au3 Win32/Packed.Autoit.Gen application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP30\A0003860.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP30\A0003882.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP30\A0003899.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP30\A0003967.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP30\A0003985.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP32\A0005008.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP33\A0005041.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP33\A0005057.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP33\A0005096.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP33\A0005107.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0005134.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0005148.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP34\A0005178.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP35\A0005211.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0005230.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0005250.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP36\A0005343.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0005372.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0005399.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0006399.exe Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0006400.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP40\A0006428.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP40\A0006478.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP41\A0007478.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0007530.exe Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0007531.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0007559.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0007659.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP43\A0007680.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP44\A0007709.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP45\A0007730.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP46\A0007764.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP46\A0007822.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP48\A0007855.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP48\A0007882.dll a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP48\A0007883.exe Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP48\A0007884.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0007982.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0007984.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008070.exe Win32/TrojanDownloader.Agent.OXL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008071.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008316.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008317.sys probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008589.exe a variant of Win32/TrojanDownloader.Agent.OXL trojan (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008589.exe »NSIS »common32.exe a variant of Win32/TrojanDownloader.Agent.OXL trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008590.dll probably a variant of Win32/Agent.VOB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008591.inf INF/Conficker worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008592.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008593.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008594.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008595.Dll Win32/Spy.Delf.UY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008596.exe a variant of Win32/AutoRun.PD worm (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008597.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008598.dll a variant of Win32/Agent.ZFU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008599.dll probably a variant of Win32/Agent.ZFU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008600.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008601.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008602.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008603.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008604.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008605.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008606.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008607.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP49\A0008608.dll probably a variant of Win32/Adware.Cinmus application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP9\A0001735.sys a variant of Win32/Ysmarsys trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\MSPolicyAgent.dll.txt probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\xiainla.dll a variant of Win32/Delf.NNM trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\Com\1.2.6\WndHook.dll a variant of Win32/Agent.VOB trojan (unable to clean - deleted) 00000000000000000000000000000000
