Malware Virus Problems

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

< 1 2

Malware Virus Problems

Options

wayjing View Member Profile	Dec 24 2007, 04:45 AM Post #16
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Ni Hao wong,Well for one the firewall the only way to make it appear in the tray is go into safe mode and unplug Internet restart computer plug it back in but it doesn't seem to be blocking anything and the major scanners like panda, trendmicro and bitdefender will not run.Another thing I noticed is when I start the computer after I put in the pass word blue screen appears in the bottom of the screen theres a one inch black boarder and when the desktop shows the start button and clock area are black for a while. In the past when I had viruses etc...the same thing would happen with the screen. Thanks so much,Wayjing p.s I noticed your Chinese symbol (wong) Ni Hao wong,Well for one the firewall the only way to make it appear in the tray is go into safe mode and unplug Internet restart computer plug it back in but it doesn't seem to be blocking anything and the major scanners like panda, trendmicro and bitdefender will not run.Another thing I noticed is when I start the computer after I put in the pass word blue screen appears in the bottom of the screen theres a one inch black boarder and when the desktop shows the start button and clock area are black for a while. In the past when I had viruses etc...the same thing would happen with the screen. Thanks so much,Wayjing p.s I noticed your Chinese symbol (wong)

wayjing View Member Profile	Dec 24 2007, 04:59 AM Post #17
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Ni Hao wong,Well for one the firewall the only way to make it appear in the tray is go into safe mode and unplug Internet restart computer plug it back in but it doesn't seem to be blocking anything and the major scanners like panda, trendmicro and bitdefender will not run.Another thing I noticed is when I start the computer after I put in the pass word blue screen appears in the bottom of the screen theres a one inch black boarder and when the desktop shows the start button and clock area are black for a while. In the past when I had viruses etc...the same thing would happen with the screen. Thanks so much,Wayjing p.s I noticed your Chinese symbol (wong) thumbup.gif

Yourhighness View Member Profile	Dec 28 2007, 04:49 PM Post #18
The BSG Malware Fighter Group: HJT Team Coach Posts: 6,644 Joined: 20-April 06 From: Hamburg Member No.: 64,788	Hey Wayjing, sorry for the delay. With the christmas holidays and new year, its been rather busy / short staffed and such causes delays. Apologies for that. I still have not received feedback yet, so we are doing it a different way. Step #1 Please click this link --> http://www.virustotal.com/flash/index_en.html When the virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit: C:\WINDOWS\PATCH.EXE Once that scan has finished, save the results somewhere for posting it here later. Now please repeat the above for the following file: C:\WINDOWS\system32\dfeadc_s.dll Please post back the results of the scan in your next post. Step #2 Now please navigate to: Start >> Run... Type: Combofix /u and hit Enter Step #3 Please download ComboFix from here to receive a fresh and most up-to-date version of ComboFix. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.)* Close any open browsers Double click ComboFix.exe and follow the prompts. When finished, it shall produce a log for you, combofix.txt. Post that log in your next reply together with a new HijackThis log Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall Step #4 Please post back with the results from Virustotal for both files above, a fresh HijackThis log and the ComboFix log. Thanks. -------------------- I will be scarce from mid July til end of October and from December til May. If you need to contact me or I havent replied to a topic of yours, please send a pm - "How did I get infected?" - "Safe-hex" - Member of UNITE -

wayjing View Member Profile	Dec 29 2007, 04:05 AM Post #19
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Hello Yourhighness, I posted the logs but I couldn't find C:\WINDOWS\system32\dfeadc_s.dll looked and did a search but know luck. File Patch.exe received on 12.26.2007 13:29:59 (CET) Antivirus Version Last Update Result AhnLab-V3 2007.12.26.10 2007.12.26 - AntiVir 7.6.0.46 2007.12.25 - Authentium 4.93.8 2007.12.26 - Avast 4.7.1098.0 2007.12.26 - AVG 7.5.0.516 2007.12.25 - BitDefender 7.2 2007.12.26 - CAT-QuickHeal 9.00 2007.12.25 - ClamAV 0.91.2 2007.12.26 - DrWeb 4.44.0.09170 2007.12.26 - eSafe 7.0.15.0 2007.12.25 - eTrust-Vet 31.3.5400 2007.12.24 - Ewido 4.0 2007.12.26 - FileAdvisor 1 2007.12.26 - Fortinet 3.14.0.0 2007.12.26 - F-Prot 4.4.2.54 2007.12.25 - F-Secure 6.70.13030.0 2007.12.26 - Ikarus T3.1.1.15 2007.12.26 - Kaspersky 7.0.0.125 2007.12.26 - McAfee 5192 2007.12.24 - Microsoft 1.3109 2007.12.26 - NOD32v2 2747 2007.12.25 - Norman 5.80.02 2007.12.26 - Panda 9.0.0.4 2007.12.25 - Prevx1 V2 2007.12.26 - Rising 20.24.21.00 2007.12.26 - Sophos 4.24.0 2007.12.26 - Sunbelt 2.2.907.0 2007.12.21 - Symantec 10 2007.12.26 - TheHacker 6.2.9.168 2007.12.22 - VBA32 3.12.2.5 2007.12.24 - VirusBuster 4.3.26:9 2007.12.26 - Webwasher-Gateway 6.6.2 2007.12.26 - Additional information File size: 286720 bytes MD5: 19e73d5a247129160e27637328803475 SHA1: c2df5522ed494c66124f881db54e654d72d908ee PEiD: Armadillo v1.71 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:54:21 PM, on 12/29/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe E:\Program Files\a-squared Anti-Malware\a2service.exe C:\Program Files\NavNT\defwatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Eset\nod32krn.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe -- End of file - 6841 bytes ComboFix 07-12-21.4 - richard 2007-12-29 16:40:12.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.489 [GMT -8:00] Running from: C:\Documents and Settings\richard\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 ))))))))))))))))))))))))))))))) . 2007-12-28 18:10 . 2007-12-28 18:10 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-12-25 18:38 . 2007-12-25 18:38 <DIR> d-------- C:\Program Files\LizardTech 2007-12-23 19:58 . 2007-12-23 21:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-12-23 19:58 . 2007-12-23 19:58 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2007-12-19 23:13 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-12-19 23:12 . 2007-12-19 23:13 <DIR> d-------- C:\Program Files\Java 2007-12-19 23:10 . 2007-12-19 23:10 <DIR> d-------- C:\Program Files\Common Files\Java 2007-12-18 18:47 . 2007-12-18 18:47 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-12-18 08:18 . 2007-12-18 08:18 <DIR> d-------- C:\Documents and Settings\richard\DoctorWeb 2007-12-18 00:45 . 2007-12-18 00:45 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-12-18 00:45 . 2007-12-18 00:45 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-12-18 00:45 . 2007-12-18 00:45 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-12-17 12:48 . 2007-12-17 12:48 <DIR> d-------- C:\Downloads 2007-12-16 21:42 . 2007-12-16 21:44 <DIR> d-------- C:\ERDNT 2007-12-16 11:10 . 2007-12-16 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files 2007-12-16 10:31 . 2007-12-16 11:19 <DIR> d-------- C:\Program Files\Common Files\Panda Software 2007-12-09 09:36 . 2004-08-29 06:22 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll 2007-12-07 23:39 . 2007-07-30 19:19 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-12-07 23:39 . 2007-07-30 19:19 53,080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe 2007-12-07 10:10 . 2007-12-18 14:02 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com 2007-12-07 08:05 . 2007-12-07 08:05 <DIR> d-------- C:\Documents and Settings\richard\Application Data\SUPERAntiSpyware.com 2007-12-07 08:05 . 2007-12-07 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2007-12-07 08:03 . 2007-12-07 08:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-12-06 09:35 . 2007-12-21 00:12 <DIR> d-------- C:\Program Files\EsetOnlineScanner 2007-12-06 08:53 . 2007-12-06 08:53 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Cyberlink 2007-12-04 18:47 . 2007-12-21 16:30 <DIR> d-------- C:\Documents and Settings\richard\.housecall6.6 2007-12-04 17:29 . 2007-12-04 17:28 39,823,741 --a------ C:\WINDOWS\LPT$VPN.859 2007-12-04 17:28 . 2007-12-04 17:28 39,823,741 --a------ C:\WINDOWS\VPTNFILE.859 2007-12-04 16:37 . 2007-12-04 17:28 <DIR> d-------- C:\WINDOWS\AU_Temp 2007-12-04 14:08 . 2007-12-04 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles 2007-12-03 15:49 . 2007-12-04 17:30 <DIR> d-------- C:\WINDOWS\report 2007-12-03 15:49 . 2007-12-29 14:00 <DIR> d-------- C:\WINDOWS\AU_Backup 2007-12-03 15:49 . 2007-12-04 17:28 1,899,383 --a------ C:\WINDOWS\tsc.ptn 2007-12-03 15:49 . 2007-12-04 17:28 1,163,344 --a------ C:\WINDOWS\vsapi32.dll 2007-12-03 15:49 . 2007-12-04 17:28 267,845 --a------ C:\WINDOWS\tsc.exe 2007-12-03 15:49 . 2007-12-04 17:28 86,094 --a------ C:\WINDOWS\BPMNT.dll 2007-12-03 15:49 . 2007-12-04 17:28 71,749 --a------ C:\WINDOWS\hcextoutput.dll 2007-12-03 15:49 . 2007-12-04 18:36 823 --a------ C:\WINDOWS\tsc.ini 2007-12-03 15:45 . 2007-12-03 15:45 <DIR> d-------- C:\WINDOWS\AU_Log 2007-12-03 15:45 . 2007-12-03 15:45 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL 2007-12-03 15:45 . 2007-12-29 14:00 286,720 --a------ C:\WINDOWS\PATCH.EXE 2007-12-03 15:45 . 2007-12-03 15:45 69,689 --a------ C:\WINDOWS\UNZIP.DLL 2007-12-02 19:29 . 2007-12-02 19:29 0 --a------ C:\WINDOWS\VPC32.INI 2007-12-02 19:08 . 2007-12-02 19:08 <DIR> d-------- C:\WINDOWS\system32\CBA 2007-12-02 19:08 . 2007-12-02 19:09 <DIR> d-------- C:\Program Files\Symantec 2007-12-02 19:08 . 2007-12-14 21:22 <DIR> d-------- C:\Program Files\NavNT 2007-12-02 19:08 . 2001-09-24 08:29 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386 2007-12-02 19:08 . 2001-09-24 08:29 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-12-02 19:08 . 2001-09-24 08:29 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2007-12-02 19:08 . 2001-09-24 08:29 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL 2007-12-02 19:00 . 2007-12-02 19:00 16 --a------ C:\WINDOWS\system32\coh.cache 2007-12-02 18:47 . 2007-12-02 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec 2007-12-02 18:46 . 2007-12-02 19:33 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared 2007-12-02 18:36 . 2007-12-06 16:42 1,523,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-12-02 18:36 . 2007-12-06 16:42 599,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-12-02 18:36 . 2007-12-06 16:42 59,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-12-02 18:36 . 2007-12-06 16:42 22,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-12-02 18:23 . 2007-12-02 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Martau 2007-12-02 18:22 . 2007-12-14 12:25 <DIR> d-------- C:\Program Files\Total Uninstall 4 2007-12-01 23:24 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2007-11-29 18:41 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX 2007-11-29 18:41 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll 2007-11-29 16:24 . 2007-01-18 13:38 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-11-29 11:18 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2007-11-29 07:44 . 2007-11-29 07:44 <DIR> d-------- C:\Program Files\Trend Micro 2007-11-29 00:40 . 2007-11-29 00:40 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Uniblue 2007-11-27 20:23 . 2007-11-27 20:23 <DIR> d-------- C:\WINDOWS\McAfee.com 2007-11-26 22:47 . 2007-11-26 22:47 230 --a------ C:\WINDOWS\system32\spupdsvc.inf 2007-11-24 22:10 . 2007-12-23 20:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2007-11-24 22:10 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-11-22 14:48 . 2007-11-22 14:48 <DIR> d-------- C:\Program Files\Agnitum 2007-11-18 14:41 . 2007-11-18 14:41 764 --a------ C:\rapport.rar 2007-11-16 21:18 . 2007-12-23 19:58 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2007-11-16 21:18 . 2007-12-23 19:58 1,406 --a------ C:\WINDOWS\system32\Help.ico 2007-11-12 23:13 . 2007-12-29 00:00 69 --a------ C:\WINDOWS\NeroDigital.ini 2007-11-12 22:54 . 2007-11-12 22:54 <DIR> d-------- C:\WINDOWS\Cache 2007-11-12 22:47 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll 2007-11-12 22:47 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll 2007-11-12 22:47 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll 2007-11-12 22:47 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll 2007-11-12 22:47 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll 2007-11-12 22:47 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll 2007-11-12 22:46 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll 2007-11-12 22:44 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2007-11-12 22:35 . 2007-11-12 22:35 <DIR> d-------- C:\WINDOWS\InCD 2007-11-12 22:35 . 2007-11-12 22:45 <DIR> d-------- C:\Program Files\Common Files\Ahead 2007-11-12 22:35 . 2007-11-12 22:48 <DIR> d-------- C:\Program Files\Ahead 2007-11-12 22:35 . 2004-09-07 02:09 2,146,304 --------- C:\WINDOWS\NuNinst.exe 2007-11-12 22:35 . 2004-09-07 16:27 91,136 --------- C:\WINDOWS\system32\drivers\InCDfs.sys 2007-11-12 22:35 . 2004-10-18 22:48 51,969 --------- C:\WINDOWS\NuNinst.cfg 2007-11-12 22:35 . 2004-09-07 16:27 28,544 --------- C:\WINDOWS\system32\drivers\InCDpass.sys 2007-11-12 22:35 . 2004-09-07 16:29 5,760 --------- C:\WINDOWS\system32\drivers\InCDrec.sys 2007-11-12 22:34 . 2003-12-05 01:46 10,368 --------- C:\WINDOWS\system32\drivers\pfc.sys 2007-11-12 22:32 . 2007-11-12 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink 2007-11-12 22:31 . 2007-11-12 22:31 <DIR> d-------- C:\Program Files\CyberLink 2007-11-12 22:31 . 2004-03-11 13:27 40,960 --a------ C:\Program Files\Uninstall_CDS.exe 2007-11-11 18:58 . 2007-11-11 18:58 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\vlc 2007-11-06 23:56 . 2007-11-06 23:56 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Hewlett-Packard 2007-11-06 23:34 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-11-06 23:32 . 2007-11-06 23:34 <DIR> d-------- C:\Program Files\Hewlett-Packard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-03 06:18 --------- d-----w C:\Documents and Settings\richard\Application Data\Lavasoft 2007-11-22 22:48 --------- d-----w C:\Program Files\Common Files\Agnitum Shared 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-13 07:58 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-13 06:33 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-07 20:24 --------- d-----w C:\Documents and Settings\richard\Application Data\AdobeUM 2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-10-20 01:39 14,336 ----a-w C:\WINDOWS\system32\svchost.exe 2007-09-06 07:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe 2007-07-23 20:19 5 --sha-w C:\WINDOWS\system32\dfeadc_s.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2002-06-14 16:20] "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 04:00 C:\WINDOWS\system32\rundll32.exe] "Cmaudio"="RunDll32 cmicnfg.cpl" [] "SoundMan"="SOUNDMAN.EXE" [2004-08-29 06:22 C:\WINDOWS\SOUNDMAN.EXE] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-18 00:45] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] E:\Program Files\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk] backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0] 2006-01-12 20:52 483328 --a------ E:\Distillr\Acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] 2004-08-04 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery] 2002-12-02 20:56 40960 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2002-12-17 11:40 49152 -ra------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] 2003-03-11 00:08 172032 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] 2004-09-07 05:25 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar] E:\Program Files\Multimedia Launcher\PowerBar.exe /AtBootTime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2003-12-08 17:35 32768 --a------ E:\Program Files\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Total Uninstall Agent] 2007-08-19 22:48 602416 --a------ C:\Program Files\Total Uninstall 4\TuAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] E:\Acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "AVP"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe "PowerBar"= [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" "<NO NAME>"= "MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 16:19] R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2002-06-14 16:20] R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 16:20] R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 16:19] R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 16:20] R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 16:20] R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 16:20] R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 16:20] R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 16:20] R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 16:20] R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 16:20] R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 16:20] S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-02-25 18:26] S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 18:26] S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 18:26] . ************************************************************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-29 16:41:30 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\NavLogon.dll . Completion time: 2007-12-29 16:42:25 C:\ComboFix2.txt ... 2007-12-20 23:31 C:\ComboFix3.txt ... 2007-12-19 15:25 . 2007-11-25 13:56:40 --- E O F --- Thanks so much and Happy New Year,Wayjing

wayjing View Member Profile	Dec 31 2007, 03:55 AM Post #20
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Hello your Yourhighness, I couldn't open the new email message it said,Sorry, the link that brought you to this page seems to be out of date or broken. Thank you Wayjing

Yourhighness View Member Profile	Jan 1 2008, 05:40 AM Post #21
The BSG Malware Fighter Group: HJT Team Coach Posts: 6,644 Joined: 20-April 06 From: Hamburg Member No.: 64,788	Hey Wayjing, hope you got a good start into 2008, I did . Step #1 I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause: False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't. System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time. Therefore please go to add/remove in the control panel and remove either NOD32 or Norton. Step #2 Download and install AVG Anti-Spyware v7.5. After download, double click on the file to launch the install process. Choose a language, click "OK" and then click "Next". Read the "License Agreement" and click "I Agree". Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install". After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them unaccessible for doing a scan. If this is the case, then you may have to run your scan in normal mode and advise your helper afterwards.) Scan with AVG Anti-Spyware as follows: Click on the "Scanner" button and choose the "Settings" tab. Under "*How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware. Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings. Under "Reports" select "Automatically generate report after every scan" and UNcheck* "Only if threats were found". Click the "Scan" tab to return to scanning options. Click "Complete System Scan" to start. When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there. You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine. IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as" - the default file name will be in date/time format as follows: Report-Scan-yyyymmdd-hhmmss.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response. Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection. AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version. Step #3* Please post back with the Report-Scan-yyyymmdd-hhmmss.txt from AVG Antiy-Spyware and a fresh HijackThis log. Thanks. -------------------- I will be scarce from mid July til end of October and from December til May. If you need to contact me or I havent replied to a topic of yours, please send a pm - "How did I get infected?" - "Safe-hex" - Member of UNITE -

wayjing View Member Profile	Jan 2 2008, 09:03 AM Post #22
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Hey Yourhighness , really not sure if I did the avg scan right but it only came up with some trackingcookies. Oh I started getting pop ups in English and Chinese. AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 4:58:36 PM 1/2/2008 + Scan result: :mozilla.54:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.67:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.71:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.72:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.73:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned. :mozilla.57:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.59:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.58:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned. :mozilla.82:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.84:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.85:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.86:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned. :mozilla.83:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned. :mozilla.77:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.78:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.79:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.80:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.81:C:\Documents and Settings\richard\Application Data\Mozilla\Firefox\Profiles\2hefd7j8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. ::Report end Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:03:39 PM, on 1/2/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe -- End of file - 6080 bytes Thanks again Wayjing

Yourhighness View Member Profile	Jan 2 2008, 04:31 PM Post #23
The BSG Malware Fighter Group: HJT Team Coach Posts: 6,644 Joined: 20-April 06 From: Hamburg Member No.: 64,788	Hey Wayjing, Step #1 Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only) Double-click ATF-Cleaner.exe to run the program. Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. Step #2 Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. Close ALL applications and windows. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. The logs can be quite lengthy..use two post if you need to get them all in. Step #3 Please post back with the main.txt and the extra.txt from the DSS scan. Thanks. -------------------- I will be scarce from mid July til end of October and from December til May. If you need to contact me or I havent replied to a topic of yours, please send a pm - "How did I get infected?" - "Safe-hex" - Member of UNITE -

wayjing View Member Profile	Jan 2 2008, 08:35 PM Post #24
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Hey Yourhighness,Well I downloaded ATF and no problem but with the dss it would only produce one log I tried again and the same thing happened,will send the one log. Thanks Wayjing Deckard's System Scanner v20071014.68 Run by richard on 2008-01-03 09:23:09 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as richard.exe) --------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:23:11 AM, on 1/3/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Eset\nod32kui.exe E:\Program Files\a-squared Anti-Malware\a2service.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Eset\nod32krn.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\richard\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\richard.exe C:\WINDOWS\system32\wbem\wmiprvse.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133 O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe -- End of file - 6738 bytes -- Files created between 2007-12-03 and 2008-01-03 ----------------------------- 2008-01-02 00:41:58 0 d-------- C:\Documents and Settings\richard\Application Data\Grisoft 2008-01-02 00:41:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-12-28 18:10:52 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-12-25 18:38:15 0 d-------- C:\Program Files\LizardTech 2007-12-19 23:12:31 0 d-------- C:\Program Files\Java 2007-12-19 23:10:16 0 d-------- C:\Program Files\Common Files\Java 2007-12-18 18:47:35 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-12-18 08:18:20 0 d-------- C:\Documents and Settings\richard\DoctorWeb 2007-12-18 00:45:56 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System> 2007-12-17 12:48:13 0 d-------- C:\Downloads 2007-12-16 21:42:15 0 d-------- C:\ERDNT 2007-12-16 11:10:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files 2007-12-16 10:31:07 0 d-------- C:\Program Files\Common Files\Panda Software 2007-12-07 10:10:47 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com 2007-12-07 08:05:16 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2007-12-07 08:05:08 0 d-------- C:\Documents and Settings\richard\Application Data\SUPERAntiSpyware.com 2007-12-07 08:03:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-12-06 09:35:08 0 d-------- C:\Program Files\EsetOnlineScanner 2007-12-06 08:53:21 0 d-------- C:\Documents and Settings\richard\Application Data\Cyberlink 2007-12-04 18:47:22 0 d-------- C:\Documents and Settings\richard\.housecall6.6 2007-12-04 16:37:57 0 d-------- C:\WINDOWS\AU_Temp 2007-12-04 14:08:37 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles 2007-12-03 15:49:26 0 d-------- C:\WINDOWS\report 2007-12-03 15:49:09 0 d-------- C:\WINDOWS\AU_Backup 2007-12-03 15:49:08 267845 --a------ C:\WINDOWS\tsc.exe <Not Verified; Trend Micro Inc.; TrendSystemCleaner> 2007-12-03 15:49:08 71749 --a------ C:\WINDOWS\hcextoutput.dll 2007-12-03 15:49:07 1163344 --a------ C:\WINDOWS\vsapi32.dll <Not Verified; Trend Micro Inc.; VSAPI> 2007-12-03 15:49:07 86094 --a------ C:\WINDOWS\BPMNT.dll <Not Verified; Trend Micro Inc.; VSAPI> 2007-12-03 15:45:24 0 d-------- C:\WINDOWS\AU_Log 2007-12-03 15:45:18 69689 --a------ C:\WINDOWS\UNZIP.DLL <Not Verified; Trend Micro Inc.; Trend Active Update 1.32> 2007-12-03 15:45:18 507904 --a------ C:\WINDOWS\TMUPDATE.DLL <Not Verified; Trend Micro Inc.; ActiveUpdate Module> 2007-12-03 15:45:18 286720 --a------ C:\WINDOWS\PATCH.EXE <Not Verified; Trend Micro Inc.; ActiveUpdate Module> 2007-12-03 13:14:24 0 dr-h----- C:\Documents and Settings\richard\Recent -- Find3M Report --------------------------------------------------------------- 2008-01-01 23:50:48 0 d-------- C:\Program Files\Symantec 2008-01-01 23:50:36 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-12-19 23:15:12 5140 --a------ C:\WINDOWS\mozver.dat 2007-12-19 23:10:16 0 d-------- C:\Program Files\Common Files 2007-12-16 11:23:25 0 d-------- C:\Documents and Settings\richard\Application Data\Help 2007-12-14 12:25:00 0 d-------- C:\Program Files\Total Uninstall 4 2007-12-02 22:18:33 0 d-------- C:\Documents and Settings\richard\Application Data\Lavasoft 2007-11-29 07:44:44 0 d-------- C:\Program Files\Trend Micro 2007-11-22 14:48:48 0 d-------- C:\Program Files\Common Files\Agnitum Shared 2007-11-22 14:48:45 0 d-------- C:\Program Files\Agnitum 2007-11-12 23:58:46 0 d-------- C:\Program Files\Common Files\Adobe 2007-11-12 22:48:10 0 d-------- C:\Program Files\Ahead 2007-11-12 22:45:42 0 d-------- C:\Program Files\Common Files\Ahead 2007-11-12 22:33:14 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-11-12 22:31:59 0 d-------- C:\Program Files\CyberLink 2007-11-07 12:24:00 0 d-------- C:\Documents and Settings\richard\Application Data\AdobeUM 2007-11-06 23:56:47 0 d-------- C:\Documents and Settings\richard\Application Data\Hewlett-Packard 2007-11-06 23:34:33 0 d-------- C:\Program Files\Hewlett-Packard 2007-11-05 14:29:57 0 d-------- C:\Documents and Settings\richard\Application Data\Yahoo! 2007-10-22 20:41:30 1806 --a------ C:\WINDOWS\system32\tmp.reg 2007-10-21 11:09:48 192 --a------ C:\WINDOWS\system32\tbhi.dat -- Registry Dump --------------------------------------------------------------- Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [06/14/2002 04:20 PM] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 11:22 AM] "SoundMan"="SOUNDMAN.EXE" [08/29/2004 06:22 AM C:\WINDOWS\SOUNDMAN.EXE] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [12/18/2007 12:45 AM] "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 04:00 AM] "a-squared"="E:\Program Files\a-squared Anti-Malware\a2guard.exe" [12/28/2007 11:50 AM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SASSEH.DLL [12/20/2006 01:55 PM 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] E:\Program Files\SASWINLO.dll 04/19/2007 01:41 PM 294912 E:\Program Files\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk] backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0] "E:\Distillr\Acrotray.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar] "E:\Program Files\Multimedia Launcher\PowerBar.exe" /AtBootTime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "E:\Program Files\PowerDVD\PDVDServ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Total Uninstall Agent] "C:\Program Files\Total Uninstall 4\TuAgent.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] E:\Acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "AVP"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe "PowerBar"= [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" "<NO NAME>"= "MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto -- End of Deckard's System Scanner: finished at 2008-01-03 09:23:40 ------------

Yourhighness View Member Profile	Jan 4 2008, 12:09 AM Post #25
The BSG Malware Fighter Group: HJT Team Coach Posts: 6,644 Joined: 20-April 06 From: Hamburg Member No.: 64,788	Hey Wayjing, Can you please have a look if the extra.txt file created by DSS is present in the C:\Deckard\System Scanner folder? I really want that log. If you cannot find the log, then please do the following: Close all programs and/or windows so that you have nothing open and are at your Desktop. Click on Start, then click on Run. In the Open: field copy and paste the entire contents inside the CODE box below and press the OK button. QUOTE "%userprofile%\Desktop\dss.exe" /config This will open up DSS configuration. Click on Check All. Click Scan. DSS will now run again. When finished, please post back both logs that open in Notepad: main.txt and extra.txt. -------------------- I will be scarce from mid July til end of October and from December til May. If you need to contact me or I havent replied to a topic of yours, please send a pm - "How did I get infected?" - "Safe-hex" - Member of UNITE -

Yourhighness View Member Profile	Jan 6 2008, 12:43 PM Post #27
The BSG Malware Fighter Group: HJT Team Coach Posts: 6,644 Joined: 20-April 06 From: Hamburg Member No.: 64,788	Hey Wayjing, thats oke. Two fresh ones is just as good . Lets continue. Please make sure that the windows firewall is not running, as you have Outpost Firewall installed and this might cause conflicts. A tutorial on how to do it, can be found here. Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Emule). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it. It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology." It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (ie the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves. Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office." Step #1 Please copy and paste the following text into Notepad: CODE sc delete CLTNetCnService sc delete AVP del services.bat Save this as "services.bat" Choose to save as all files and place it on your Desktop. Double-click services.bat. Soon it should disappear from your Desktop; this is fine. Step #2* Please download the OTMoveIt by OldTimer. Save it to your desktop. Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): c:\program files\common files\symantec shared C:\Program Files\Symantec c:\program files\kaspersky lab\kaspersky anti-virus 6.0 C:\WINDOWS\system32\tbhi.dat C:\WINDOWS\system32\tmp.reg Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Click the red Moveit! button. Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply. Close OTMoveIt If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Step #2 Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: LiveUpdate 1.6 (Symantec Corporation) Step #3 Please post back with the log from OTMoveIt and a fresh HijackThis log. Please also let me know how your pc is doing at the moment. Thanks. -------------------- I will be scarce from mid July til end of October and from December til May. If you need to contact me or I havent replied to a topic of yours, please send a pm - "How did I get infected?" - "Safe-hex" - Member of UNITE -

wayjing View Member Profile	Jan 11 2008, 08:23 AM Post #28
Member Group: Members Posts: 18 Joined: 26-November 07 From: china Member No.: 172,589	Hello Yourhighness,sorry for the delay in my reply.Startup is very slow and still can't get the firewall to appear in the tray.The major scanners like trendmicro,panda,bitdefender wont load and some pop ups .Thanks again for all your hard work.Wayjing Results from OTMoveIt,c:\program files\common files\symantec shared\CCPD-LC moved successfully. c:\program files\common files\symantec shared moved successfully. C:\Program Files\Symantec\LiveUpdate moved successfully. C:\Program Files\Symantec moved successfully. File/Folder c:\program files\kaspersky lab\kaspersky anti-virus 6.0 not found. C:\WINDOWS\system32\tbhi.dat moved successfully. C:\WINDOWS\system32\tmp.reg moved successfully. Created on 01/07/2008 11:42:55 New hijack logLogfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:22:09 PM, on 1/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe E:\Program Files\a-squared Anti-Malware\a2service.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Eset\nod32krn.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe E:\ESET.NOD32.v2.70.23.WinNT2K2K3XP.\NOD32 Update Viewer 2.06.2.0\NOD32view_2.06.2.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133 O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe -- End of file - 6750 bytes

Yourhighness View Member Profile	Jan 11 2008, 01:57 PM Post #29
The BSG Malware Fighter Group: HJT Team Coach Posts: 6,644 Joined: 20-April 06 From: Hamburg Member No.: 64,788	Hey Wayjing, no problem. Lets get a fresh look into your system then. Step #1 Double-click ATF-Cleaner.exe to run the program. Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. Step #2 Close ALL applications and windows. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. The logs can be quite lengthy..use two post if you need to get them all in. Step #3 Please go to Eset Onlinescan (NOD32) (You need to use InternetExplorer or enable IEView in Firefox) You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use Now click Start Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes Click Start (the Onlinescanner will now prepare itself for running on your pc) To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications" Press Scan The Onlinescan will now start and scan your pc (this could take a while) When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt The Scanresults will now open in Notepad Click into the text area, right-click and chose "select all" (or use ctrl+a) Right-click again and chose "copy" (or ctrl+c) Close Notepad Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created. Step #4 Please post back with the main.txt and the extra.txt of the DSS.exe and the C:\Program Files\EsetOnlineScanner\log.txt from the Onlinescan. Thanks. -------------------- I will be scarce from mid July til end of October and from December til May. If you need to contact me or I havent replied to a topic of yours, please send a pm - "How did I get infected?" - "Safe-hex" - Member of UNITE -

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

2 Pages

< 1 2

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 8th November 2009 - 07:20 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides