
Avsystemcare


16 replies to this topic

#1 HK GIRL

Posted 20 October 2007 - 10:16 PM

Thanks for your very detailed instructions, which helped me find some free and useful anti-spyware. I have been infected by this Avsystemcare spyware, and a window saying "Your PC has been infected..." was popping up all the time. I had clicked the linked webpage but never downloaded anything from it. My NOD antivirus detected that there was a virus but could not clean it.

After a very difficult search (lots of "avsystem removal" results on the search engine were diverted to some strange sites), I found this forum, followed your instructions and spent a whole day scanning and cleaning my computer. Now I think it is much better protected, but the Sygate firewall keeps blocking some access to a remote host when I start my computer. I post my HijackThis log here and hope you can help me see whether the spyware is cleared or not.

Let me thank all of you again for your help and instructions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:40, on 21/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmeshk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmeshk.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://danchoy.dyndns.org/officescan/conso...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://danchoy.dyndns.org/officescan/conso...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://danchoy.dyndns.org/officescan/conso...stall/setup.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1192933127250
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://danchoy.dyndns.org/officescan/conso.../RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
O20 - AppInit_DLLs: sulimo.dat
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8226 bytes
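A small triage script for the two HijackThis logs in this thread: the one above (before the cleanup) and the one posted after the ComboFix and SmitfraudFix run later in the thread. This is an added example, not code from HijackThis, BleepingComputer or any tool the thread names; the sample lines are abridged copies of those two logs, and the function names and the flagging rules are this example's own assumptions. It calls out the two entries a practitioner would flag first in the log above (the extra program on the Winlogon Shell= line, which Richie later identifies as malware, and the non-empty AppInit_DLLs value), surfaces the hard-coded DNS servers for a manual check against the ISP, and lists which entries disappeared between the two logs.

```python
"""Triage two HijackThis 2.0 logs: flag persistence entries, then diff before/after.

Added example for this thread; not part of HijackThis, ComboFix or any other
tool named in it. Sample lines are abridged copies of the two logs in the
thread; function names and flagging rules are this example's own choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis prefixes every finding with a section code: "F2 - ", "O4 - ", "O20 - " ...
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str  # section code, e.g. "F2"
    body: str  # text after "F2 - "


def parse(log: str) -> list[Entry]:
    """Return the section entries of an HJT log, skipping headers and the process list."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def flag(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for entries that deserve a closer look.

    Rules (this example's own; HJT itself does not judge entries):
      winlogon-shell : F2 Shell= lists anything besides Explorer.exe. Winlogon
                       starts every listed program at logon, which is why Windows
                       complains that printer.exe is missing once the file is
                       deleted but the registry value is not.
      appinit-dlls   : O20 AppInit_DLLs is non-empty; that DLL is loaded into
                       every process that links user32.dll.
      nameserver     : O17 hard-coded DNS servers; fine only if they are the
                       ISP's, so always surface them for manual review.
    """
    findings = []
    for e in entries:
        if e.kind == "F2" and "Shell=" in e.body:
            # Shell= is space-separated; a path containing spaces would need quoting.
            programs = e.body.split("Shell=", 1)[1].split()
            extra = [p for p in programs if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon-shell", " ".join(extra)))
        elif e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            dlls = e.body.split(":", 1)[1].strip()
            if dlls:
                findings.append(("appinit-dlls", dlls))
        elif e.kind == "O17" and "NameServer = " in e.body:
            findings.append(("nameserver", e.body.split("NameServer = ", 1)[1].strip()))
    return findings


def removed(before: list[Entry], after: list[Entry]) -> list[Entry]:
    """Entries present in the first log but gone from the second, in original order."""
    gone = set(before) - set(after)
    return [e for e in before if e in gone]


# Abridged from the first log in this thread (before cleanup) and the one posted after it.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
O20 - AppInit_DLLs: sulimo.dat
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
"""

if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    for rule, detail in flag(before):
        print(f"[before] {rule:15} {detail}")
    for rule, detail in flag(after):
        print(f"[after]  {rule:15} {detail}")
    for e in removed(before, after):
        print(f"removed: {e.kind} - {e.body}")
```

The O17 rule deliberately does not judge the two addresses: nothing in the thread says whether they belong to the user's ISP, so the script surfaces them and a reviewer checks them. The diff shows that the Shell= program, the AppInit_DLLs entry and the dead ICQ toolbar hook are the entries that went away between the two logs, while the new SSVHelper BHO is simply the updated Java install.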



#2 RichieUK (Malware Response Team)

Posted 21 October 2007 - 04:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, HK GIRL.
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save it to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart, as the fixtool will be running and removing files.
* When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.


Download SmitfraudFix (by S!Ri) to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 – Search, by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.
*IMPORTANT*
Do NOT run any other options until you are asked to do so!
*Note*
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes.
Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Also post a new HijackThis log please.

#3 HK GIRL (Topic Starter)

Posted 24 October 2007 - 09:53 AM

Hello Richie,

Thanks for your instructions, but when I try to follow the steps to open the C:\SDFix folder and click RunThis.bat in Safe Mode, a black screen appears and the computer seems to hang. There is no message asking me to reboot the computer, and I tried pressing keys but I cannot reboot. What's wrong with that? What should I do next?

Also, when I restart my computer after the previous scanning instructions, there is a message saying my C:\WINDOWS\system32\printer.exe is missing. Should I remove my printer programs and download them again?

#4 RichieUK (Malware Response Team)

Posted 24 October 2007 - 05:30 PM

"should I remove my printer programmes and download it again?"

No, printer.exe is malware. Please post the contents of ComboFix.txt, the SmitfraudFix report, and a new HijackThis log.

#5 HK GIRL (Topic Starter)

Posted 24 October 2007 - 11:19 PM

Here are the ComboFix.txt contents. Sorry, my Windows is a Chinese version; if you need, I can translate some of the logs for you.

ComboFix 07-10-25.1 - Yvonne 2007-10-25 11:56:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.143 [GMT 8:00]
Running from: C:\Documents and Settings\Yvonne\桌面\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vtr.dll

.
(((((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))))
.

2007-10-24 22:15 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-24 21:56 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-21 10:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 03:21 <DIR> d-------- C:\Program Files\Sygate
2007-10-21 03:21 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-10-21 03:21 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-10-21 03:21 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-10-21 03:21 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-10-21 03:21 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-10-21 03:21 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-10-21 03:21 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-10-21 01:51 1,953,799 --a------ C:\Program Files\stinger.exe
2007-10-20 23:11 <DIR> d-------- C:\Documents and Settings\Yvonne\.housecall6.6
2007-10-20 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 22:02 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2007-10-20 20:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-20 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-20 20:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-20 20:11 19,755,376 --a------ C:\Program Files\aaw2007.exe
2007-10-20 19:09 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-10-20 18:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 18:03 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-10 21:16 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 13:58 --------- d-----w C:\Program Files\Java
2007-10-21 04:06 --------- d-----w C:\Program Files\ICQLite
2007-10-21 03:30 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-20 19:17 17 ----a-w C:\Program Files\stinger.opt
2007-10-20 19:10 294 ----a-w C:\Program Files\stinger.txt
2007-08-28 05:46 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-08-22 12:56 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:56 651,264 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:56 611,328 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:56 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:56 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:56 473,088 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:56 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:56 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:56 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:56 3,085,824 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:56 250,880 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:56 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:56 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:56 150,016 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:56 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:56 1,497,600 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:56 1,049,088 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:56 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:16 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 18:25 142,696 ----a-w C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll
2007-07-30 11:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 11:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 11:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 11:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 11:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 11:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 11:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 11:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 11:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 11:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-04-30 03:29 12,154,800 ----a-w C:\Program Files\nentchst.exe
2007-04-12 11:31 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-04-12 11:29 482,512 ----a-w C:\Program Files\realarcade_skunk_stub.exe
2007-04-12 10:20 1,422,454 ----a-w C:\Program Files\Scribble.jar
2007-04-11 14:25 12,349,456 ----a-w C:\Program Files\GHScrabbleInstall-3783.exe
2007-04-11 13:06 365,897 ----a-w C:\Program Files\Scrabble.exe
2007-03-28 13:38 43,132,528 ----a-w C:\Program Files\TAV15.1_GM_Trial_32bit.exe
2007-03-17 15:47 699,177 ----a-w C:\Program Files\WordBiz18.exe
2007-03-03 12:48 36 ----a-w C:\Program Files\FEAD_error.log
2007-03-03 12:45 345,068,035 ----a-w C:\Program Files\Photoshop_CS2.exe
2006-03-02 15:08 21,254,280 ----a-w C:\Program Files\AdbeRdr707_en_US.exe
2006-03-02 15:06 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2006-03-02 15:06 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe
2006-02-18 13:27 363,560 ----a-w C:\Program Files\msgr75hk.exe
.

(((((((((((((((((((((((((((((((((((((((((( Important Registry Entries ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty or legitimate registry values will not be shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-12 12:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-12 12:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-12 12:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"CaISSDT"="C:\Program Files\CA\CA Internet Security Suite\caissdt.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-05 22:31]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-12 12:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 12:00]


.
Contents of the Scheduled Tasks folder
"2007-10-25 04:03:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 12:04:50
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden programs...

Scanning hidden processes...

Scanning hidden files...

Scan completed
Hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 12:05:39 - machine was rebooted
.
--- E O F ---

#6 HK GIRL (Topic Starter)

Posted 24 October 2007 - 11:28 PM

The SmitfraudFix report:

SmitFraudFix v2.241

Scan done at 12:22:31.04, 25/10/2007 Thu
Run from C:\Documents and Settings\Yvonne\桌面\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Yvonne


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Yvonne\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 218.102.32.208
DNS Server Search Order: 205.252.144.126

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer=218.102.32.208 205.252.144.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer=218.102.32.208 205.252.144.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer=218.102.32.208 205.252.144.126


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 HK GIRL (Topic Starter)

Posted 24 October 2007 - 11:36 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:50, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\CA Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmeshk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmeshk.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://danchoy.dyndns.org/officescan/conso...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://danchoy.dyndns.org/officescan/conso...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://danchoy.dyndns.org/officescan/conso...stall/setup.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1192933127250
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://danchoy.dyndns.org/officescan/conso.../RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7580 bytes
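
The HijackThis log above is being read by hand in this thread. The script below is an added example (not part of the original thread, and not a HijackThis or BleepingComputer tool) showing how a responder can automate the first pass over the O4, O16, O17 and O23 sections: autorun and service binaries outside the usual roots, ActiveX (DPF) controls served from non-allow-listed hosts, and NameServer entries that do not match the resolvers the owner expects. The sample lines are copied from the log, plus one hypothetical O4 entry (a winavxx.exe autorun in a Temp folder, the name taken from the Spybot recovery listing later in the thread) so that the O4 check produces a hit. The DNS allow-list and the trusted-host list are assumptions: the two NameServer addresses in the log should be checked against the ISP's published resolvers before being treated as trusted, since a silently changed NameServer is one way rogue "antispyware" redirects removal searches to its own sites.

```python
"""Added example: a first-pass triage of HijackThis (HJT) log lines.
Not from the original thread and not a HijackThis or BleepingComputer tool.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: the two resolvers in the O17 lines belong to the owner's ISP.
# Verify against the ISP's published DNS servers before trusting them.
TRUSTED_DNS = {"218.102.32.208", "205.252.144.126"}

# ASSUMPTION: ActiveX (O16 DPF) controls are only expected from these hosts.
TRUSTED_DPF_HOSTS = {"catalog.update.microsoft.com", "update.microsoft.com"}

# Autorun (O4) and service (O23) binaries are expected under these roots.
# Coarse heuristic: it catches droppers in profile/Temp folders but not a
# rogue DLL planted in system32, so hash/signature checks still matter.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# Constructed sample: lines copied from the log above, plus one HYPOTHETICAL
# O4 entry (the Temp\winavxx.exe autorun) added so that the O4 check fires.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Yvonne\Local Settings\Temp\winavxx.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1192933127250
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://danchoy.dyndns.org/officescan/conso...ll/WinNTChk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FAB39D7-91D1-4346-98FA-89E675AC8954}: NameServer = 218.102.32.208 205.252.144.126
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

BINARY_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|com)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the line deserves a look
    line: str      # the raw log line


def triage(log_text, trusted_dns=TRUSTED_DNS,
           trusted_dpf_hosts=TRUSTED_DPF_HOSTS, trusted_dirs=TRUSTED_DIRS):
    """Return the HJT lines a responder should inspect first, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("O4", "O23"):
            m = BINARY_RE.search(line)
            if m and not m.group(0).lower().startswith(trusted_dirs):
                findings.append(Finding(section, "binary outside trusted roots: " + m.group(0), line))
        elif section == "O16":
            m = URL_HOST_RE.search(line)
            if m and m.group(1).lower() not in trusted_dpf_hosts:
                findings.append(Finding(section, "ActiveX control served from " + m.group(1), line))
        elif section == "O17":
            m = NAMESERVER_RE.search(line)
            if m:
                unknown = [ip for ip in m.group(1).split() if ip not in trusted_dns]
                if unknown:
                    findings.append(Finding(section, "unexpected DNS server(s): " + " ".join(unknown), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

Run against the sample with the default allow-lists it reports the Temp autorun and the dyndns.org ActiveX control; run with an empty `trusted_dns` it also reports the two resolvers, which is the check to make when the log's NameServer values have not yet been confirmed with the ISP. Anything it reports is a lead to investigate, not a verdict.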

#8 RichieUK

RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 25 October 2007 - 04:21 AM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, see if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer, because files in use may be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings, make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

#9 HK GIRL

HK GIRL
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:42 AM

Posted 26 October 2007 - 02:28 AM

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.


Sorry, there is no "Select drives" option, so I can't proceed with the scanning.

#10 RichieUK

RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 26 October 2007 - 04:57 AM

Sorry, there is no "Select drives" option, so I can't proceed with the scanning.


Run the following instead then, please:
Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double-click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Then carry on with the Kaspersky WebScanner instructions.

#11 HK GIRL

HK GIRL
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:42 AM

Posted 26 October 2007 - 10:30 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/27/2007 at 11:22 AM

Application Version : 3.9.1008

Core Rules Database Version : 3332
Trace Rules Database Version: 1333

Scan type : Complete Scan
Total Scan Time : 00:37:14

Memory items scanned : 395
Memory threats detected : 0
Registry items scanned : 5265
Registry threats detected : 0
File items scanned : 35815
File threats detected : 36

Adware.Tracking Cookie
C:\Documents and Settings\Yvonne\Cookies\yvonne@adinterax[1].txt
C:\Documents and Settings\Yvonne\Cookies\yvonne@adtech[1].txt
C:\Documents and Settings\Yvonne\Cookies\yvonne@smartmedia.allyes[2].txt
C:\Documents and Settings\Yvonne\Cookies\yvonne@ads.bridgetrack[2].txt
C:\Documents and Settings\Yvonne\Cookies\yvonne@klik.klikadvertising[1].txt
C:\Documents and Settings\Yvonne\Cookies\yvonne@upspiral[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@1.primaryads[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@2o7[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@ad.yieldmanager[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@ad1.clickhype[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@adimages.sina.com[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@ads.addynamix[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@ads.cc214142[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@ads.pointroll[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@advertising[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@atdmt[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@atwola[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@belnk[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@burstnet[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@casalemedia[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@citi.bridgetrack[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@dist.belnk[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@doubleclick[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@ehg-warnerbrothers.hitbox[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@fastclick[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@hitbox[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@maxserving[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@realmedia[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@statcounter[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@stats1.reliablestats[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@tacoda[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@tribalfusion[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@valueclick[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@winfixer[2].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@www.winfixer[1].txt
C:\OLD\Documents and Settings\Yvonne\Cookies\yvonne@z1.adserver[1].txt

#12 HK GIRL

HK GIRL
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:42 AM

Posted 27 October 2007 - 03:57 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 4:54:35 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 419441
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 111627
Number of viruses found: 4
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:33:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Yvonne\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Yvonne\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{331CA1C3-F947-413B-BD51-CA0673136D16}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{331CA1C3-F947-413B-BD51-CA0673136D16}\Microsoft\Outlook Express\Hotmail - 收件匣.dbx Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{331CA1C3-F947-413B-BD51-CA0673136D16}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{331CA1C3-F947-413B-BD51-CA0673136D16}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\History\History.IE5\MSHist012007102720071028\index.dat Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Temp\hpotdd012.log Object is locked skipped
C:\Documents and Settings\Yvonne\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Yvonne\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Yvonne\ntuser.dat.LOG Object is locked skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\Hotmail - 刪除的郵件 (1).dbx/[From from <caimports@Huiyuchunimportr.cm> [db-null]][Date Wed, 01 Feb 2006 19:20:40 -0800]/UNNAMED/[Date 1 Feb 2006 15:54:04 -0800]/CLICK_forMEDS.HTM Infected: Trojan.JS.Redirector.b skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\Hotmail - 刪除的郵件 (1).dbx/[From from <caimports@Huiyuchunimportr.cm> [db-null]][Date Wed, 01 Feb 2006 19:20:40 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\Hotmail - 刪除的郵件 (1).dbx/[From from <caimports@Huiyuchunimportr.cm> [db-null]][Date Wed, 01 Feb 2006 18:48:55 -0-100]/UNNAMED/[Date 1 Feb 2006 07:31:52 -0800]/CLICK_forMEDS.HTM Infected: Trojan.JS.Redirector.b skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\Hotmail - 刪除的郵件 (1).dbx/[From from <caimports@Huiyuchunimportr.cm> [db-null]][Date Wed, 01 Feb 2006 18:48:55 -0-100]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\Hotmail - 刪除的郵件 (1).dbx Mail MS Outlook 5: infected - 4 skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From eBay <support_ref_09341654607834@ebay.com>][Date Sat, 14 Jan 2006 12:12:34 -0300]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From eBay <support_ref_09341654607834@ebay.com>][Date Sat, 14 Jan 2006 12:12:34 -0300]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED/mail_body.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED/mail_body.zip Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED/mail_body.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED/mail_body.zip Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From ckwan@apstar.com][Date Thu, 01 Dec 2005 02:41:40 UTC]/UNNAMED/mailtext.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From ckwan@apstar.com][Date Thu, 01 Dec 2005 02:41:40 UTC]/UNNAMED/mailtext.zip Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From ckwan@apstar.com][Date Thu, 01 Dec 2005 02:41:40 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From info@thomascook.com.hk][Date Wed, 28 Dec 2005 03:13:03 UTC]/UNNAMED/downloadm.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From info@thomascook.com.hk][Date Wed, 28 Dec 2005 03:13:03 UTC]/UNNAMED/downloadm.zip Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From info@thomascook.com.hk][Date Wed, 28 Dec 2005 03:13:03 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx Mail MS Outlook 5: infected - 14 skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\040ZWTBA.NQF Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vtr.dll.vir Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B2EE98FD-D5A9-41F5-8C90-1F5B77DE5284}\RP209\A0018584.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{B2EE98FD-D5A9-41F5-8C90-1F5B77DE5284}\RP210\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\a2cache_470E9BC4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
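
The Kaspersky report above mixes three different kinds of line, and the triage that follows in the thread (delete the old deleted-mail stores, clean up C:\OLD) depends on telling them apart: "Object is locked skipped" entries are files the scanner could not open and are not detections; "Infected:" entries inside a quarantine folder, a System Restore point or an archived Outlook Express .dbx are inert copies that need cleanup but are not running code; an "Infected:" entry anywhere else is a live file. The script below is an added example (not a Kaspersky tool and not from the original thread) that sorts a report into those buckets. Its sample is built from lines of the report above plus one hypothetical line (vtr.dll still present in system32) so that the "live" bucket is exercised; in the real report that file exists only in quarantine and in a restore point. The list of quarantine folders is an assumption drawn from the tools named in this thread.

```python
"""Added example: triage of a Kaspersky Online Scanner report such as the
one posted above. Not a Kaspersky tool and not from the original thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines taken from the report above, plus one HYPOTHETICAL
# final detection (vtr.dll still in system32) so the "live" bucket is
# exercised; in the real report that file exists only in quarantine.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Yvonne\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\OLD\Documents and Settings\Yvonne\Local Settings\Application Data\Identities\{03BEB662-FB31-42E0-818A-F7F7CDD73F61}\Microsoft\Outlook Express\刪除的郵件 (1).dbx/[From hostmaster@yahoo.com.hk][Date Thu, 24 Nov 2005 06:54:56 GMT]/UNNAMED/mail_body.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
C:\Program Files\ESET\infected\040ZWTBA.NQF Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vtr.dll.vir Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{B2EE98FD-D5A9-41F5-8C90-1F5B77DE5284}\RP209\A0018584.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\WINDOWS\system32\vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
Scan process completed.
"""

# One report line is "<path> Object is locked skipped" or
# "<path> Infected: <detection> skipped". Container summary lines such as
# "... .dbx Mail MS Outlook 5: infected - 4 skipped" are deliberately ignored:
# their members are already listed individually.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)) skipped$")

# Locations whose detections are inert copies rather than running code.
# ASSUMPTION: quarantine folders of the tools used in this thread. Kaspersky
# writes archive members as "<container>/<member>", so ".dbx/" in a path
# means the hit sits inside an Outlook Express mail store.
INERT_LOCATIONS = [
    ("quarantine", re.compile(
        r"\\(?:qoobox\\quarantine|eset\\infected|doctorweb\\quarantine|superantispyware\\quarantine)\\", re.I)),
    ("restore point", re.compile(r"\\system volume information\\_restore\{", re.I)),
    ("mail store", re.compile(r"\.dbx/", re.I)),
]


@dataclass
class Triage:
    locked: int = 0                                        # unreadable, not detections
    by_category: dict = field(default_factory=lambda: defaultdict(list))


def classify(path):
    """'quarantine' / 'restore point' / 'mail store' for inert copies, else 'live'."""
    for label, rx in INERT_LOCATIONS:
        if rx.search(path):
            return label
    return "live"


def triage(report):
    """Bucket every detection by where it sits: 'live' entries need action now,
    the rest need cleanup (empty quarantine, purge restore points, drop old .dbx)."""
    result = Triage()
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("locked"):
            result.locked += 1
            continue
        result.by_category[classify(m.group("path"))].append((m.group("path"), m.group("name")))
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"locked (ignored): {t.locked}")
    for category, hits in t.by_category.items():
        print(f"{category}: {len(hits)}")
        for path, name in hits:
            print(f"  {name}  {path}")
```

On the sample this yields two locked objects, two quarantine copies, one restore-point copy, one mail-store hit and one live file (the hypothetical line). The same split applied to the full report above leaves nothing in the live bucket: every Renos hit is in quarantine or a restore point, and every Sober/Bayfraud/Redirector hit is inside a deleted-mail .dbx under C:\OLD.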

#13 HK GIRL

HK GIRL
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:42 AM

Posted 27 October 2007 - 04:01 AM

刪除的郵件 means "deleted emails".
C:\OLD holds files saved from my old computer; I can delete them if it is necessary.

#14 RichieUK

RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 27 October 2007 - 05:35 AM

刪除的郵件 means "deleted emails".
C:\OLD holds files saved from my old computer; I can delete them if it is necessary.

Remove/delete all deleted emails, and delete C:\OLD please.

Click on Start/Run, type cleanmgr into the 'Open:' space, then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.

#15 HK GIRL

HK GIRL
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:42 AM

Posted 29 October 2007 - 09:58 AM

Scanning Report
Monday, October 29, 2007 17:11:37 - 22:56:34
Computer name: HOME
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 5 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
not-virus:Hoax.Win32.Renos.lq (virus)
C:\qoobox\Quarantine\C\WINDOWS\system32\vtr.dll.vir (Submitted)
C:\Program Files\ESET\infected\040ZWTBA.NQF (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 168355
System: 3979
Not scanned: 46
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 4
Submitted: 2
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\A2CACHE_0589C641.DAT
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\DLA\TFSMRMSG.ISO
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\PROGRAM FILES\SONIC\DLA\INSTALL\TFSMRMSG.ISO
C:\I386\BIOS1.ROM
C:\I386\TFSMRMSG.ISO
C:\DOCUMENTS AND SETTINGS\YVONNE\NTUSER.DAT
C:\Documents and Settings\Yvonne\My Documents\my pic\Meeting (2).zip\DSC01204.JPG
C:\Documents and Settings\Yvonne\My Documents\my pic\namedphoto1.ZIP\Named.jpg
C:\Documents and Settings\Yvonne\My Documents\friends pic\Level 2.zip\?ĤG?h?݃D.txt
C:\DOCUMENTS AND SETTINGS\YVONNE\MY DOCUMENTS\BACKUP\SETUP\WIN98\DRIVER14.CAB
C:\DOCUMENTS AND SETTINGS\YVONNE\MY DOCUMENTS\BACKUP\SETUP\WIN98\WIN98_54.CAB
C:\DOCUMENTS AND SETTINGS\YVONNE\MY DOCUMENTS\BACKUP\SETUP\WIN98\WIN98_56.CAB
C:\DOCUMENTS AND SETTINGS\YVONNE\LOCAL SETTINGS\TEMP\HPOTDD015.LOG
C:\DOCUMENTS AND SETTINGS\YVONNE\LOCAL SETTINGS\TEMP\IHAF.TMP
C:\DOCUMENTS AND SETTINGS\YVONNE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\YVONNE\LOCAL SETTINGS\APPLICATION DATA\IDENTITIES\{331CA1C3-F947-413B-BD51-CA0673136D16}\MICROSOFT\OUTLOOK EXPRESS\HOTMAIL - ?j?v?l?��X
C:\Documents and Settings\Yvonne\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 10-27-2007 - 11-23-32.SBU\{05A178EA-F1D4-4475-890C-3C8CC719A72C}
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterRegistryTools.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterRegistryTools1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\printer.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip\system.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip\winavxx.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip\sbRecovery.reg

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-26
F-Secure AVP: 7.0.171, 2007-10-29
F-Secure Orion: 1.2.37, 2007-10-29
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-15
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics
