Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Virus Problems


  • Please log in to reply
28 replies to this topic

#1 wayjing

wayjing

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 28 November 2007 - 07:09 PM

Hi I'm having some computer problems, my computer restarts itself,firewall cannot turn on trendmico wont start.and various other scanners cant start.Can you please look at my log.thank you very much.wayjingLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:15 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NetStreams - {DD1A363E-7803-4d06-923D-367BEE305F94} - http:// (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...171/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

--
End of file - 6760 bytes

BC AdBot (Login to Remove)

 


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 15 December 2007 - 08:39 AM

Hello wayjing and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#3 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 17 December 2007 - 01:35 AM

:thumbsup: Hello and thanks so much for your response,I'm so excited and will be waiting to hear from you.wayjing

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 17 December 2007 - 04:11 AM

oopsie. I forgot to ask for a new log.

Please do the following:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#5 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 17 December 2007 - 05:46 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:06 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
E:\Program Files\a-squared Anti-Malware\a2service.exe
E:\Program Files\a-squared Anti-Malware\a2guard.exe
E:\Program Files\a-squared Anti-Malware\a2HiJackFree.exe
E:\Program Files\a-squared Anti-Malware\a2scan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [Total Uninstall Agent] "C:\Program Files\Total Uninstall 4\TuAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

--
End of file - 7622 bytes

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 17 December 2007 - 03:29 PM

Hey wayjing,

thanks for posting a fresh log.

Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all other windows and browsers, and press the Fix Checked button.

Step #2
  • Download Dr.Web CureIt to the desktop: drweb-cureit.exe
    • Reboot your computer in SAFEMODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv I need that log later.
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Step #3

* Clean your Cache and Cookies in InternetExplorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #4

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
The logs can be quite lengthy..use two post if you need to get them all in.

Step #5

Please post back with the DrWeb.csv from the DrWebCureIt scan and the main.txt and the extra.txt from the DSS scan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#7 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 17 December 2007 - 09:49 PM

hello again,here goes I hope I did everything right.able.Delete5LVGFJAA.NQF;C:\Program Files\Eset\infected;Tool.Prockill;Incurd.;


Deckard's System Scanner v20071014.68
Run by richard on 2007-12-18 10:36:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2007-12-18 18:36:07 UTC - RP23 - Deckard's System Scanner Restore Point
22: 2007-12-17 08:40:23 UTC - RP22 - ComboFix created restore point
21: 2007-12-17 06:02:30 UTC - RP21 - System Checkpoint
20: 2007-12-16 05:19:54 UTC - RP20 - System Checkpoint
19: 2007-12-14 06:33:30 UTC - RP19 - System Checkpoint


-- First Restore Point --
1: 2007-12-02 23:36:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as richard.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:17 AM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware.exe
E:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\richard\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\richard.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Total Uninstall Agent] "C:\Program Files\Total Uninstall 4\TuAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

--
End of file - 7250 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071130-161231-128 O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
backup-20071130-162447-771 O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
backup-20071130-204315-878 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20071130-204550-841 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
backup-20071201-214020-167 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20071201-214147-796 O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
backup-20071201-214634-150 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
backup-20071201-221138-780 O9 - Extra button: NetStreams - {DD1A363E-7803-4d06-923D-367BEE305F94} - http:// (file missing)
backup-20071201-221550-157 O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
backup-20071202-224454-334 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071202-224536-934 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071202-224720-122 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071202-224744-249 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071203-131812-422 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071203-131837-171 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071203-131857-458 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071204-135558-485 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071216-120114-122 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071216-222258-386 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20071216-225317-153 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20071216-225317-187 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20071217-002036-873 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071217-171155-107 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071217-223950-289 O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
backup-20071218-080816-123 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20071218-080816-954 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - e:\program files\sasdifsv.sys
R1 SASKUTIL - e:\program files\saskutil.sys
R1 VFILT (Outpost Firewall Kernel Driver) - c:\program files\agnitum\outpost firewall 1.0\kernel\2000\filtnt.sys <Not Verified; Agnitum; Virtual Firewall>
R3 ADBLOCK.DLL (Outpost Firewall PlugIn (ADBLOCK.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\adblock.dll <Not Verified; Agnitum; Outpost Firewall>
R3 CONTENT.DLL (Outpost Firewall PlugIn (CONTENT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\content.dll <Not Verified; Agnitum; Outpost Firewall>
R3 DNSCACHE.DLL (Outpost Firewall PlugIn (DNSCACHE.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\dnscache.dll <Not Verified; Agnitum; Outpost Firewall>
R3 FTPFILT.DLL (Outpost Firewall PlugIn (FTPFILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\ftpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 HTMLFILT.DLL (Outpost Firewall PlugIn (HTMLFILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\htmlfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 HTTPFILT.DLL (Outpost Firewall PlugIn (HTTPFILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\httpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 IMAPFILT.DLL (Outpost Firewall PlugIn (IMAPFILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\imapfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 MAILFILT.DLL (Outpost Firewall PlugIn (MAILFILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\mailfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 NNTPFILT.DLL (Outpost Firewall PlugIn (NNTPFILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\nntpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 POP3FILT.DLL (Outpost Firewall PlugIn (POP3FILT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\pop3filt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 PROTECT.DLL (Outpost Firewall PlugIn (PROTECT.DLL)) - c:\program files\agnitum\outpost firewall 1.0\kernel\protect.dll <Not Verified; Agnitum; Outpost Firewall>
R3 SASENUM - e:\program files\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\richard\locals~1\temp\catchme.sys (file missing)
S3 cmuda (C-Media WDM Audio Interface) - c:\windows\system32\drivers\cmuda.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
S3 RapDrv - c:\windows\system32\drivers\rapdrv.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 SABProcEnum - c:\progra~1\mozill~1\sabprocenum.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S4 black - c:\windows\system32\drivers\blackdrv.sys <Not Verified; Internet Security Systems, Inc.; ICEpac>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 OutpostFirewall (Outpost Firewall Service) - c:\progra~1\agnitum\outpos~1.0\outpost.exe /service <Not Verified; Agnitum; Outpost Firewall>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 AVP (Kaspersky Anti-Virus 6.0) - "c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avp.exe" -r (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description:
Device ID: ROOT\WPD\0000
Manufacturer:
Name:
PNP Device ID: ROOT\WPD\0000
Service:


-- Files created between 2007-11-18 and 2007-12-18 -----------------------------

2007-12-18 08:18:20 0 d-------- C:\Documents and Settings\richard\DoctorWeb
2007-12-18 00:45:56 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-12-17 12:48:13 0 d-------- C:\Downloads
2007-12-16 21:42:15 0 d-------- C:\ERDNT
2007-12-16 11:10:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-16 10:31:07 0 d-------- C:\Program Files\Common Files\Panda Software
2007-12-07 10:10:47 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-12-07 08:05:16 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 08:05:08 0 d-------- C:\Documents and Settings\richard\Application Data\SUPERAntiSpyware.com
2007-12-07 08:03:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 09:35:08 0 d-------- C:\Program Files\EsetOnlineScanner
2007-12-06 08:53:21 0 d-------- C:\Documents and Settings\richard\Application Data\Cyberlink
2007-12-04 18:47:22 0 d-------- C:\Documents and Settings\richard\.housecall6.6
2007-12-04 16:37:57 0 d-------- C:\WINDOWS\AU_Temp
2007-12-04 14:08:37 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-03 15:49:26 0 d-------- C:\WINDOWS\report
2007-12-03 15:49:09 0 d-------- C:\WINDOWS\AU_Backup
2007-12-03 15:49:08 267845 --a------ C:\WINDOWS\tsc.exe <Not Verified; Trend Micro Inc.; TrendSystemCleaner>
2007-12-03 15:49:08 71749 --a------ C:\WINDOWS\hcextoutput.dll
2007-12-03 15:49:07 1163344 --a------ C:\WINDOWS\vsapi32.dll <Not Verified; Trend Micro Inc.; VSAPI>
2007-12-03 15:49:07 86094 --a------ C:\WINDOWS\BPMNT.dll <Not Verified; Trend Micro Inc.; VSAPI>
2007-12-03 15:45:24 0 d-------- C:\WINDOWS\AU_Log
2007-12-03 15:45:18 69689 --a------ C:\WINDOWS\UNZIP.DLL <Not Verified; Trend Micro Inc.; Trend Active Update 1.32>
2007-12-03 15:45:18 507904 --a------ C:\WINDOWS\TMUPDATE.DLL <Not Verified; Trend Micro Inc.; ActiveUpdate Module>
2007-12-03 15:45:18 286720 --a------ C:\WINDOWS\PATCH.EXE <Not Verified; Trend Micro Inc.; ActiveUpdate Module>
2007-12-03 13:14:24 0 dr-h----- C:\Documents and Settings\richard\Recent
2007-12-02 21:31:49 0 d-------- C:\Documents and Settings\richard\Application Data\Help
2007-12-02 19:08:42 4032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2007-12-02 19:08:42 36864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2007-12-02 19:08:42 57696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2007-12-02 19:08:32 0 d-------- C:\WINDOWS\system32\CBA
2007-12-02 19:08:31 0 d-------- C:\Program Files\Symantec
2007-12-02 19:08:20 0 d-------- C:\Program Files\NavNT
2007-12-02 18:47:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-02 18:46:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-02 18:36:29 599840 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-02 18:36:29 1523744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-02 18:23:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Martau
2007-12-02 18:22:51 0 d-------- C:\Program Files\Total Uninstall 4
2007-12-02 17:16:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-02 17:08:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-01 23:10:20 0 d-------- C:\WINDOWS\SDFIX
2007-11-30 16:07:35 0 d--hs---- C:\WINDOWS\CSC
2007-11-29 16:24:37 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2007-11-29 07:44:44 0 d-------- C:\Program Files\Trend Micro
2007-11-29 00:40:09 0 d-------- C:\Documents and Settings\richard\Application Data\Uniblue
2007-11-27 20:23:30 0 d-------- C:\WINDOWS\McAfee.com
2007-11-25 01:56:13 0 d-------- C:\WINDOWS\network diagnostic
2007-11-24 22:18:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-11-24 22:10:23 0 d-------- C:\WINDOWS\system32\PreInstall
2007-11-24 22:10:21 0 d--h----- C:\WINDOWS\$hf_mig$
2007-11-23 23:05:34 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-11-22 14:54:16 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-11-22 14:48:45 0 d-------- C:\Program Files\Agnitum


-- Find3M Report ---------------------------------------------------------------

2007-12-16 10:31:07 0 d-------- C:\Program Files\Common Files
2007-12-07 10:10:48 4623 --a------ C:\WINDOWS\mozver.dat
2007-12-02 22:18:33 0 d-------- C:\Documents and Settings\richard\Application Data\Lavasoft
2007-11-22 14:48:48 0 d-------- C:\Program Files\Common Files\Agnitum Shared
2007-11-12 23:58:46 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-12 22:48:10 0 d-------- C:\Program Files\Ahead
2007-11-12 22:45:42 0 d-------- C:\Program Files\Common Files\Ahead
2007-11-12 22:33:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-12 22:31:59 0 d-------- C:\Program Files\CyberLink
2007-11-07 12:24:00 0 d-------- C:\Documents and Settings\richard\Application Data\AdobeUM
2007-11-06 23:56:47 0 d-------- C:\Documents and Settings\richard\Application Data\Hewlett-Packard
2007-11-06 23:34:33 0 d-------- C:\Program Files\Hewlett-Packard
2007-11-05 14:29:57 0 d-------- C:\Documents and Settings\richard\Application Data\Yahoo!
2007-10-25 17:36:13 0 d-------- C:\Documents and Settings\richard\Application Data\vlc
2007-10-22 21:42:26 0 d-------- C:\Program Files\Yahoo!
2007-10-22 20:41:30 1806 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-21 11:09:48 192 --a------ C:\WINDOWS\system32\tbhi.dat
2007-10-03 23:36:46 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" [06/14/2002 04:20 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 11:22 AM]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [08/29/2004 06:22 AM C:\WINDOWS\SOUNDMAN.EXE]
"a-squared"="E:\Program Files\a-squared Anti-Malware\a2guard.exe" [12/17/2007 09:06 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [12/18/2007 12:45 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Total Uninstall Agent"="C:\Program Files\Total Uninstall 4\TuAgent.exe" [08/19/2007 10:48 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SASWINLO.dll 04/19/2007 01:41 PM 294912 E:\Program Files\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"E:\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
"E:\Program Files\Multimedia Launcher\PowerBar.exe" /AtBootTime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"E:\Program Files\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
E:\Acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"PowerBar"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"<NO NAME>"=
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto




-- End of Deckard's System Scanner: finished at 2007-12-18 10:37:48 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.66GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 511.48 MiB / 222.06 MiB
Pagefile Memory (total/avail): 1633.27 MiB / 1405.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.93 MiB

C: is Fixed (NTFS) - 9.77 GiB total, 2.61 GiB free.
D: is Fixed (NTFS) - 9.77 GiB total, 4.06 GiB free.
E: is Fixed (NTFS) - 9.77 GiB total, 0.86 GiB free.
F: is Fixed (NTFS) - 45.26 GiB total, 14.34 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SV0813H - 74.56 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 64.79 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\a-squared Anti-Malware\\a2upd.exe"="E:\\Program Files\\a-squared Anti-Malware\\a2upd.exe:*:Enabled:a2upd"
"E:\\Program Files\\a-squared Anti-Malware\\a2scan.exe"="E:\\Program Files\\a-squared Anti-Malware\\a2scan.exe:*:Enabled:a-squared Scanner"
"E:\\Program Files\\SUPERAntiSpyware.exe"="E:\\Program Files\\SUPERAntiSpyware.exe:*:Enabled:SUPERAntiSpyware Free Edition"
"F:\\ewido_micro.exe"="F:\\ewido_micro.exe:*:Enabled:ewido_micro"
"E:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Aware.exe"="E:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Aware.exe:*:Enabled:Ad-Aware SE Professional"
"E:\\Program Files\\a-squared Anti-Malware\\a2service.exe"="E:\\Program Files\\a-squared Anti-Malware\\a2service.exe:*:Enabled:a2service"
"E:\\Program Files\\a-squared Anti-Malware\\a2start.exe"="E:\\Program Files\\a-squared Anti-Malware\\a2start.exe:*:Enabled:a-squared Security Center"
"C:\\Program Files\\Eset\\nod32.exe"="C:\\Program Files\\Eset\\nod32.exe:*:Enabled:NOD32"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\richard\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WORKGROU-FECA64
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\richard
LOGONSERVER=\\WORKGROU-FECA64
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\richard\LOCALS~1\Temp
TMP=C:\DOCUME~1\richard\LOCALS~1\Temp
USERDOMAIN=WORKGROU-FECA64
USERNAME=richard
USERPROFILE=C:\Documents and Settings\richard
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

richard (admin)
laura
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.1 --> "E:\Program Files\a-squared Anti-Malware\unins000.exe"
Ad-Aware SE Professional --> E:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE E:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 7.0.9 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Agnitum Outpost Firewall 1.0 --> "C:\Program Files\Agnitum\Outpost Firewall 1.0\uninst.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{CE6825B7-B5E2-4475-A549-4C04A83427FE}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
C-Media WDM Audio Driver --> C:\WINDOWS\system32\cmirmdrv.exe
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
eMule --> "F:\Program Files\eMule\Uninstall.exe"
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
GetRight --> E:\Program Files\GetRight\GETRIGHT.EXE /UNINSTALL
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp deskjet 3500 --> msiexec /x{8FD62EBB-3175-4907-A326-989B14E5C757}
hp deskjet 3500 series --> rundll32 hpzcon08.dll,VendorJettison hp deskjet 3500 series
HP Photo and Imaging 2.0 - Deskjet Series --> MsiExec.exe /I{E0828692-FD9D-459F-9312-C645C3CA6650}
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Language pack for Ad-Aware SE --> E:\Plugins\Langs\UNWISE.EXE E:\Plugins\Langs\INSTALL.LOG
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "E:\Eset\unins000.exe"
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Recover My Files --> "D:\Program Files\Recover My Files\unins000.exe"
SpywareBlaster v3.5.1 --> "E:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Total Uninstall v4.21 ºº»¯°æ --> "C:\Program Files\Total Uninstall 4\unins000.exe"
TVUPlayer 2.3.3.2 --> E:\Program Files\TVUPlayer\uninst.exe
VideoLAN VLC media player 0.8.6c --> E:\Program Files\VLC\uninstall.exe
Vimicro USB PC Camera (VC0305) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AD824A5-1CCC-4BB7-82C9-E6FB25CC0479}\setup.exe" -l0x9
Vimicro USB PC Camera (ZC301PLH) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\setup.exe" -l0x9
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> E:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE E:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type5631 / Error
Event Submitted/Written: 12/18/2007 08:02:42 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20071.12718, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5627 / Warning
Event Submitted/Written: 12/18/2007 02:20:29 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5619 / Warning
Event Submitted/Written: 12/18/2007 00:21:36 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not open file C:\Documents and Settings\richard\NTUSER~1.LOG [00000003]

Event Record #/Type5618 / Warning
Event Submitted/Written: 12/18/2007 00:21:36 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not open file C:\Documents and Settings\richard\NTUSER.DAT [00000003]

Event Record #/Type5617 / Warning
Event Submitted/Written: 12/18/2007 00:21:34 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not open file C:\Documents and Settings\richard\Local Settings\Temporary Internet Files\Content.IE5\index.dat [00000003]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11598 / Warning
Event Submitted/Written: 12/18/2007 10:22:06 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00E04A00EF22. The IP address being used is 169.254.64.184.

Event Record #/Type11594 / Error
Event Submitted/Written: 12/18/2007 10:20:03 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type11593 / Error
Event Submitted/Written: 12/18/2007 10:19:56 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type11592 / Error
Event Submitted/Written: 12/18/2007 10:18:26 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type11591 / Error
Event Submitted/Written: 12/18/2007 08:17:42 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
nod32drv
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
VFILT
WS2IFSL



-- End of Deckard's System Scanner: finished at 2007-12-18 10:37:48 ------------

#8 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 19 December 2007 - 12:40 AM

Hey Wayjing,

I see you ran ComboFix and SDFix prior to asking for help. This is not really advisable as you may damage your pc when running these tools without guidance.

It seems you have Agnitum Outpost Firewall installed but not running.

I know that firewalls can be a hassle for some games and other programs, but please consider for a second what is more annoying to you - the recurring task of having to clean up your machine of an infection due to lack of protection, or having to train your firewall once for future prevention of being infected again. Considering, that you might even have to change all your passwords in the worst-case scenario, I just personally think that the latter is the best option.

The Windows firewall is better than nothing, but doesn't monitor outgoing packets very well. A third party firewall will bug you with a lot of deny or allow questions for a while, but you should be able to tell it to remember your decision so after about a week or so you will rarely be asked for a decision. It's up to you, I just think you should really give it a try. For a bit more on the firewall thing, have a read here: http://www.us-cert.gov/cas/tips/ST04-004.html.

You have a lot of Antivirus / Antispyware programmes installed. This is not necessarily and may cause your system to be slow and steal some of your already low system resources (you should consider buying more Ram).

Step #1

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Emule). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (ie the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #2

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Java™ 6 Update 2, Java™ SE Runtime Environment 6 Update 1

Step #3

Lets download ComboFix again from here.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.)
  • Close any open browsers
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log in your next reply together with a new HijackThis log
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

Step #4

Please post back with a fresh HijackThis log and the ComboFix log.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#9 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 19 December 2007 - 02:59 AM

Hello Yourhighness, I did as you said but on the java thing there was two Java™ 6 Update 2 and one Java™ 6 Update3
and one SE Runtime Environment 6 Update 1 so I uninstalled all,hope that was right. On the firewall thing I couldn't turn it on, no matter what I did but when I ran the combofix it came back and turned on. Here are the latest scans,thanks.


ComboFix 07-12-19.2 - richard 2007-12-19 15:22:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.157 [GMT -8:00]
Running from: C:\Documents and Settings\richard\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-18 19:36 . 2007-12-18 19:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-18 19:36 . 2007-12-18 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 18:47 . 2007-12-18 18:47 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-18 08:18 . 2007-12-18 08:18 <DIR> d-------- C:\Documents and Settings\richard\DoctorWeb
2007-12-18 00:45 . 2007-12-18 00:45 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-12-18 00:45 . 2007-12-18 00:45 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-12-18 00:45 . 2007-12-18 00:45 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-12-17 12:48 . 2007-12-17 12:48 <DIR> d-------- C:\Downloads
2007-12-16 21:42 . 2007-12-16 21:44 <DIR> d-------- C:\ERDNT
2007-12-16 21:16 . 2007-12-18 20:21 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-16 11:10 . 2007-12-16 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-16 10:31 . 2007-12-16 11:19 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-12-09 09:36 . 2004-08-29 06:22 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll
2007-12-07 23:39 . 2007-07-30 19:19 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-12-07 23:39 . 2007-07-30 19:19 53,080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-12-07 10:10 . 2007-12-18 14:02 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-12-07 08:05 . 2007-12-07 08:05 <DIR> d-------- C:\Documents and Settings\richard\Application Data\SUPERAntiSpyware.com
2007-12-07 08:05 . 2007-12-07 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 08:03 . 2007-12-07 08:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 09:35 . 2007-12-06 22:14 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-06 08:53 . 2007-12-06 08:53 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Cyberlink
2007-12-04 18:47 . 2007-12-05 21:52 <DIR> d-------- C:\Documents and Settings\richard\.housecall6.6
2007-12-04 17:29 . 2007-12-04 17:28 39,823,741 --a------ C:\WINDOWS\LPT$VPN.859
2007-12-04 17:28 . 2007-12-04 17:28 39,823,741 --a------ C:\WINDOWS\VPTNFILE.859
2007-12-04 16:37 . 2007-12-04 17:28 <DIR> d-------- C:\WINDOWS\AU_Temp
2007-12-04 14:08 . 2007-12-04 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-03 15:49 . 2007-12-04 17:30 <DIR> d-------- C:\WINDOWS\report
2007-12-03 15:49 . 2007-12-04 17:28 <DIR> d-------- C:\WINDOWS\AU_Backup
2007-12-03 15:49 . 2007-12-04 17:28 1,899,383 --a------ C:\WINDOWS\tsc.ptn
2007-12-03 15:49 . 2007-12-04 17:28 1,163,344 --a------ C:\WINDOWS\vsapi32.dll
2007-12-03 15:49 . 2007-12-04 17:28 267,845 --a------ C:\WINDOWS\tsc.exe
2007-12-03 15:49 . 2007-12-04 17:28 86,094 --a------ C:\WINDOWS\BPMNT.dll
2007-12-03 15:49 . 2007-12-04 17:28 71,749 --a------ C:\WINDOWS\hcextoutput.dll
2007-12-03 15:49 . 2007-12-04 18:36 823 --a------ C:\WINDOWS\tsc.ini
2007-12-03 15:45 . 2007-12-03 15:45 <DIR> d-------- C:\WINDOWS\AU_Log
2007-12-03 15:45 . 2007-12-03 15:45 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL
2007-12-03 15:45 . 2007-12-03 15:45 286,720 --a------ C:\WINDOWS\PATCH.EXE
2007-12-03 15:45 . 2007-12-03 15:45 69,689 --a------ C:\WINDOWS\UNZIP.DLL
2007-12-02 19:29 . 2007-12-02 19:29 0 --a------ C:\WINDOWS\VPC32.INI
2007-12-02 19:08 . 2007-12-02 19:08 <DIR> d-------- C:\WINDOWS\system32\CBA
2007-12-02 19:08 . 2007-12-02 19:09 <DIR> d-------- C:\Program Files\Symantec
2007-12-02 19:08 . 2007-12-14 21:22 <DIR> d-------- C:\Program Files\NavNT
2007-12-02 19:08 . 2001-09-24 08:29 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2007-12-02 19:08 . 2001-09-24 08:29 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 19:08 . 2001-09-24 08:29 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-02 19:08 . 2001-09-24 08:29 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2007-12-02 19:00 . 2007-12-02 19:00 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-02 18:47 . 2007-12-02 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-02 18:46 . 2007-12-02 19:33 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-02 18:36 . 2007-12-06 16:42 1,523,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-02 18:36 . 2007-12-06 16:42 599,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-02 18:36 . 2007-12-06 16:42 59,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-02 18:36 . 2007-12-06 16:42 22,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-02 18:23 . 2007-12-02 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Martau
2007-12-02 18:22 . 2007-12-14 12:25 <DIR> d-------- C:\Program Files\Total Uninstall 4
2007-12-01 23:24 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-01 23:10 . 2007-12-01 23:10 <DIR> d-------- C:\WINDOWS\SDFIX
2007-11-29 18:41 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-11-29 18:41 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-11-29 16:24 . 2007-01-18 13:38 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-11-29 11:18 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-29 07:44 . 2007-11-29 07:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 00:40 . 2007-11-29 00:40 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Uniblue
2007-11-27 20:23 . 2007-11-27 20:23 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-11-26 22:47 . 2007-11-26 22:47 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-24 22:10 . 2007-11-25 06:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-24 22:10 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-22 14:48 . 2007-11-22 14:48 <DIR> d-------- C:\Program Files\Agnitum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 06:18 --------- d-----w C:\Documents and Settings\richard\Application Data\Lavasoft
2007-11-22 22:48 --------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-11-13 07:58 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-13 06:48 --------- d-----w C:\Program Files\Ahead
2007-11-13 06:45 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-13 06:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 06:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-13 06:31 --------- d-----w C:\Program Files\CyberLink
2007-11-12 02:58 --------- d-----w C:\Documents and Settings\Guest\Application Data\vlc
2007-11-07 20:24 --------- d-----w C:\Documents and Settings\richard\Application Data\AdobeUM
2007-11-07 07:56 --------- d-----w C:\Documents and Settings\richard\Application Data\Hewlett-Packard
2007-11-07 07:34 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-05 22:29 --------- d-----w C:\Documents and Settings\richard\Application Data\Yahoo!
2007-10-26 01:36 --------- d-----w C:\Documents and Settings\richard\Application Data\vlc
2007-10-24 00:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-23 05:42 --------- d-----w C:\Program Files\Yahoo!
2007-10-21 19:09 10 ----a-w C:\WINDOWS\system32\drivers\tmbi.sys
2007-10-20 06:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-20 01:39 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-10-04 07:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2004-03-11 21:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-07-23 20:19 5 --sha-w C:\WINDOWS\system32\dfeadc_s.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_ 0.42.58.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-06 23:59:11 300,680 ----a-w C:\WINDOWS\Downloaded Program Files\arclib.dll
+ 2007-11-19 00:18:55 13,076,520 ----a-w C:\WINDOWS\Downloaded Program Files\vet.dat
- 2007-12-07 18:10:48 4,623 ----a-w C:\WINDOWS\mozver.dat
+ 2007-12-18 20:05:03 5,140 ----a-w C:\WINDOWS\mozver.dat
+ 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" [2002-06-14 16:20]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 04:00 C:\WINDOWS\system32\rundll32.exe]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [2004-08-29 06:22 C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-18 00:45]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-12 20:52 483328 --a------ E:\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2002-12-02 20:56 40960 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2002-12-17 11:40 49152 -ra------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-03-11 00:08 172032 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-07 05:25 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
E:\Program Files\Multimedia Launcher\PowerBar.exe /AtBootTime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 17:35 32768 --a------ E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Total Uninstall Agent]
2007-08-19 22:48 602416 --a------ C:\Program Files\Total Uninstall 4\TuAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
E:\Acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"PowerBar"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"<NO NAME>"=
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 16:19]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2002-06-14 16:20]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 16:20]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 16:19]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 16:20]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 16:20]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 16:20]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 16:20]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 16:20]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 16:20]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 16:20]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 16:20]
S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-02-25 18:26]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 18:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 18:26]
S4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2005-03-30 09:40]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 15:23:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-19 15:25:19
.
2007-11-25 13:56:40 --- E O F ---


new Hijack log Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:31 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

--
End of file - 6899 bytes

#10 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 19 December 2007 - 03:06 AM

Hello Yourhighness Sorry I forgot to ask do I reinstall java at this time or wait.thanks again. Wayjing

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 19 December 2007 - 03:46 AM

Hey there,

Hello Yourhighness, I did as you said but on the java thing there was two Java™ 6 Update 2 and one Java™ 6 Update3
and one SE Runtime Environment 6 Update 1 so I uninstalled all,hope that was right.

Actually not completely. You removed your new version as well. The ones I asked for where: Java™ 6 Update 2, Java™ SE Runtime Environment 6 Update 1 and are the old versions on your pc. Leaving old versions on the pc can leave you open to attacks using "security holes" in these softwares. Please visit the java site again and download the latest version.

I am at work now so will have to look at your logs later tonight. There is no need to post new logs after installing the Java update. We will work with what you posted above.

Thanks for your understanding.

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 20 December 2007 - 09:48 AM

Hey Wayjing,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    http://www.bleepingcomputer.com/forums/t/118743/malware-virus-problems/?p=689685
    
    Suspect::
    C:\WINDOWS\PATCH.EXE
    C:\WINDOWS\system32\dfeadc_s.dll
    
    Folder::
    C:\WINDOWS\SDFIX
    
    File::
    C:\WINDOWS\system32\WS2Fix.exe
  • Save this as CFScript.txt

    Posted Image
  • Refering to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
  • Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #3

Please go to Eset Onlinescan (NOD32)
(You need to use InternetExplorer or enable IEView in Firefox)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
    • Click into the text area, right-click and chose "select all" (or use ctrl+a)
    • Right-click again and chose "copy" (or ctrl+c)
    • Close Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Step #4

Please post back with the ComboFix log, a fresh HijackThis log and the log from the NOD32 scan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#13 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 20 December 2007 - 12:24 PM

Hello again Yourhighness,Wow you really got your work cut out for you on this one,I thought I knew a little something about computers,not.Just hope I followed your instructions to the tee.And thanks again for all your hard work.
I hope this is what you're asking for when you said post the link, http://www.bleepingcomputer.com/pf.php


And here are the scans...
ComboFix 07-12-19.2 - richard 2007-12-20 23:26:25.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT -8:00]
Running from: C:\Documents and Settings\richard\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\richard\My Documents\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SDFIX
C:\WINDOWS\SDFIX\ERUNT\SDFIX\default
C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNT.CON
C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNT.EXE
C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNT.INF
C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNTDOS.LOC
C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNTWIN.LOC
C:\WINDOWS\SDFIX\ERUNT\SDFIX\SAM
C:\WINDOWS\SDFIX\ERUNT\SDFIX\SECURITY
C:\WINDOWS\SDFIX\ERUNT\SDFIX\software
C:\WINDOWS\SDFIX\ERUNT\SDFIX\system
C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\default
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNT.CON
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNT.EXE
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNT.INF
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNTDOS.LOC
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNTWIN.LOC
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\SAM
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\SECURITY
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\software
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\system
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
C:\WINDOWS\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-19 23:13 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-19 23:12 . 2007-12-19 23:13 <DIR> d-------- C:\Program Files\Java
2007-12-19 23:10 . 2007-12-19 23:10 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-18 19:36 . 2007-12-18 19:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-18 18:47 . 2007-12-18 18:47 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-18 10:35 . 2007-12-18 10:35 <DIR> d-------- C:\Deckard
2007-12-18 08:18 . 2007-12-18 08:18 <DIR> d-------- C:\Documents and Settings\richard\DoctorWeb
2007-12-18 00:45 . 2007-12-18 00:45 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-12-18 00:45 . 2007-12-18 00:45 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-12-18 00:45 . 2007-12-18 00:45 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-12-17 12:48 . 2007-12-17 12:48 <DIR> d-------- C:\Downloads
2007-12-16 21:42 . 2007-12-16 21:44 <DIR> d-------- C:\ERDNT
2007-12-16 11:10 . 2007-12-16 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-16 10:31 . 2007-12-16 11:19 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-12-09 09:36 . 2004-08-29 06:22 65,536 --a------ C:\WINDOWS\system32\Audio3D.dll
2007-12-07 23:39 . 2007-07-30 19:19 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-12-07 23:39 . 2007-07-30 19:19 53,080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-12-07 10:10 . 2007-12-18 14:02 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-12-07 08:05 . 2007-12-07 08:05 <DIR> d-------- C:\Documents and Settings\richard\Application Data\SUPERAntiSpyware.com
2007-12-07 08:05 . 2007-12-07 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 08:03 . 2007-12-07 08:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 09:35 . 2007-12-06 22:14 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-06 08:53 . 2007-12-06 08:53 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Cyberlink
2007-12-04 18:47 . 2007-12-05 21:52 <DIR> d-------- C:\Documents and Settings\richard\.housecall6.6
2007-12-04 17:29 . 2007-12-04 17:28 39,823,741 --a------ C:\WINDOWS\LPT$VPN.859
2007-12-04 17:28 . 2007-12-04 17:28 39,823,741 --a------ C:\WINDOWS\VPTNFILE.859
2007-12-04 16:37 . 2007-12-04 17:28 <DIR> d-------- C:\WINDOWS\AU_Temp
2007-12-04 14:08 . 2007-12-04 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-03 15:49 . 2007-12-04 17:30 <DIR> d-------- C:\WINDOWS\report
2007-12-03 15:49 . 2007-12-04 17:28 <DIR> d-------- C:\WINDOWS\AU_Backup
2007-12-03 15:49 . 2007-12-04 17:28 1,899,383 --a------ C:\WINDOWS\tsc.ptn
2007-12-03 15:49 . 2007-12-04 17:28 1,163,344 --a------ C:\WINDOWS\vsapi32.dll
2007-12-03 15:49 . 2007-12-04 17:28 267,845 --a------ C:\WINDOWS\tsc.exe
2007-12-03 15:49 . 2007-12-04 17:28 86,094 --a------ C:\WINDOWS\BPMNT.dll
2007-12-03 15:49 . 2007-12-04 17:28 71,749 --a------ C:\WINDOWS\hcextoutput.dll
2007-12-03 15:49 . 2007-12-04 18:36 823 --a------ C:\WINDOWS\tsc.ini
2007-12-03 15:45 . 2007-12-03 15:45 <DIR> d-------- C:\WINDOWS\AU_Log
2007-12-03 15:45 . 2007-12-03 15:45 507,904 --a------ C:\WINDOWS\TMUPDATE.DLL
2007-12-03 15:45 . 2007-12-03 15:45 286,720 --a------ C:\WINDOWS\PATCH.EXE
2007-12-03 15:45 . 2007-12-03 15:45 69,689 --a------ C:\WINDOWS\UNZIP.DLL
2007-12-02 19:29 . 2007-12-02 19:29 0 --a------ C:\WINDOWS\VPC32.INI
2007-12-02 19:08 . 2007-12-02 19:08 <DIR> d-------- C:\WINDOWS\system32\CBA
2007-12-02 19:08 . 2007-12-02 19:09 <DIR> d-------- C:\Program Files\Symantec
2007-12-02 19:08 . 2007-12-14 21:22 <DIR> d-------- C:\Program Files\NavNT
2007-12-02 19:08 . 2001-09-24 08:29 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2007-12-02 19:08 . 2001-09-24 08:29 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 19:08 . 2001-09-24 08:29 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-02 19:08 . 2001-09-24 08:29 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2007-12-02 19:00 . 2007-12-02 19:00 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-02 18:47 . 2007-12-02 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-02 18:46 . 2007-12-02 19:33 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-02 18:36 . 2007-12-06 16:42 1,523,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-02 18:36 . 2007-12-06 16:42 599,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-02 18:36 . 2007-12-06 16:42 59,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-02 18:36 . 2007-12-06 16:42 22,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-02 18:23 . 2007-12-02 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Martau
2007-12-02 18:22 . 2007-12-14 12:25 <DIR> d-------- C:\Program Files\Total Uninstall 4
2007-12-01 23:24 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-29 18:41 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-11-29 18:41 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-11-29 16:24 . 2007-01-18 13:38 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-11-29 11:18 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-29 07:44 . 2007-11-29 07:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 00:40 . 2007-11-29 00:40 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Uniblue
2007-11-27 20:23 . 2007-11-27 20:23 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-11-26 22:47 . 2007-11-26 22:47 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-24 22:10 . 2007-12-20 12:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-24 22:10 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-22 14:48 . 2007-11-22 14:48 <DIR> d-------- C:\Program Files\Agnitum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 06:18 --------- d-----w C:\Documents and Settings\richard\Application Data\Lavasoft
2007-11-22 22:48 --------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 07:58 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-13 06:48 --------- d-----w C:\Program Files\Ahead
2007-11-13 06:45 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-13 06:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 06:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-13 06:31 --------- d-----w C:\Program Files\CyberLink
2007-11-12 02:58 --------- d-----w C:\Documents and Settings\Guest\Application Data\vlc
2007-11-07 20:24 --------- d-----w C:\Documents and Settings\richard\Application Data\AdobeUM
2007-11-07 07:56 --------- d-----w C:\Documents and Settings\richard\Application Data\Hewlett-Packard
2007-11-07 07:34 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-05 22:29 --------- d-----w C:\Documents and Settings\richard\Application Data\Yahoo!
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-26 01:36 --------- d-----w C:\Documents and Settings\richard\Application Data\vlc
2007-10-24 00:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-23 05:42 --------- d-----w C:\Program Files\Yahoo!
2007-10-21 19:09 10 ----a-w C:\WINDOWS\system32\drivers\tmbi.sys
2007-10-20 01:39 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2004-03-11 21:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-07-23 20:19 5 --sha-w C:\WINDOWS\system32\dfeadc_s.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_ 0.42.58.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-06 23:59:11 300,680 ----a-w C:\WINDOWS\Downloaded Program Files\arclib.dll
+ 2007-11-19 00:18:55 13,076,520 ----a-w C:\WINDOWS\Downloaded Program Files\vet.dat
- 2007-12-07 18:10:48 4,623 ----a-w C:\WINDOWS\mozver.dat
+ 2007-12-20 07:15:12 5,140 ----a-w C:\WINDOWS\mozver.dat
- 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-10-11 06:13:44 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-10-11 06:13:44 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-10-11 06:13:44 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-08-22 13:12:15 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-10-11 06:13:44 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-08-22 13:12:15 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2007-10-11 06:13:44 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-08-22 13:12:16 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2007-10-11 06:13:44 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2007-08-22 13:12:16 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-22 13:12:16 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-11 06:13:44 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-21 10:30:45 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-10-10 11:16:27 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-08-22 13:12:16 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-10-11 06:13:44 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-08-22 13:12:16 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-10-11 06:13:44 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-08-22 13:12:16 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00:00 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 10:05:47 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
- 2004-08-04 12:00:00 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
- 2004-08-04 12:00:00 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
- 2004-08-04 12:00:00 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
- 2004-08-04 12:00:00 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
- 2004-08-04 12:00:00 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
- 2004-08-04 12:00:00 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:46:59 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
- 2004-08-04 12:00:00 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
- 2004-08-04 12:00:00 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
+ 2007-07-06 12:46:59 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-08-22 13:12:17 3,058,176 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-22 13:12:17 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-22 13:12:17 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-11 06:13:45 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-22 13:12:17 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-11 06:13:45 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-22 13:12:17 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2005-08-30 03:54:26 1,287,168 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-22 13:12:18 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2007-10-11 06:13:45 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-08-22 13:12:18 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2007-10-11 06:13:45 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-08-22 13:12:18 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-11 06:13:45 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-22 13:12:18 658,944 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-11 06:13:45 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2005-01-28 20:44:28 224,768 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-28 01:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-04 12:00:00 72,960 -c--a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2007-08-22 13:12:16 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-22 13:12:16 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-11 06:13:44 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-22 13:12:16 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-10-11 06:13:44 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-08-22 13:12:16 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-10-11 06:13:44 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-09-25 05:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 05:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 06:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-08-22 13:12:16 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 12:00:00 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 12:00:00 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 12:00:00 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 12:00:00 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 12:00:00 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 12:00:00 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 12:00:00 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 12:00:00 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-08-22 13:12:17 3,058,176 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-22 13:12:17 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-22 13:12:17 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-11 06:13:45 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-22 13:12:17 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-11 06:13:45 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-22 13:12:17 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-10-11 06:13:45 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-10-11 06:13:45 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-08-22 13:12:18 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-11 06:13:45 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-22 13:12:18 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-11 06:13:45 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-12-21 06:47:13 39,742,107 ----a-w C:\WINDOWS\TEMP\a2cache_3A7CA809.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2002-06-14 16:20]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 04:00 C:\WINDOWS\system32\rundll32.exe]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [2004-08-29 06:22 C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-18 00:45]
"a-squared"="E:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-12-19 16:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-12 20:52 483328 --a------ E:\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2002-12-02 20:56 40960 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2002-12-17 11:40 49152 -ra------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-03-11 00:08 172032 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-07 05:25 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
E:\Program Files\Multimedia Launcher\PowerBar.exe /AtBootTime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 17:35 32768 --a------ E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Total Uninstall Agent]
2007-08-19 22:48 602416 --a------ C:\Program Files\Total Uninstall 4\TuAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
E:\Acrobat\AdobeUpdateManager.exe AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVP"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"PowerBar"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"<NO NAME>"=
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 16:19]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2002-06-14 16:20]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 16:20]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 16:19]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 16:20]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 16:20]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 16:20]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 16:20]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 16:20]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 16:20]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 16:20]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 16:20]
S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-02-25 18:26]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 18:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 18:26]
S4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2005-03-30 09:40]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 23:29:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-20 23:31:05
C:\ComboFix2.txt ... 2007-12-19 15:25
.
2007-11-25 13:56:40 --- E O F ---



# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2738 (20071220)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=fc4c453278f65d4691e23c8ae515c04f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-21 09:00:56
# local_time=2007-12-21 01:00:56 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=290442
# found=0
# scan_time=2854
# nod_component=NOD32MOD_WINNT_ENGLISH_BASE Build:0x11081617 (NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base)
# nod_component=NOD32MOD_WINNT_ENGLISH_INET Build:0x11081617 (NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support)
# nod_component=NOD32MOD_WINNT_ENGLISH_STANDARD Build:0x11081617 (NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component)





Fresh hijackthis log....Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:52 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888485912
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195888427068
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...174/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{471A4492-B5F6-4E79-BB98-46A358547060}: NameServer = 202.96.128.166 202.96.134.133
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

--
End of file - 6836 bytes

#14 wayjing

wayjing
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:china
  • Local time:07:15 PM

Posted 24 December 2007 - 12:24 AM

Hello Yourhighness,just wondering if you closed this post or maybe you're very busy for the holidays,still have computer problems. thank you and happy holidays wayjing

#15 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:12:15 PM

Posted 24 December 2007 - 02:31 AM

Hi wayjing,

awoops - sorry. Seems I forgot to reply to you. I am waiting for feedback from a colleague regarding some files on your pc. Could you let me know what kind of problems you still seem to have? I am at work now and will be gone to my mom's over the holidays, but will still have Internet. Hope to have a reply to you soon.

For now, please let me know what problems you are still facing. Thanks and merry x-mas :thumbsup:

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users