hxxp://www.go2000.cn/?2 redirection

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

1 2 >

hxxp://www.go2000.cn/?2 redirection, Redirection, and some others

Options

Nikas View Member Profile	Dec 30 2009, 12:14 PM Post #1
Distinguished Member Group: Members Posts: 648 Joined: 3-July 05 From: Singapore Member No.: 25,681	Hi, No sure when did it happened, but I found out recently that IE homepage had been set as hxxp://www.go2000.cn/?2 and unable to change back no matter what. A IE Icon will be created on the desktop each time after I delete it too. At the same time, found out that the HOSTS file had been inserted with a few weird entries that can be seen in the log. When I wanted to immunize with spybot, it stated that I am unable to do it. I couldn't edit the HOSTS file as it says that the access is denied. Attached is the DSS log, mbam, RootRepeal and dr web cureit express scan log. DDS (Ver_09-12-01.01) - NTFSx86 Run by Joseph Gan at 23:36:38.23 on Wed 12/30/2009 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.732 [GMT 8:00] AV: ESET NOD32 Antivirus 3.0 On-access scanning enabled (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\WINDOWS\System32\svchost.exe -k Akamai C:\Program Files\xampp\apache\bin\httpd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\xampp\mysql\bin\mysqld.exe C:\Program Files\xampp\apache\bin\httpd.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\vmnat.exe C:\Program Files\VMware\VMware Workstation\vmware-authd.exe C:\WINDOWS\system32\vmnetdhcp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Razer\DeathAdder\razerhid.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Razer\DeathAdder\razertra.exe C:\Program Files\Stardock\ObjectDock\ObjectDock.exe C:\Program Files\Razer\DeathAdder\razerofa.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\PROGRA~1\FREEDO~1\fdm.exe C:\Documents and Settings\Joseph Gan\Desktop\cureit.exe C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\RarSFX1\gen4xq.exe C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\RarSFX1\na5kwXP.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Downloads\RootRepeal.exe C:\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.go2000.cn/?2 uInternet Settings,ProxyOverride = .local BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Easy Read: {235a3acd-ebe5-46b2-9bae-b1960f9dc791} - c:\program files\eread\eread\EasyRead.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: AddTask Class: {6a19c29d-ed45-4483-8999-9f939c8161f2} - c:\program files\eread\eread\WebHook.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe dRun: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe StartupFolder: c:\docume~1\joseph~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe uPolicies-explorer: NoViewOnDrive = 0 (0x0) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm IE: Open with &LoadScout... - c:\progra~1\softlo~1\loadsc~1.0\LoadScout.exe/#164 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll LSP: c:\program files\vmware\vmware workstation\vsocklib.dll DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll LSA: Authentication Packages = msv1_0 relog_ap Hosts: 127.0.0.1 http://www.spywareinfo.com Hosts: 218.1.25.1 dl.360safe.com Hosts: 218.1.25.1 bbs.360safe.com Hosts: 218.1.25.1 dl.360.cn Hosts: 218.1.25.1 bbs.360.cn ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\joseph~1\applic~1\mozilla\firefox\profiles\f3gvtnnj.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2090540&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - http://www.google.com FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2090540&SearchSource=2&q= FF - component: c:\documents and settings\joseph gan\application data\mozilla\firefox\profiles\f3gvtnnj.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll FF - component: c:\documents and settings\joseph gan\application data\mozilla\firefox\profiles\f3gvtnnj.default\extensions\piclens@cooliris.com\components\cooliris.dll FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll FF - plugin: c:\documents and settings\joseph gan\application data\mozilla\firefox\profiles\f3gvtnnj.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll FF - plugin: c:\documents and settings\joseph gan\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: network.automatic-ntlm-auth.trusted-uris - hxxp://127.0.0.1 c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-1-17 39472] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 34312] R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336] R2 Apache2.2;Apache2.2;c:\program files\xampp\apache\bin\httpd.exe [2009-11-27 24640] R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224] R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-9-18 54960] R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-9-27 22784] S2 Application ClipBook;Application ClipBook;c:\windows\system32\mqtljk.exe runsrv /name:"application clipbook" /prinum:"32" /cmdline:"c:\windows\system32\mstsef.tsk" --> c:\windows\system32\mqtljk.exe runsrv [?] S2 gupdate1c97ec7ea7c4858;Google Update Service (gupdate1c97ec7ea7c4858);c:\program files\google\update\GoogleUpdate.exe [2009-1-25 133104] S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-8-23 3584] S2 System SSL Messenger;System SSL Messenger;c:\windows\system32\mqtljk.exe runsrv /name:"system ssl messenger" /prinum:"32" /cmdline:"c:\windows\system32\jautdeij.dat" --> c:\windows\system32\mqtljk.exe runsrv [?] S3 cpuz130;cpuz130;\??\c:\docume~1\joseph~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\joseph~1\locals~1\temp\cpuz130\cpuz_x32.sys [?] S3 GarenaPEngine;GarenaPEngine;c:\docume~1\joseph~1\locals~1\temp\RRM44.tmp [2009-12-30 25616] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 NRKCTL32;NRKCTL32;\??\c:\misc program\wcpuid\nrkctl32.sys --> c:\misc program\wcpuid\NRKCTL32.SYS [?] S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2008-12-20 23992] S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [2008-4-23 47552] S3 XDva132;XDva132;\??\c:\windows\system32\xdva132.sys --> c:\windows\system32\XDva132.sys [?] S3 XDva158;XDva158;\??\c:\windows\system32\xdva158.sys --> c:\windows\system32\XDva158.sys [?] S3 XDva165;XDva165;\??\c:\windows\system32\xdva165.sys --> c:\windows\system32\XDva165.sys [?] S3 XDva167;XDva167;\??\c:\windows\system32\xdva167.sys --> c:\windows\system32\XDva167.sys [?] S3 XDva170;XDva170;\??\c:\windows\system32\xdva170.sys --> c:\windows\system32\XDva170.sys [?] S3 XDva215;XDva215;\??\c:\windows\system32\xdva215.sys --> c:\windows\system32\XDva215.sys [?] =============== Created Last 30 ================ 2009-12-30 13:50:20 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2009-12-24 15:52:00 0 d-----w- c:\program files\common files\Akamai 2009-12-21 15:51:18 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys.do 2009-12-21 15:51:12 0 d-----w- c:\documents and settings\joseph gan\funshion 2009-12-21 15:51:11 0 d-----w- c:\program files\Funshion Online 2009-12-21 09:40:08 503885 ----a-w- c:\windows\system32\jautdeij.dat 2009-12-21 09:40:08 503844 ----a-w- c:\windows\system32\syskbds.drv 2009-12-18 12:01:02 159744 ----a-w- c:\windows\Rockdoc.exe 2009-12-07 23:39:04 2146304 ----a-w- c:\windows\system32\GPhotos.scr 2009-12-06 10:51:57 0 --sh--r- C:\winx.ld 2009-12-06 10:51:55 203836 --sh--r- C:\grldr 2009-12-06 03:21:16 0 d-----r- c:\program files\Skype 2009-12-04 12:07:59 2560 ----a-w- c:\windows\_MSRSTRT.EXE 2009-12-04 11:02:31 0 d-----w- c:\docume~1\joseph~1\applic~1\DTC 2009-12-04 03:45:26 0 d-----w- c:\program files\DTC-Solutions ==================== Find3M ==================== 2009-12-14 16:53:22 98882 ----a-w- c:\windows\War3Unin.dat 2009-12-03 08:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 08:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-08 12:17:05 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-04 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll 2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll 2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:16:04 31788 ----a-w- c:\windows\fonts\Mumsies.ttf 2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll 2008-12-24 08:19:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat ============= FINISH: 23:37:10.51 =============== Malwarebytes' Anti-Malware 1.42 Database version: 3454 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 12/30/2009 10:24:12 PM mbam-log-2009-12-30 (22-24-12).txt Scan type: Full Scan (C:\\|) Objects scanned: 412129 Time elapsed: 1 hour(s), 38 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://www.go2000.cn/?2) Good: (http://www.Google.com) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\(default) (Hijack.HomePage) -> Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://www.go2000.cn/?2) Good: (iexplore.exe) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Joseph Gan\Local Settings\temp\liym.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully. EDIT: Deactivated link in topic title.* This post has been edited by elise025: Jan 15 2010, 03:16 AM Attached File(s) RootRepeal_report_12_31_09__01_13_04_.txt ( 85.91k ) Number of downloads: 2 Attach.txt ( 10.64k ) Number of downloads: 5 DrWeb.Express.txt ( 157bytes ) Number of downloads: 3

sundavis View Member Profile	Jan 3 2010, 06:19 PM Post #2
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370	Hi Nikas, Welcome to BleepingComputer HijackThis Logs and Malware Removal, My name is sundavis, I will be helping you to deal with your Malware problems today. Step1 Please download GMER Rootkit Scanner from Here or Here. Extract the contents of the zipped file to desktop. Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent . If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO. In the right panel, you will see several boxes that have been checked. Uncheck the following ... Sections IAT/EAT Drives/Partition other than Systemdrive (typically C:\) Show All (don't miss this one) Then click the Scan button & wait for it to finish. For more info, go to Here for your reference. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply. Caution Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries Step2 Please download SystemLook from one of the links below and save it to your Desktop. Download Mirror #1 Download Mirror #2 Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: CODE :reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons /sub HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace /sub HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command /sub HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} /sub HKEY_CLASSES_ROOT\http\shell\open\command /sub Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt Step3 Please download OTL and save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. Click the "Quick Scan" button. Two reports will open, OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized Copy and paste both logs back here in your next reply. In your next reply, please post back: 1.Gmer log 2.SystemLook log 3.OTListIt.txt and Extra.txt Thanks.

Nikas View Member Profile	Jan 3 2010, 08:56 PM Post #3
Distinguished Member Group: Members Posts: 648 Joined: 3-July 05 From: Singapore Member No.: 25,681	Hi sundavis, I appreciate your time to look over my log. I would require a few days before I can get back to you as I am unable to access to my Desktop. Thank you.

sundavis View Member Profile	Jan 4 2010, 12:22 PM Post #4
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370	That's OK. Take your time.

sundavis View Member Profile	Jan 8 2010, 12:48 AM Post #6
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370	Hi Nikas, Please run Gmer in safe mode instead and post the contents in your next reply. Please close all programs and windows before proceeding. Step1 Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from Here : Double-click FixPolicies.exe. Click the "Install" button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies. Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. A black box will briefly appear and then close. Exit the program. Step2 Please start OTL on your desktop. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box. CODE :OTL PRC - C:\Windows\Explorer.EXE (Microsoft Corporation) O4 - HKU\.DEFAULT..\Run: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe File not found O4 - HKU\S-1-5-18..\Run: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe File not found :Files C:\program files\jlingk C:\WINDOWS\System32\drivers\etc\hosts C:\WINDOWS\System32\drivers\etc\hosts.20091231-014743.backup C:\docume~1\joseph~1\locals~1\temp\cpuz130\cpuz_x32.sys C:\docume~1\joseph~1\locals~1\temp\RRM44.tmp :Services cpuz130 GarenaPEngine :reg [-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] [-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command] [-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel] "{871C5380-42A0-1069-A2EA-08002B30309D}"=0x00000000 (0) [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] @="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage] @="Open &Home Page" "MUIVerb"="@shdoclc.dll,-10241" "LegacyDisable"="" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command] @=hex(2):22,00,25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,66,00,69,00,6c,\ 00,65,00,73,00,25,00,5c,00,69,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,\ 20,00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,69,00,65,00,78,\ 00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,00,00 :Commands [resethosts] [emptytemp] [start explorer] [Reboot] Click Run Fix button on the top. Click OK and let it run unhindered. OTL will ask to reboot the machine. Please OK the prompt. A report will open. Copy and Paste that report in your next reply. Now, please delete any shortcut icon of IE and including the IE icon in quick launch toolbar on your desktop. If you have problem to delete that fake icon, then please do the following: Right click on the desktop and select properties On desktop tab click Customize Desktop On general tab, click Clean Desktop Now icon Desktop clean up wizard will prompt, select the fake IE icon, follow the prompt and Exit the Wizard. Note: If a folder called Unused Desktop Icons created on the desktop with the fake IE icon in it. Delete this folder and press F5 to flush the desktop. After that, please navigate to C:\Program Files\Internet Explorer folder, right click the iexplore icon send to Desktop(create shortcut). and drag the new IE icon on your desktop to your quick launch toolbar as well. Reset your homepage and tell me how things are running now. In you next reply, please post back: 1.OTL delete log 2.Gmer log 3.New OTL log Thanks This post has been edited by sundavis: Jan 8 2010, 12:54 AM

Nikas View Member Profile	Jan 10 2010, 04:51 AM Post #7
Distinguished Member Group: Members Posts: 648 Joined: 3-July 05 From: Singapore Member No.: 25,681	Hi sundavis, I finally got the GMER to run finish and got the log. Anyway, I am still unable to change my homepage. It goes back to the go2000.cn again. Here's the OTL delete log. All processes killed ========== OTL ========== No active process named Explorer.EXE was found! Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\×ÀÃæÃÀ»¯Ðã deleted successfully. Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\×ÀÃæÃÀ»¯Ðã not found. ========== FILES ========== File\Folder C:\program files\jlingk not found. C:\WINDOWS\System32\drivers\etc\hosts moved successfully. C:\WINDOWS\System32\drivers\etc\hosts.20091231-014743.backup moved successfully. File\Folder C:\docume~1\joseph~1\locals~1\temp\cpuz130\cpuz_x32.sys not found. C:\docume~1\joseph~1\locals~1\temp\RRM44.tmp moved successfully. ========== SERVICES/DRIVERS ========== Service cpuz130 stopped successfully! Service cpuz130 deleted successfully! Service GarenaPEngine stopped successfully! Service GarenaPEngine deleted successfully! ========== REGISTRY ========== Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\ deleted successfully. Registry key HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ deleted successfully. Registry key HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\ deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\\"{871C5380-42A0-1069-A2EA-08002B30309D}"\|0x00000000 (0) /E : value set successfully! HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\@\|"\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" /E : value set successfully! HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\\@\|"Open &Home Page" /E : value set successfully! HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\\"MUIVerb"\|"@shdoclc.dll,-10241" /E : value set successfully! HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\\"LegacyDisable"\|"" /E : value set successfully! HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\\@\|hex(2):22,00,25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,66,00,69,00,6c,00,65,00,73,00,25 ,00,5c,00,69,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,65,00,78,00,70,00,6c,00,6f,00,72,00, 65,00,72,00,5c,00,69,00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,00,0 0 /E : value set successfully! ========== COMMANDS ========== HOSTS file reset successfully [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Joseph Gan ->Temp folder emptied: 2142958958 bytes ->Temporary Internet Files folder emptied: 35545245 bytes ->Java cache emptied: 59908 bytes ->FireFox cache emptied: 90218793 bytes ->Google Chrome cache emptied: 0 bytes User: LocalService ->Temp folder emptied: 66016 bytes ->Temporary Internet Files folder emptied: 32969 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 2162283 bytes %systemroot%\System32 .tmp files removed: 2577 bytes Windows Temp folder emptied: 533121 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10927190 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 897004 bytes Total Files Cleaned = 2,178.00 mb OTL by OldTimer - Version 3.1.21.1 log created on 01102010_172415 Files\Folders moved on Reboot... File\Folder C:\WINDOWS\temp\Perflib_Perfdata_238.dat not found! Registry entries deleted on Reboot... GMER LOG GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-01-10 09:32:05 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdypow.sys ---- System - GMER 1.0.15 ---- SSDT spos.sys ZwCreateKey [0xF74D70E0] SSDT spos.sys ZwEnumerateKey [0xF74F5CA2] SSDT spos.sys ZwEnumerateValueKey [0xF74F6030] SSDT spos.sys ZwOpenKey [0xF74D70C0] SSDT spos.sys ZwQueryKey [0xF74F6108] SSDT spos.sys ZwQueryValueKey [0xF74F5F88] SSDT spos.sys ZwSetValueKey [0xF74F619A] INT 0x63 ? 8A79EBF8 INT 0x63 ? 8A79EBF8 INT 0x63 ? 8A79EBF8 INT 0x63 ? 8A79EBF8 INT 0x63 ? 8A672BF8 INT 0x63 ? 8A672BF8 INT 0x63 ? 8A79EBF8 INT 0x83 ? 8A79EBF8 INT 0x83 ? 8A79EBF8 INT 0x83 ? 8A672BF8 INT 0x83 ? 8A79EBF8 INT 0x94 ? 8A672BF8 INT 0xA4 ? 8A672BF8 INT 0xB4 ? 8A672BF8 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A79D1F8 Device \Driver\usbuhci \Device\USBPDO-0 8A6711F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A80E1F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A80E1F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A80E1F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A80E1F8 Device \Driver\usbuhci \Device\USBPDO-1 8A6711F8 Device \Driver\usbehci \Device\USBPDO-2 8A64F1F8 Device \Driver\usbuhci \Device\USBPDO-3 8A6711F8 Device \Driver\PCI_PNP4702 \Device\00000060 spos.sys Device \Driver\PCI_PNP4702 \Device\00000060 spos.sys Device \Driver\usbuhci \Device\USBPDO-4 8A6711F8 Device \Driver\usbehci \Device\USBPDO-5 8A64F1F8 Device \Driver\usbuhci \Device\USBPDO-6 8A6711F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A79F1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis) Device \Driver\usbuhci \Device\USBPDO-7 8A6711F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A79F1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) Device \Driver\Cdrom \Device\CdRom0 8A6141F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 8A79F1F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group) Device \Driver\Cdrom \Device\CdRom1 8A6141F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort4 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort5 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom2 8A6141F8 Device \Driver\sptd \Device\1367988452 spos.sys Device \Driver\usbuhci \Device\USBFDO-0 8A6711F8 Device \Driver\usbuhci \Device\USBFDO-1 8A6711F8 Device \Driver\usbuhci \Device\USBFDO-2 8A6711F8 Device \Driver\usbehci \Device\USBFDO-3 8A64F1F8 Device \Driver\usbuhci \Device\USBFDO-4 8A6711F8 Device \Driver\Ftdisk \Device\FtControl 8A79F1F8 Device \Driver\usbuhci \Device\USBFDO-5 8A6711F8 Device \Driver\usbuhci \Device\USBFDO-6 8A6711F8 Device \Driver\usbehci \Device\USBFDO-7 8A64F1F8 Device \Driver\a6k0hg0d \Device\Scsi\a6k0hg0d1Port6Path0Target0Lun0 8A6101F8 Device \Driver\a6k0hg0d \Device\Scsi\a6k0hg0d1 8A6101F8 Device \Driver\a6k0hg0d \Device\Scsi\a6k0hg0d1Port6Path0Target1Lun0 8A6101F8 Device \FileSystem\Cdfs \Cdfs 8A4A21F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xDB 0x43 0x0A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7F 0xBF 0xCA 0x4A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x01 0x4E 0x06 0x33 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x35 0xD5 0x37 0x9B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0x8D 0xBB 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x75 0xBA 0x83 0xF1 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAF 0x11 0xFD 0x90 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBE 0x18 0xD7 0x06 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x87 0xC8 0xD2 0x92 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xBB 0x8D 0xBB 0x32 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0x8D 0xBB 0x32 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x75 0xBA 0x83 0xF1 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xDB 0x43 0x0A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7F 0xBF 0xCA 0x4A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x01 0x4E 0x06 0x33 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x35 0xD5 0x37 0x9B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0x8D 0xBB 0x32 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x75 0xBA 0x83 0xF1 ... ---- EOF - GMER 1.0.15 ---- OTL LOG OTL logfile created on: 1/10/2010 5:35:29 PM - Run 3 OTL by OldTimer - Version 3.1.21.1 Folder = C:\Documents and Settings\Joseph Gan\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 2.00 Gb Total Physical Memory \| 1.00 Gb Available Physical Memory \| 56.00% Memory free 4.00 Gb Paging File \| 3.00 Gb Available in Paging File \| 80.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 2046 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 123.95 Gb Total Space \| 23.04 Gb Free Space \| 18.59% Space Free \| Partition Type: NTFS D: Drive not present or media not loaded Drive E: \| 281.11 Gb Total Space \| 17.16 Gb Free Space \| 6.10% Space Free \| Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded Drive H: \| 60.70 Gb Total Space \| 27.47 Gb Free Space \| 45.25% Space Free \| Partition Type: NTFS I: Drive not present or media not loaded Computer Name: JOSEPH Current User Name: Joseph Gan Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/01/08 16:45:18 \| 00,908,248 \| ---- \| M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010/01/08 11:36:11 \| 00,514,048 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Joseph Gan\Desktop\OTL.exe PRC - [2009/11/08 20:17:06 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe PRC - [2009/10/09 13:11:12 \| 25,623,336 \| R--- \| M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe PRC - [2009/10/09 13:11:12 \| 00,078,008 \| R--- \| M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe PRC - [2009/08/06 00:00:00 \| 05,497,856 \| ---- \| M] () -- C:\Program Files\xampp\mysql\bin\mysqld.exe PRC - [2009/08/06 00:00:00 \| 00,024,640 \| ---- \| M] (Apache Software Foundation) -- C:\Program Files\xampp\apache\bin\httpd.exe PRC - [2008/12/12 11:17:38 \| 00,238,888 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe PRC - [2008/09/18 23:12:00 \| 00,113,200 \| ---- \| M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe PRC - [2008/09/18 23:11:36 \| 00,326,192 \| ---- \| M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe PRC - [2008/09/18 23:11:04 \| 00,399,920 \| ---- \| M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe PRC - [2008/07/10 09:47:18 \| 00,116,040 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe PRC - [2008/06/10 18:53:54 \| 00,468,224 \| ---- \| M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe PRC - [2008/06/10 18:52:30 \| 01,447,168 \| ---- \| M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe PRC - [2008/04/28 04:48:55 \| 00,066,872 \| ---- \| M] () -- C:\WINDOWS\system32\PnkBstrA.exe PRC - [2008/04/14 08:12:19 \| 01,033,728 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/12/05 01:41:00 \| 00,155,716 \| ---- \| M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe PRC - [2007/09/07 15:54:54 \| 00,159,744 \| ---- \| M] () -- C:\Program Files\Razer\DeathAdder\razerhid.exe PRC - [2007/05/07 15:35:14 \| 00,163,840 \| ---- \| M] (Razer Inc.) -- C:\Program Files\Razer\DeathAdder\razerofa.exe PRC - [2007/04/30 19:43:54 \| 03,450,608 \| ---- \| M] (Stardock) -- C:\Program Files\Stardock\ObjectDock\ObjectDock.exe PRC - [2006/11/24 15:24:16 \| 00,143,360 \| ---- \| M] () -- C:\Program Files\Razer\DeathAdder\razertra.exe PRC - [2006/10/16 21:13:28 \| 00,230,944 \| ---- \| M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe ========== Modules (SafeList) ========== MOD - [2010/01/08 11:36:11 \| 00,514,048 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Joseph Gan\Desktop\OTL.exe MOD - [2007/04/30 19:18:50 \| 00,112,400 \| ---- \| M] () -- C:\Program Files\Stardock\ObjectDock\DockShellHook.dll ========== Win32 Services (SafeList) ========== SRV - [2009/12/24 23:52:03 \| 02,431,024 \| ---- \| M] () [Auto \| Running] -- C:/Program Files/Common Files/Akamai/rswin_3629.dll -- (Akamai) SRV - [2009/11/08 20:17:06 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) [Auto \| Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2009/10/08 11:31:00 \| 03,319,892 \| ---- \| M] (INCA Internet Co., Ltd.) [On_Demand \| Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc) SRV - [2009/09/23 16:37:30 \| 00,051,168 \| ---- \| M] (NOS Microsystems Ltd.) [On_Demand \| Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus® SRV - [2009/08/24 05:00:06 \| 00,136,120 \| ---- \| M] (Google) [On_Demand \| Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc) SRV - [2009/08/06 00:00:00 \| 05,497,856 \| ---- \| M] () [Auto \| Running] -- C:\Program Files\xampp\mysql\bin\mysqld.exe -- (MySQL) SRV - [2009/08/06 00:00:00 \| 00,024,640 \| ---- \| M] (Apache Software Foundation) [Auto \| Running] -- C:\Program Files\xampp\apache\bin\httpd.exe -- (Apache2.2) SRV - [2009/01/25 16:35:44 \| 00,133,104 \| ---- \| M] (Google Inc.) [Auto \| Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c97ec7ea7c4858) Google Update Service (gupdate1c97ec7ea7c4858) SRV - [2008/12/12 11:17:38 \| 00,238,888 \| ---- \| M] (Apple Inc.) [Auto \| Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service) SRV - [2008/11/11 09:38:06 \| 00,620,544 \| ---- \| M] (Nokia.) [On_Demand \| Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2008/11/04 01:06:28 \| 00,441,712 \| ---- \| M] (Microsoft Corporation) [On_Demand \| Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2008/09/18 23:12:00 \| 00,113,200 \| ---- \| M] (VMware, Inc.) [Auto \| Running] -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService) SRV - [2008/09/18 23:11:36 \| 00,326,192 \| ---- \| M] (VMware, Inc.) [Auto \| Running] -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP) SRV - [2008/09/18 23:11:04 \| 00,399,920 \| ---- \| M] (VMware, Inc.) [Auto \| Running] -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service) SRV - [2008/08/25 21:56:44 \| 00,191,024 \| ---- \| M] (VMware, Inc.) [On_Demand \| Stopped] -- C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60) SRV - [2008/07/10 09:47:18 \| 00,116,040 \| ---- \| M] (Apple Inc.) [Auto \| Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2008/06/10 18:59:18 \| 00,019,200 \| ---- \| M] (ESET) [On_Demand \| Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv) SRV - [2008/06/10 18:53:54 \| 00,468,224 \| ---- \| M] (ESET) [Auto \| Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn) SRV - [2008/04/28 04:48:55 \| 00,066,872 \| ---- \| M] () [Auto \| Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA) SRV - [2008/04/07 04:14:06 \| 00,654,848 \| ---- \| M] (Macrovision Europe Ltd.) [On_Demand \| Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) SRV - [2007/12/05 01:41:00 \| 00,155,716 \| ---- \| M] (NVIDIA Corporation) [Auto \| Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc) SRV - [2007/03/20 16:41:24 \| 00,153,792 \| ---- \| M] (Adobe Systems Incorporated) [On_Demand \| Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3) SRV - [2006/10/26 14:03:08 \| 00,145,184 \| ---- \| M] (Microsoft Corporation) [On_Demand \| Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose) SRV - [2006/10/16 21:13:28 \| 00,230,944 \| ---- \| M] (Acronis) [Auto \| Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc) SRV - [2006/08/03 10:43:28 \| 00,368,640 \| ---- \| M] () [Auto \| Stopped] -- C:\WINDOWS\System32\mqtljk.exe -- (System SSL Messenger) SRV - [2006/08/03 10:43:28 \| 00,368,640 \| ---- \| M] () [Auto \| Stopped] -- C:\WINDOWS\System32\mqtljk.exe -- (Application ClipBook) SRV - [2001/08/23 20:00:00 \| 00,003,584 \| ---- \| M] (Microsoft Corporation) [Auto \| Stopped] -- C:\WINDOWS\System32\regedt32.exe -- (NOD32FiXTemDono) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.go2000.cn/?2 IE - HKU\S-1-5-21-796845957-1390067357-839522115-1003\S-1-5-21-796845957-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-796845957-1390067357-839522115-1003\S-1-5-21-796845957-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = .local ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Ask" FF - prefs.js..browser.search.defaultthis.engineName: "OnRPG Customized Web Search" FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2090540&SearchSource=3&q={searchTerms}" FF - prefs.js..browser.search.order.1: "Ask" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "www.google.com" FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3 FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.10 FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19 FF - prefs.js..extensions.enabledItems: checkplaces@andyhalford.com:1.6.4 FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.11.6 FF - prefs.js..extensions.enabledItems: {D9808C4D-1CF5-4f67-8DB2-12CF78BBA23F}:2.5.8 FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.5 FF - prefs.js..extensions.enabledItems: {89506680-e3f4-484c-a2c0-ed711d481eda}:0.9.5.1 FF - prefs.js..extensions.enabledItems: fdm_ffext@freedownloadmanager.org:1.3.4 FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.33.0 FF - prefs.js..extensions.enabledItems: {cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}:0.4 FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20091209.4 FF - prefs.js..extensions.enabledItems: guiconfig@slosd.net:0.4.4 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: lazarus@interclue.com:2.0.5 FF - prefs.js..extensions.enabledItems: {B17C1C5A-04B1-11DB-9804-B622A1EF5492}:1.2 FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.0.3 FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.3.20091214_AMO FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2 FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2090540&SearchSource=2&q=" FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/01/19 13:36:11 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/11/04 08:43:43 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/08 16:45:30 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/08 16:45:30 \| 00,000,000 \| ---D \| M] [2008/07/01 04:58:40 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Extensions [2010/01/10 09:47:59 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions [2009/03/22 04:53:57 \| 00,000,000 \| ---D \| M] (All-in-One Sidebar) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d} [2009/05/31 07:06:41 \| 00,000,000 \| ---D \| M] (No name found) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c} [2009/09/29 03:40:14 \| 00,000,000 \| ---D \| M] (Firefox Showcase) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda} [2009/08/05 13:21:50 \| 00,000,000 \| ---D \| M] (Password Exporter) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492} [2008/04/08 03:40:26 \| 00,000,000 \| ---D \| M] (Fasterfox) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{c36177c0-224a-11da-8cd6-0800200c9a66} [2009/11/20 23:16:48 \| 00,000,000 \| ---D \| M] (Google Redesigned) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{cc85cd4e-5a5b-4eda-a25c-bdaffa93b406} [2010/01/08 11:33:58 \| 00,000,000 \| ---D \| M] (Adblock Plus) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2008/12/24 11:12:02 \| 00,000,000 \| ---D \| M] (Download Sort) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{D9808C4D-1CF5-4f67-8DB2-12CF78BBA23F} [2009/10/17 02:11:11 \| 00,000,000 \| ---D \| M] (No name found) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{dc572301-7619-498c-a57d-39143191b318} [2010/01/01 20:21:33 \| 00,000,000 \| ---D \| M] (Greasemonkey) -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [2010/01/01 20:21:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\checkplaces@andyhalford.com [2009/11/20 23:15:51 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\en-GB@dictionaries.addons.mozilla.org [2009/11/08 20:32:10 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\firebug@software.joehewitt.com [2009/04/26 18:07:51 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\guiconfig@slosd.net [2010/01/01 20:21:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\isreaditlater@ideashower.com [2010/01/01 20:21:37 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\lazarus@interclue.com [2010/01/08 11:34:02 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\piclens@cooliris.com [2009/11/24 15:20:13 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\searchrecs@veoh.com [2010/01/01 20:21:36 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\SkipScreen@SkipScreen [2009/03/08 15:50:49 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\smartbookmarksbar@remy.juteau [2008/04/07 05:01:34 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\extensions\snaplinks@snaplinks.net [2010/01/10 09:47:59 \| 00,000,000 \| ---D \| M] -- C:\Program Files\Mozilla Firefox\extensions [2008/11/28 21:26:54 \| 00,056,576 \| ---- \| M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll [2009/06/19 12:05:54 \| 00,239,432 \| ---- \| M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll O1 HOSTS File: (133 bytes) - C:\WINDOWS\system32\drivers\etc\Hosts O1 - Hosts: റഊഊ㈊㠱ㄮ㈮⸵‱†††汤㌮〶慳敦挮浯਍ㄲ⸸⸱㔲ㄮ†††戠獢㌮〶慳敦挮浯਍ㄲ⸸⸱㔲ㄮ†††搠⹬㘳⸰湣਍ㄲ⸸⸱㔲ㄮ†††戠獢㌮〶挮൮ O1 - Hosts: 1/08 16:45:25 \| 00,002,344 \| ---- \| M] () O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation) O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll () O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (Easy Read) - {235A3ACD-EBE5-46b2-9BAE-B1960F9DC791} - C:\Program Files\eREAD\eREAD\EasyRead.dll () O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (AddTask Class) - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll () O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll () O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll () O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation) O3 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O4 - HKLM..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe () O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET) O4 - HKLM..\Run: [KernelFaultCheck] File not found O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKU\.DEFAULT..\Run: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe File not found O4 - HKU\S-1-5-18..\Run: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe File not found O4 - HKU\S-1-5-21-796845957-1390067357-839522115-1003..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.) O4 - Startup: C:\Documents and Settings\Joseph Gan\Start Menu\Programs\Startup\Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (Stardock) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0 O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-796845957-1390067357-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.) O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm () O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm () O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm () O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm () O8 - Extra context menu item: Open with &LoadScout... - C:\Program Files\SoftLogica\LoadScout 3.0\LoadScout.exe () O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.) O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.) O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-21-796845957-1390067357-839522115-1003\..Trusted Ranges: Range37 ([http] in Local intranet) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} http://u3.sandisk.com/download/apps/LPInstaller.CAB (CInstallLPCtrl Object) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 218.186.1.58 202.156.1.58 218.186.1.88 O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll () O22 - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - C:\Program Files\Stardock\Fences\FencesMenu.dll (Stardock) O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010/01/08 20:04:30 \| 00,000,050 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{9cabd8ef-1812-11dd-9248-005056c00008}\Shell - "" = AutoRun O33 - MountPoints2\{9cabd8ef-1812-11dd-9248-005056c00008}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{9cabd8ef-1812-11dd-9248-005056c00008}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found O33 - MountPoints2\{9cabd8f0-1812-11dd-9248-005056c00008}\Shell\AutoRun\command - "" = K:\StartPortableApps.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk ) - File not found O35 - comfile [open] -- "%1" %* O35 - exefile [open] -- "%1" %* ========== Files/Folders - Created Within 14 Days ========== [2010/01/10 17:26:07 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\VMware [2010/01/10 17:24:15 \| 00,000,000 \| ---D \| C] -- C:\_OTL [2010/01/08 20:07:33 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\My Documents\My muvees [2010/01/08 19:46:10 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Common Files\muvee Technologies [2010/01/08 17:13:43 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies [2010/01/08 17:13:36 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\Application Data\muvee Technologies [2010/01/08 17:12:56 \| 00,000,000 \| ---D \| C] -- C:\Program Files\muvee Technologies [2010/01/08 17:09:46 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\Desktop\Wedding Montage [2010/01/08 16:43:24 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\My Documents\Version Cue [2010/01/08 16:43:23 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\My Documents\AdobeStockPhotos [2010/01/08 16:40:53 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\My Documents\Adobe [2010/01/08 11:35:59 \| 00,514,048 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Joseph Gan\Desktop\OTL.exe [2010/01/07 18:23:32 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Joseph Gan\Desktop\BlackShot [2009/12/30 23:10:40 \| 26,122,200 \| ---- \| C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Joseph Gan\Desktop\cureit.exe [2009/12/30 21:50:20 \| 00,161,296 \| ---- \| C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys [2009/10/16 13:25:45 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google [2009/07/22 04:21:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2009/02/06 08:40:04 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google [2008/12/24 16:19:54 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft [2008/10/05 21:54:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET [2008/08/07 11:15:00 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple [2008/04/06 23:23:55 \| 00,000,000 \| --SD \| M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2008/04/06 23:23:55 \| 00,000,000 \| --SD \| M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft ========== Files - Modified Within 14 Days ========== [2010/01/10 17:35:05 \| 19,398,656 \| ---- \| M] () -- C:\Documents and Settings\Joseph Gan\ntuser.dat [2010/01/10 17:30:06 \| 00,000,432 \| -H-- \| M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{83215FAD-3CAC-4E3E-9EC2-433D638B8644}.job [2010/01/10 17:26:05 \| 00,503,950 \| ---- \| M] () -- C:\WINDOWS\System32\jautdeij.dat [2010/01/10 17:26:05 \| 00,000,133 \| R--- \| M] () -- C:\WINDOWS\System32\drivers\etc\Hosts [2010/01/10 17:25:42 \| 00,000,882 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010/01/10 17:25:39 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2010/01/10 17:25:38 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2010/01/10 17:24:48 \| 00,000,178 \| -HS- \| M] () -- C:\Documents and Settings\Joseph Gan\ntuser.ini [2010/01/10 17:13:00 \| 00,000,998 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1390067357-839522115-1003UA.job [2010/01/10 16:43:00 \| 00,000,886 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010/01/10 13:49:28 \| 00,003,162 \| ---- \| M] () -- C:\Documents and Settings\Joseph Gan\funshion.ini [2010/01/09 18:13:00 \| 00,000,946 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1390067357-839522115-1003Core.job [2010/01/09 16:43:50 \| 00,259,684 \| -H-- \| M] () -- C:\Documents and Settings\Joseph Gan\Local Settings\Application Data\IconCache.db [2010/01/08 22:17:29 \| 00,037,888 \| ---- \| M] () -- C:\Documents and Settings\Joseph Gan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/01/08 20:06:35 \| 00,055,808 \| ---- \| M] () -- C:\Documents and Settings\Joseph Gan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2010/01/08 20:06:22 \| 01,553,816 \| ---- \| M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/01/08 20:04:30 \| 00,000,050 \| ---- \| M] () -- C:\AUTOEXEC.BAT [2010/01/08 19:46:55 \| 00,001,968 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Create instant home movies.lnk [2010/01/08 15:17:42 \| 28,216,631 \| ---- \| M] () -- C:\Documents and Settings\Joseph Gan\Desktop\271.rar [2010/01/08 11:36:11 \| 00,514,048 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Joseph Gan\Desktop\OTL.exe [2010/01/07 16:07:14 \| 00,038,224 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/01/07 16:07:04 \| 00,019,160 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/01/06 20:53:33 \| 00,002,228 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2010/01/04 22:18:45 \| 00,000,558 \| ---- \| M] () -- C:\WINDOWS\DFC.INI [2010/01/01 17:50:02 \| 05,292,054 \| ---- \| M] () -- C:\Documents and Settings\Joseph Gan\Desktop\untitled.bmp [2009/12/31 10:58:44 \| 00,370,836 \| R--- \| M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100108-121828.backup [2009/12/30 23:10:41 \| 26,122,200 \| ---- \| M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Joseph Gan\Desktop\cureit.exe [2009/12/30 21:50:20 \| 00,161,296 \| ---- \| M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys ========== Files Created - No Company Name ========== [2010/01/08 19:46:55 \| 00,001,968 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Create instant home movies.lnk [2010/01/08 19:33:32 \| 06,354,008 \| ---- \| C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat [2010/01/08 15:10:25 \| 28,216,631 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Desktop\271.rar [2010/01/07 22:49:58 \| 00,293,376 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Desktop\gmer.exe [2010/01/01 17:50:01 \| 05,292,054 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Desktop\untitled.bmp [2009/12/21 17:40:08 \| 00,503,844 \| ---- \| C] () -- C:\WINDOWS\System32\syskbds.drv [2009/11/08 19:54:07 \| 00,178,176 \| ---- \| C] () -- C:\WINDOWS\System32\unrar.dll [2009/11/08 19:54:06 \| 00,000,038 \| ---- \| C] () -- C:\WINDOWS\avisplitter.ini [2009/11/08 19:54:02 \| 00,881,664 \| ---- \| C] () -- C:\WINDOWS\System32\xvidcore.dll [2009/11/08 19:54:02 \| 00,205,824 \| ---- \| C] () -- C:\WINDOWS\System32\xvidvfw.dll [2009/11/08 19:53:59 \| 00,085,504 \| ---- \| C] () -- C:\WINDOWS\System32\ff_vfw.dll [2009/11/08 19:53:59 \| 00,000,547 \| ---- \| C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest [2009/11/03 12:14:20 \| 00,001,140 \| ---- \| C] () -- C:\WINDOWS\System32\funshion.ini [2009/06/26 20:21:26 \| 00,000,122 \| ---- \| C] () -- C:\WINDOWS\_vmtxp.ini [2009/01/19 15:11:16 \| 01,155,378 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Application Data\NMM-MetaData.db [2009/01/17 18:52:10 \| 00,247,560 \| ---- \| C] () -- C:\WINDOWS\System32\prgiso.dll [2009/01/17 18:52:09 \| 04,244,744 \| ---- \| C] () -- C:\WINDOWS\System32\qtp-mt334.dll [2009/01/17 18:52:09 \| 00,013,576 \| ---- \| C] () -- C:\WINDOWS\System32\wnaspi32.dll [2008/12/26 10:32:24 \| 00,055,856 \| R--- \| C] () -- C:\WINDOWS\System32\vnetinst.dll [2008/10/26 16:45:05 \| 01,470,464 \| ---- \| C] () -- C:\WINDOWS\System32\libmySQL.dll [2008/10/26 16:45:05 \| 00,916,849 \| ---- \| C] () -- C:\WINDOWS\System32\libiconv-2.dll [2008/10/26 16:45:05 \| 00,186,822 \| ---- \| C] () -- C:\WINDOWS\System32\libpq.dll [2008/10/26 16:45:05 \| 00,051,016 \| ---- \| C] () -- C:\WINDOWS\System32\libintl-2.dll [2008/10/26 13:47:26 \| 00,000,600 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Local Settings\Application Data\PUTTY.RND [2008/09/05 23:30:42 \| 00,190,976 \| ---- \| C] () -- C:\WINDOWS\System32\WgaLogon.dll [2008/09/05 23:30:06 \| 01,481,728 \| ---- \| C] () -- C:\WINDOWS\System32\LegitCheckControl.dll [2008/06/10 18:56:10 \| 00,034,312 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys [2008/05/15 00:14:59 \| 00,000,754 \| ---- \| C] () -- C:\WINDOWS\WORDPAD.INI [2008/04/28 14:22:21 \| 00,000,133 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Local Settings\Application Data\fusioncache.dat [2008/04/28 04:49:22 \| 00,022,328 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys [2008/04/28 04:49:22 \| 00,022,328 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Application Data\PnkBstrK.sys [2008/04/23 05:29:56 \| 00,003,972 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\PciBus.sys [2008/04/23 01:46:52 \| 00,040,928 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\VBoxDrv.sys [2008/04/22 19:08:30 \| 00,215,144 \| ---- \| C] () -- C:\WINDOWS\patchw32.dll [2008/04/07 21:38:23 \| 00,037,888 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008/04/07 20:10:58 \| 00,000,440 \| ---- \| C] () -- C:\Documents and Settings\Joseph Gan\Application Data\SamsungLiveUpdateConfig.ini [2008/04/07 04:22:00 \| 02,463,976 \| ---- \| C] () -- C:\WINDOWS\System32\NPSWF32.dll [2008/04/07 01:52:43 \| 00,717,296 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\sptd.sys [2008/04/07 01:31:20 \| 00,000,162 \| ---- \| C] () -- C:\WINDOWS\ODBC.INI [2008/04/07 01:01:37 \| 00,034,308 \| ---- \| C] () -- C:\WINDOWS\System32\BASSMOD.dll [2008/04/06 23:44:05 \| 00,000,558 \| ---- \| C] () -- C:\WINDOWS\DFC.INI [2008/04/06 23:40:49 \| 00,046,080 \| R--- \| C] () -- C:\WINDOWS\System32\itevio.dll [2007/12/05 01:41:00 \| 01,703,936 \| ---- \| C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2007/12/05 01:41:00 \| 01,474,560 \| ---- \| C] () -- C:\WINDOWS\System32\nview.dll [2007/12/05 01:41:00 \| 01,019,904 \| ---- \| C] () -- C:\WINDOWS\System32\nvwimg.dll [2007/12/05 01:41:00 \| 00,466,944 \| ---- \| C] () -- C:\WINDOWS\System32\nvshell.dll [2007/12/05 01:41:00 \| 00,286,720 \| ---- \| C] () -- C:\WINDOWS\System32\nvnt4cpl.dll [2007/09/08 02:40:22 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2007/09/08 02:40:22 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2007/09/07 02:01:52 \| 00,012,288 \| ---- \| C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2007/07/23 09:03:32 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll [2007/07/23 09:03:32 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll [2007/07/23 09:03:32 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll [2007/07/23 09:03:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll [2007/07/23 09:03:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll [2007/07/23 09:03:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll [2007/07/23 09:03:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll [2007/07/23 09:03:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll [2007/07/23 09:03:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll [2007/03/29 22:00:40 \| 00,203,264 \| ---- \| C] () -- C:\WINDOWS\System32\CddbCdda.dll [1996/04/04 03:33:26 \| 00,005,248 \| ---- \| C] () -- C:\WINDOWS\System32\giveio.sys ========== LOP Check ========== [2010/01/08 15:23:35 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Administrator\Application Data\Stardock [2008/04/07 20:41:42 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Acronis [2008/10/27 15:58:42 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\CodeGear [2008/09/11 03:12:47 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\ESET [2008/04/07 06:11:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG [2009/04/10 12:10:12 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\FruitfulTime [2009/01/19 13:34:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Installations [2008/12/18 19:45:32 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus! [2010/01/08 20:03:12 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies [2008/09/25 18:09:34 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\NexonUS [2009/01/19 13:41:41 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\PC Suite [2008/10/30 13:33:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst [2009/06/19 12:08:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\PMB Files [2009/09/03 01:11:55 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Stardock [2008/12/24 16:53:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\TechSmith [2010/01/09 21:35:13 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2008/04/07 01:03:16 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\WinZip [2009/09/03 01:12:00 \| 00,000,000 \| -H-D \| M] -- C:\Documents and Settings\All Users\Application Data\{62902F53-D725-44F9-B385-979CC0E00E8A} [2009/11/08 18:39:25 \| 00,000,000 \| -H-D \| M] -- C:\Documents and Settings\All Users\Application Data\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B} [2009/05/12 14:40:29 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Acronis [2009/03/19 19:36:27 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\calibre [2008/10/26 16:59:20 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\CodeGear [2008/04/07 01:52:40 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\DAEMON Tools [2009/12/04 19:02:31 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\DTC [2008/11/28 21:27:05 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Foxit [2010/01/08 22:28:15 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Free Download Manager [2008/04/07 01:00:46 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\GlobalSCAPE [2008/08/31 16:42:05 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\ImgBurn [2009/06/11 17:05:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\IObit [2009/05/29 13:58:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\LG Electronics [2009/10/20 15:22:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\LimeWire [2009/01/19 01:25:20 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\LoadScout [2008/09/27 03:32:16 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\MiniLyrics [2010/01/08 20:09:45 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\muvee Technologies [2009/04/12 14:03:27 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Nokia [2009/01/19 13:41:50 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\PC Suite [2008/10/30 13:33:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\PlayFirst [2008/11/01 16:39:16 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Quick Search And Replace [2008/10/09 11:45:32 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\SEGA [2009/11/08 18:30:56 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\Stardock [2008/04/14 18:52:53 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\TeamViewer [2009/12/30 12:10:21 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Joseph Gan\Application Data\uTorrent [2009/11/29 22:12:12 \| 00,000,394 \| ---- \| M] () -- C:\WINDOWS\Tasks\SmartDefrag.job [2010/01/10 17:30:06 \| 00,000,432 \| -H-- \| M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{83215FAD-3CAC-4E3E-9EC2-433D638B8644}.job ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 498 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF @Alternate Data Stream - 155 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7F4E393D @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84B9E490 @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 < End of report >

sundavis View Member Profile	Jan 10 2010, 05:34 AM Post #8
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370	Hi Nikas, Did you delete the fake icon on your desktop and quick launch toolbar? Are you aware of the contents of the following folder? If not, pleae delete that folder manually. C:\program files\jlingk Step1 If you already have Combofix, please delete that copy and download it again as it's being updated regularly. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Note: CombFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Click Yes to allow Combofix to continue scanning for malware. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply. Do not mouse click on Combofix while it is running. That may cause it to stall. Step2 Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.or you can find from here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt You can refer to this tutorial Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. Step3 Please start OTL on your desktop. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box. CODE :OTL PRC - C:\Windows\Explorer.EXE (Microsoft Corporation) IE - HKU\S-1-5-21-796845957-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.go2000.cn/?2 O1 - Hosts: റഊഊ㈊㠱ㄮ㈮⸵‱†††汤㌮〶慳敦挮浯਍ㄲ⸸⸱㔲ㄮ†††戠獢㌮〶慳敦挮浯਍ㄲ⸸⸱㔲ㄮ†††搠⹬㘳⸰湣਍ㄲ⸸⸱㔲ㄮ†††戠獢㌮〶挮൮ O1 - Hosts: 1/08 16:45:25 \| 00,002,344 \| ---- \| M] () O4 - HKU\.DEFAULT..\Run: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe File not found O4 - HKU\S-1-5-18..\Run: [×ÀÃæÃÀ»¯Ðã] c:\program files\jlingk\deskmate.exe File not found :Commands [resethosts] [emptytemp] [start explorer] [Reboot] Click Run Fix button on the top. Click OK and let it run unhindered. OTL will ask to reboot the machine. Please OK the prompt. A report will open. Copy and Paste that report in your next reply. After that, please rerun SystemLook as instructed in my previous post of #2 and post the contents in your next reply. In your next reply, please post back: 1.ComboFix log 2.MBAM log 3.OTL delete log 4.SystemLook log Let me know if any remaining issues still present.

sundavis View Member Profile	Jan 10 2010, 10:38 AM Post #10
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370	Hi Nikas, Step1 Close any open browsers Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below: CODE File:: c:\documents and settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\pluginreg.dat.bak 14244 bytes c:\documents and settings\Joseph Gan\Application Data\Mozilla\Firefox\Profiles\f3gvtnnj.default\user.js.BAK 76 bytes C:\WINDOWS\system32\drivers\etc\Hosts C:\WINDOWS\System32\drivers\etc\hosts.20100108-121828.backup DDS:: uStart Page = hxxp://www.go2000.cn/?2 uInternet Settings,ProxyOverride = .local Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] @="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command] @=hex(2):22,00,25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,66,00,69,00,6c,\ 00,65,00,73,00,25,00,5c,00,69,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,\ 20,00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,69,00,65,00,78,\ 00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,00,00 [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage] @="Open &Home Page" "MUIVerb"="@shdoclc.dll,-10241" "LegacyDisable"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage] @="Open &Home Page" "MUIVerb"="@shdoclc.dll,-10241" "LegacyDisable"="" Save this as CFScript.txt* and change the "Save as type" to "All Files" and place it on your desktop Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Step2 Please go to Here and Download System Repair Engine by smallfrogs Extract it to Desktop & double click SREngLdr.exe to run it Click System Repair in the left pane. Click on Hosts File tap Press reset button, and click Yes to the prompt window. Click save button in the right bottom corner. Exit the program and restart it Select 'Smart Scan' & tick "Verify the digital signatures of process modules" Click on the Scan button. When finished, click on the Save Reports button & save the log to Desktop You can refer to this thread for your reference. After that, please rerun SystemLook as instructed in my previous post of #2 and post the content in your next reply. In your next reply, please post back: 1.ComboFix log 2.Sreng log 3.SystemLook log Tell me how things are going now.

sundavis View Member Profile	Jan 10 2010, 12:06 PM Post #12
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370	Hi Nikas, QUOTE I have disabled my AV and then COMBOFIX detected a CD Emulator/Emulation and restarted on its own That is normal. CD Emulator may be acting as a false positive. CF will temporarily close it. After reboot, your desktop should be empty and AV should be closed as well. Step1 Go to Start>Run>type regedit>and hit Enter. Navigate to and expand the following entries and right click it delete the following bold data which added http://www.go2000.c/?2. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command @=""C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.cn/?2" Close regedit, and reboot your pc. Step2 Open HiJackThis Click on the button " Open the Misc Tools section" Click on the Box that says "Open hosts File Manager" Click on the button "Open in Notepad" Copy and past the List from the notepad file into your post If it's a large file, save it somewhere you can find it, and attach it in your next reply. If can't find any Hosts file there, please do the following: Please download HostsXpert to your desktop Unzip HostsXpert to it's own folder. Run HostsXpert.exe If HostsXpert alerts you, it can't find any Hosts file and need to creat a new one. Please consent. Click "Make Writable?" in the upper left corner. Click "Restore MS Hosts file" and then click OK. Close HostsXpert. After that, please rerun SystemLook and post the contents in your next reply. In your next reply, please post back: 1.SystemLook log 2.Hosts log Tell me if you have any remaining issues on your pc.

Nikas View Member Profile	Jan 10 2010, 09:16 PM Post #13
Distinguished Member Group: Members Posts: 648 Joined: 3-July 05 From: Singapore Member No.: 25,681	I will do it either on Tue or Thur. Thanks!

sundavis View Member Profile	Jan 10 2010, 09:17 PM Post #14
Forum Addict Group: Malware Response Team Posts: 2,056 Joined: 11-August 07 Member No.: 149,370

Nikas View Member Profile	Jan 14 2010, 09:41 AM Post #15
Distinguished Member Group: Members Posts: 648 Joined: 3-July 05 From: Singapore Member No.: 25,681	Hi sundavis, Sorry for the delay. I am unable to delete that entry. It says "Unable to delete all specified values". Below is the entries from the hosts. QUOTE 218.1.25.1 dl.360safe.com 218.1.25.1 bbs.360safe.com 218.1.25.1 dl.360.cn 218.1.25.1 bbs.360.cn Below is the SystemLook. SystemLook v1.0 by jpshortstuff (29.08.09) Log created at 22:39 on 14/01/2010 by Joseph Gan (Administrator - Elevation successful) ========== reg ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons] (No values found) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu] "{871C5380-42A0-1069-A2EA-08002B30309D}.default"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel] "{208D2C60-3AEA-1069-A2D7-08002B30309D}"= 0x0000000001 (1) "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"= 0x0000000001 (1) "{450D8FBA-AD25-11D0-98A8-0800361B1103}"= 0x0000000001 (1) "{871C5380-42A0-1069-A2EA-08002B30309D}"="0x00000000 (0)" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace] (No values found) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}] @="Computer Search Results Folder" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}] "Removal Message"="@mydocs.dll,-900" @="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}] @="Recycle Bin" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}] @="Search Results Folder" [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] "@"="\"C:\Program Files\Internet Explorer\IEXPLORE.EXE\"" @=""C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.cn/?2" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}] "InfoTip"="@C:\WINDOWS\system32\ieframe.dll.mui,-881" "LocalizedString"="@C:\WINDOWS\system32\ieframe.dll.mui,-880" @="" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon] @="C:\WINDOWS\system32\ieframe.dll,-190" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32] "ThreadingModel"="Apartment" @="C:\WINDOWS\system32\ieframe.dll" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell] @="OpenHomePage" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns] "LegacyDisable"="" @="Start Without Add-ons" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command] @=""C:\Program Files\Internet Explorer\iexplore.exe" -extoff" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage] "@"="Open &Home Page" "LegacyDisable"="" "MUIVerb"="@shdoclc.dll,-10241" @="´ò¿ªÖ÷Ò³(&H)" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command] "@"=""%programfiles%\internet explorer\iexplore.exe"" @="C:\Program Files\Internet Explorer\iexplore.exe http://www.go2000.cn/?2" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex] (No values found) [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers] (No values found) [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe] @="{871C5380-42A0-1069-A2EA-08002B30309D}" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\MayChangeDefaultMenu] @="" [HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder] "Attributes"= 0x0000100024 (1048612) "HideAsDeletePerUser"="" "HideFolderVerbs"="" "HideOnDesktopPerUser"="" "WantsParseDisplayName"="" @="C:\WINDOWS\system32\ieframe.dll,-190" [HKEY_CLASSES_ROOT\http\shell\open\command] @=""C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"" -=End Of File=- The IE is still directed to go2000.cn. This post has been edited by Nikas: Jan 14 2010, 09:42 AM

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 29th July 2010 - 09:39 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides