Blue Screen With Yellow Word "spyware Detected!"


This topic is locked
5 replies to this topic

#1 hkjoey81

  • Members
  • 3 posts
  • Gender: Female
  • Location: Hong Kong

Posted 29 March 2008 - 03:57 AM

Dear all experts!!

A few days ago I was trying to install a program for making ringtones for an iPhone, but after I installed the program and restarted the next day, my wallpaper was changed to a blue screen with "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer". I have read a lot of the forum information and downloaded ComboFix and HijackThis; the log files are below. Please HELP!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:58 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashGet Network\Flashget\FlashGet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\joey\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\Flashget\ComDlls\bhoCATCH.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: (no name) - {25D3D77C-FD27-4C17-B396-9F5BD4776E31} - C:\WINDOWS\system32\adsn.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [RavMont] C:\WINDOWS\system32\MP3.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - Startup: iPhoneRingToneMaker.lnk = ?
O4 - Startup: VP-EYE.lnk = C:\VP-EYE\control\vpeyev4.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier 快速啟動.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Download using FlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: &Download all links using FlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?df0c5a11a4d942c8ab44dfacafb02c4a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?df0c5a11a4d942c8ab44dfacafb02c4a
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: N|O﹐eRA - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2292AF2D-F493-46D2-9EE1-DADED1D10998} (TOGO PACIFIC Control) - http://218.189.138.226:8000/tatming/report/Printipz.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {ECCBA953-80E5-11D3-9285-0080ADB811C5} (safeInput Class) - https://pbank.95559.com.cn/personbank/ocx/safe.cab
O20 - Winlogon Notify: sysfldr - C:\WINDOWS\SYSTEM32\sysfldr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9252 bytes




ComboFix 08-03-27.3 - joey 2008-03-29 12:39:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.1522 [GMT 8:00]
Running from: C:\Documents and Settings\joey\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Program Files\inetget2
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\BM935eb8fb.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\Cxw11.sys
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\gdrfrnbw.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\glwjindw.dll
C:\WINDOWS\system32\iesearch.dll
C:\WINDOWS\system32\jymapflt.dll
C:\WINDOWS\system32\opnnomn.dll
C:\WINDOWS\system32\qcftmlbo.dll
C:\WINDOWS\system32\rophjrct.dll
C:\WINDOWS\system32\wdsdqqry.ini
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xmigbmaw.dll
C:\WINDOWS\system32\yrqqdsdw.dll
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CXW11
-------\Legacy_{FBE1D620-5418-4AAE-A0F0-316D590663A1}
-------\Service_{FBE1D620-5418-4aae-A0F0-316D590663A1}
-------\Service_Cxw11
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-29 12:35 . 2008-03-29 12:35 269,334 --a------ C:\WINDOWS\system32\nmpcretorqtkj.bmp
2008-03-29 12:08 . 2008-03-29 12:08 269,334 --a------ C:\WINDOWS\system32\dobeton.bmp
2008-03-29 11:21 . 2008-03-29 11:48 1,508,810 ---hs---- C:\WINDOWS\system32\cbbsfawa.ini
2008-03-29 11:18 . 2008-03-29 11:18 269,334 --a------ C:\WINDOWS\system32\belgfatormdgf.bmp
2008-03-26 23:25 . 2008-03-26 23:27 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-26 23:24 . 2008-03-26 23:24 <DIR> d-------- C:\Program Files\nvcoi
2008-03-26 23:19 . 2008-03-26 23:19 <DIR> d-------- C:\Program Files\CPV
2008-03-26 22:54 . 2008-03-29 11:19 1,588,742 ---hs---- C:\WINDOWS\system32\amfmjdlt.ini
2008-03-26 22:50 . 2008-03-26 22:50 269,334 --a------ C:\WINDOWS\system32\epojmdgnmdsjad.bmp
2008-03-26 00:54 . 2008-03-26 00:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-26 00:36 . 2008-03-26 00:36 269,334 --a------ C:\WINDOWS\system32\adsretcj.bmp
2008-03-26 00:28 . 2006-02-28 20:00 88,064 --a------ C:\WINDOWS\system32\adsn.dll
2008-03-26 00:27 . 2008-03-26 00:27 269,334 --a------ C:\WINDOWS\system32\mlsfmpgrqtgn.bmp
2008-03-26 00:07 . 2008-03-26 00:39 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-03-26 00:07 . 2008-03-26 00:07 <DIR> d-------- C:\Documents and Settings\joey\Application Data\Anti-Virus-Pro.com
2008-03-26 00:03 . 2008-03-26 00:03 269,334 --a------ C:\WINDOWS\system32\sjatgrqtojqdon.bmp
2008-03-25 23:31 . 2008-03-25 23:31 269,334 --a------ C:\WINDOWS\system32\idsjqdgf.bmp
2008-03-25 23:31 . 2008-03-26 22:51 13 --ah----- C:\WINDOWS\system32\mmax_goog.ini
2008-03-25 23:13 . 2008-03-25 23:13 269,334 --a------ C:\WINDOWS\system32\knilgjqpkn.bmp
2008-03-25 23:13 . 2008-03-26 00:07 25,088 --a------ C:\vwhfxvxv.exe
2008-03-25 23:13 . 2008-03-25 23:13 18,432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-25 23:13 . 2008-03-26 00:07 6,144 --a------ C:\kbvxxo.exe
2008-03-25 23:13 . 2008-03-26 00:08 2 --a------ C:\-1871868984
2008-03-25 23:12 . 2008-03-27 06:36 37,376 -ra------ C:\WINDOWS\mrofinu1535.exe
2008-03-18 01:39 . 2008-03-17 23:39 66,560 --a------ C:\WINDOWS\b155.exe
2008-03-17 22:21 . 2008-03-17 22:21 268 --ah----- C:\sqmdata07.sqm
2008-03-17 22:21 . 2008-03-17 22:21 244 --ah----- C:\sqmnoopt08.sqm
2008-03-17 22:21 . 2008-03-17 22:21 244 --ah----- C:\sqmnoopt07.sqm
2008-03-17 22:21 . 2008-03-17 22:21 232 --ah----- C:\sqmdata08.sqm
2008-03-16 19:16 . 2008-03-16 19:16 <DIR> d-------- C:\Program Files\ZiPhone
2008-03-16 19:03 . 2008-03-16 19:03 <DIR> d-------- C:\Program Files\iPhoneRingToneMaker
2008-03-16 19:03 . 2008-03-21 23:28 <DIR> d-------- C:\Documents and Settings\joey\Application Data\iPhoneRingToneMaker
2008-03-06 21:49 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-06 21:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-06 21:49 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-06 00:39 . 2008-03-06 00:40 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 00:39 . 2008-03-06 00:39 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 00:39 . 2008-03-06 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-05 05:32 . 2008-03-05 03:32 105,984 --a------ C:\WINDOWS\b152.exe
2008-03-04 00:12 . 2008-03-04 00:12 <DIR> d-------- C:\Program Files\iPod
2008-03-03 00:26 . 2008-03-02 22:26 73,728 --a------ C:\WINDOWS\b153.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 04:44 --------- d-----w C:\Program Files\lg_fwupdate
2008-03-25 16:46 --------- d-----w C:\Program Files\Canon
2008-03-25 16:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 16:51 --------- d-----w C:\Documents and Settings\joey\Application Data\BitTorrent
2008-03-05 16:40 --------- d-----w C:\Program Files\MSN Messenger
2008-03-03 16:13 --------- d-----w C:\Program Files\iTunes
2008-03-03 16:12 --------- d-----w C:\Program Files\QuickTime
2008-03-02 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-02-18 14:54 --------- d-----w C:\Documents and Settings\joey\Application Data\Sports Interactive
2008-02-18 14:53 --------- d--h--w C:\Program Files\Zero G Registry
2008-02-18 14:51 --------- d-----w C:\Program Files\Sports Interactive
2008-02-16 07:54 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-02-16 07:47 --------- d-----w C:\Program Files\WinAVI Video Converter
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2008-03-26 23:19 51200 --a------ C:\Program Files\CPV\CPV7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:24 57344 --a------ C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25D3D77C-FD27-4C17-B396-9F5BD4776E31}]
2006-02-28 20:00 88064 --a------ C:\WINDOWS\system32\adsn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
2007-06-29 14:03 77824 --a------ C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 07:01 43008]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-12 10:25 1961984]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-26 23:24 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-08 09:11 9129984]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-11 03:12 90112]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 20:00 59392]
"RemoteControl"="D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 12:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 10:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 02:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-14 01:33 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 09:52 185896]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23 132624]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-02-07 17:34 57344]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-15 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-15 14:57 95296]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [2008-03-25 23:13 18432]
"RavMont"="C:\WINDOWS\system32\MP3.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\joey\Start Menu\Programs\Startup\
iPhoneRingToneMaker.lnk - C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe [2008-02-05 05:43:30 1309184]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier 快速啟動.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysfldr]
sysfldr.dll 2007-04-16 23:52 12288 C:\WINDOWS\system32\sysfldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\eREAD6.0\\eREAD6.0\\eREAD_Cookcase.exe"=
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 16:21]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-07-11 13:46]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 19:39]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 01:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-28 00:05:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-29 04:37:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-29 04:44:34 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-26 15:25:02 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 12:44:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sysfldr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2008-03-29 12:46:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 04:46:56
Pre-Run: 16,385,720,320 bytes free
Post-Run: 16,579,530,752 bytes free
.
2008-03-13 19:00:56 --- E O F ---
:thumbsup:

#2 Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 31 March 2008 - 07:10 AM

Hello and welcome to BleepingComputer. :thumbsup:

I need you to disable your Microsoft AntiSpyware real-time protection, as it may interfere with the fixes.
  • Open Microsoft AntiSpyware.
  • Click on Options, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right-click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Then....

Open Notepad and copy/paste the text in the quote box into it:

File::
C:\WINDOWS\system32\nmpcretorqtkj.bmp
C:\WINDOWS\system32\dobeton.bmp
C:\WINDOWS\system32\cbbsfawa.ini
C:\WINDOWS\system32\belgfatormdgf.bmp
C:\WINDOWS\system32\amfmjdlt.ini
C:\WINDOWS\system32\epojmdgnmdsjad.bmp
C:\WINDOWS\system32\adsretcj.bmp
C:\WINDOWS\system32\mlsfmpgrqtgn.bmp
C:\Documents and Settings\joey\Application Data\Anti-Virus-Pro.com
C:\WINDOWS\system32\sjatgrqtojqdon.bmp
C:\WINDOWS\system32\idsjqdgf.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\knilgjqpkn.bmp
C:\vwhfxvxv.exe
C:\kbvxxo.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\system32\adsn.dll
C:\WINDOWS\system32\sysfldr.dll
C:\WINDOWS\system32\MP3.exe

Folder::
C:\Program Files\nvcoi
C:\Program Files\AntiVirusPro

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25D3D77C-FD27-4C17-B396-9F5BD4776E31}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvcoi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavMont"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysfldr]


Save it as CFScript.txt on your desktop.

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Along with the CFScript log....

Please download SmitfraudFix © S!Ri to your desktop.

Double-click SmitFraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
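The reply above is the hand-made version of a triage that can be scripted. The following Python is an added example for this thread (not a BleepingComputer, HijackThis or ComboFix tool): it applies a few heuristics to HijackThis O2/O4/O20 lines and ComboFix "Files Created" rows like the ones in post #1, then prints the strong hits in the File:: / Registry:: layout of the CFScript above. The sample log lines are a constructed subset copied from this thread; the KNOWN_NOTIFY allowlist, the vowel-ratio "random name" test, the three-identical-bitmaps threshold and the rule that an autostart target which ComboFix lists as newly created is malicious are all assumptions of the example. Weak signals go to a review list instead of the script, which is why RavMont -> MP3.exe lands beside the legitimate NeroFilterCheck -> NeroCheck.exe rather than in the File:: section.

```python
"""Triage heuristics for HijackThis / ComboFix logs, emitting a CFScript draft.
Added example for this thread, not a BleepingComputer or ComboFix tool; the allowlist,
thresholds and the 'newly created autostart target' rule are assumptions.
"""
import re
from collections import Counter

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
RUN_RE = re.compile(r'^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] "?(.+?\.exe)"?(?: .*)?$', re.I)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
# ComboFix "Files Created" row: created . modified size attrs path
CF_ROW_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                       r" +([\d,]+|<DIR>) +(\S+) +(.+)$")
ROOT_DIR_RE = re.compile(r"^[a-z]:(\\windows)?$")       # drive root or %SystemRoot% itself
# Assumed allowlist: Winlogon Notify subkeys of a stock XP SP2 install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
RUN_KEY = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Constructed samples: a few lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {25D3D77C-FD27-4C17-B396-9F5BD4776E31} - C:\WINDOWS\system32\adsn.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [RavMont] C:\WINDOWS\system32\MP3.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: sysfldr - C:\WINDOWS\SYSTEM32\sysfldr.dll
"""
CF_SAMPLE = r"""
2008-03-29 12:35 . 2008-03-29 12:35 269,334 --a------ C:\WINDOWS\system32\nmpcretorqtkj.bmp
2008-03-29 12:08 . 2008-03-29 12:08 269,334 --a------ C:\WINDOWS\system32\dobeton.bmp
2008-03-29 11:21 . 2008-03-29 11:48 1,508,810 ---hs---- C:\WINDOWS\system32\cbbsfawa.ini
2008-03-29 11:18 . 2008-03-29 11:18 269,334 --a------ C:\WINDOWS\system32\belgfatormdgf.bmp
2008-03-25 23:13 . 2008-03-26 00:07 25,088 --a------ C:\vwhfxvxv.exe
2008-03-25 23:13 . 2008-03-25 23:13 18,432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-25 23:12 . 2008-03-27 06:36 37,376 -ra------ C:\WINDOWS\mrofinu1535.exe
2008-03-06 21:49 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

def folder_and_stem(path):
    folder, _, base = path.rpartition("\\")
    return folder.lower(), base.lower().rsplit(".", 1)[0]

def looks_random(path):
    """Long, letters-only, vowel-poor stem such as nmpcretorqtkj.bmp or vwhfxvxv.exe."""
    stem = folder_and_stem(path)[1]
    return stem.isalpha() and len(stem) >= 6 and sum(c in "aeiou" for c in stem) / len(stem) < 0.3

def triage(hjt_text, cf_text):
    """Return {'files', 'registry', 'review'}; strong hits feed the script, weak ones the review list."""
    hits = {"files": set(), "registry": [], "review": []}
    rows = [m.groups() for m in map(CF_ROW_RE.match, map(str.strip, cf_text.splitlines())) if m]
    new_paths = {path.lower() for _, _, path in rows}
    # Rogue-antispyware wallpaper: several bitmaps of identical size dropped in system32.
    bmp_sizes = Counter(size for size, _, p in rows if p.lower().endswith(".bmp"))
    for size, attrs, path in rows:
        (folder, _), low = folder_and_stem(path), path.lower()
        if low.endswith(".bmp") and folder.endswith("\\system32") and bmp_sizes[size] >= 3:
            hits["files"].add(path)
        elif low.endswith(".exe") and ROOT_DIR_RE.match(folder):   # loose exe in C:\ or C:\WINDOWS
            hits["files"].add(path)
        elif low.endswith(".ini") and "h" in attrs and "s" in attrs and folder.endswith("\\system32"):
            hits["files"].add(path)                                   # hidden+system data file
        elif size != "<DIR>" and looks_random(path):
            hits["files"].add(path)
    for line in hjt_text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        sect, body = m.groups()
        if sect == "O2" and (b := BHO_RE.match(body)) and b.group(1) == "(no name)":
            hits["registry"].append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{b.group(2)}]")
            hits["files"].add(b.group(3))
        elif sect == "O4" and (r := RUN_RE.match(body)):
            hive, name, exe = r.groups()
            folder, stem = folder_and_stem(exe)
            in_sys = bool(ROOT_DIR_RE.match(folder)) or folder.endswith("\\system32")
            if exe.lower() in new_paths:      # autostart target dropped inside the ComboFix window
                hits["registry"].append(f'[{RUN_KEY[hive.upper()]}\\SOFTWARE\\Microsoft\\Windows'
                                        f'\\CurrentVersion\\Run]\n"{name}"=-')
                hits["files"].add(exe)
            elif in_sys and re.sub(r"\.exe$", "", name.lower()) != stem:
                hits["review"].append(f"O4 [{name}] -> {exe}: value name does not match the executable")
        elif sect == "O20" and (n := NOTIFY_RE.match(body)) and n.group(1).lower() not in KNOWN_NOTIFY:
            hits["registry"].append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                                    f"\\currentversion\\winlogon\\notify\\{n.group(1)}]")
            hits["files"].add(n.group(2))
    if re.search(r'"AntiVirusOverride"=dword:00000001', cf_text):
        hits["review"].append("Security Center AntiVirusOverride=1: missing-AV warnings are suppressed")
    return hits

def render_cfscript(hits):
    """Serialise the strong hits in the File:: / Registry:: layout used in the reply above."""
    out = ["File::", *sorted(hits["files"], key=str.lower)]
    if hits["registry"]:
        out += ["", "Registry::", *hits["registry"]]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_cfscript(triage(HJT_SAMPLE, CF_SAMPLE)))
```

Run it as-is to see the draft; the review list (hits["review"]) is where a helper still has to decide by hand, and the Security Center AntiVirusOverride=1 value in the ComboFix log is worth noting for exactly that reason: it silences the "no antivirus installed" warning the rogue wants the user not to see.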

#3 hkjoey81 (Topic Starter)

  • Members
  • 3 posts
  • Gender: Female
  • Location: Hong Kong

Posted 04 April 2008 - 06:29 AM

Dear Rawe:

Thank you so much for your help. I will try what you have said in your last post. thank you again.

From Joey

#4 hkjoey81 (Topic Starter)

  • Members
  • 3 posts
  • Gender: Female
  • Location: Hong Kong

Posted 04 April 2008 - 06:50 AM

Dear Rawe:

I'm running Windows Defender, which I guess is similar to the Microsoft spyware detector. So I have turned off the real-time protection as you told me to, and run ComboFix and SmitfraudFix. The log is below.

Once again, thank you so much for your help!!!



ComboFix 08-03-27.3 - joey 2008-04-04 19:34:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.1444 [GMT 8:00]
Running from: C:\Documents and Settings\joey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joey\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\joey\Application Data\Anti-Virus-Pro.com
C:\kbvxxo.exe
C:\vwhfxvxv.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\adsn.dll
C:\WINDOWS\system32\adsretcj.bmp
C:\WINDOWS\system32\amfmjdlt.ini
C:\WINDOWS\system32\belgfatormdgf.bmp
C:\WINDOWS\system32\cbbsfawa.ini
C:\WINDOWS\system32\dobeton.bmp
C:\WINDOWS\system32\epojmdgnmdsjad.bmp
C:\WINDOWS\system32\idsjqdgf.bmp
C:\WINDOWS\system32\knilgjqpkn.bmp
C:\WINDOWS\system32\mlsfmpgrqtgn.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\MP3.exe
C:\WINDOWS\system32\nmpcretorqtkj.bmp
C:\WINDOWS\system32\sjatgrqtojqdon.bmp
C:\WINDOWS\system32\sysfldr.dll
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiVirusPro
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\vwhfxvxv.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\adsn.dll
C:\WINDOWS\system32\adsretcj.bmp
C:\WINDOWS\system32\amfmjdlt.ini
C:\WINDOWS\system32\belgfatormdgf.bmp
C:\WINDOWS\system32\cbbsfawa.ini
C:\WINDOWS\system32\dobeton.bmp
C:\WINDOWS\system32\epojmdgnmdsjad.bmp
C:\WINDOWS\system32\idsjqdgf.bmp
C:\WINDOWS\system32\knilgjqpkn.bmp
C:\WINDOWS\system32\mlsfmpgrqtgn.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\nmpcretorqtkj.bmp
C:\WINDOWS\system32\sjatgrqtojqdon.bmp
C:\WINDOWS\system32\sysfldr.dll
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-04 18:44 . 2008-04-04 18:44 269,334 --a------ C:\WINDOWS\system32\nalsjihcf.bmp
2008-04-01 09:37 . 2008-04-01 09:37 244 --ah----- C:\sqmnoopt09.sqm
2008-04-01 09:37 . 2008-04-01 09:37 232 --ah----- C:\sqmdata09.sqm
2008-04-01 09:31 . 2008-04-01 09:31 269,334 --a------ C:\WINDOWS\system32\dkjehcrelkj.bmp
2008-03-31 15:56 . 2008-03-31 15:56 269,334 --a------ C:\WINDOWS\system32\apkrilsrapkbap.bmp
2008-03-29 18:41 . 2008-03-29 18:41 269,334 --a------ C:\WINDOWS\system32\fatgjid.bmp
2008-03-29 18:05 . 2008-03-29 18:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-29 18:05 . 2008-03-29 18:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 18:05 . 2008-03-29 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-29 17:11 . 2008-03-29 17:11 269,334 --a------ C:\WINDOWS\system32\epgrmdobqhkjad.bmp
2008-03-29 17:07 . 2008-03-29 17:07 4,336 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-29 16:32 . 2008-03-29 16:32 <DIR> d-------- C:\Program Files\FlashGet Network
2008-03-29 16:32 . 2008-03-29 17:03 <DIR> d-------- C:\Documents and Settings\joey\Application Data\BITS
2008-03-29 12:44 . 2008-03-29 12:44 269,334 --a------ C:\WINDOWS\system32\fqlobad.bmp
2008-03-26 23:25 . 2008-03-29 17:14 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-26 23:19 . 2008-03-29 18:30 <DIR> d-------- C:\Program Files\CPV
2008-03-26 00:54 . 2008-03-26 00:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-26 00:07 . 2008-03-26 00:07 <DIR> d-------- C:\Documents and Settings\joey\Application Data\Anti-Virus-Pro.com
2008-03-25 23:13 . 2008-03-25 23:13 18,432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-25 23:13 . 2008-03-26 00:08 2 --a------ C:\-1871868984
2008-03-17 22:21 . 2008-03-17 22:21 268 --ah----- C:\sqmdata07.sqm
2008-03-17 22:21 . 2008-03-17 22:21 244 --ah----- C:\sqmnoopt08.sqm
2008-03-17 22:21 . 2008-03-17 22:21 244 --ah----- C:\sqmnoopt07.sqm
2008-03-17 22:21 . 2008-03-17 22:21 232 --ah----- C:\sqmdata08.sqm
2008-03-16 19:16 . 2008-03-16 19:16 <DIR> d-------- C:\Program Files\ZiPhone
2008-03-16 19:03 . 2008-03-16 19:03 <DIR> d-------- C:\Program Files\iPhoneRingToneMaker
2008-03-16 19:03 . 2008-03-21 23:28 <DIR> d-------- C:\Documents and Settings\joey\Application Data\iPhoneRingToneMaker
2008-03-06 21:49 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-06 21:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-06 21:49 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-06 00:39 . 2008-03-06 00:40 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 00:39 . 2008-03-06 00:39 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 00:39 . 2008-03-06 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-04 00:12 . 2008-03-04 00:12 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 11:38 --------- d-----w C:\Program Files\lg_fwupdate
2008-03-29 15:09 --------- d-----w C:\Documents and Settings\joey\Application Data\BitTorrent
2008-03-25 16:46 --------- d-----w C:\Program Files\Canon
2008-03-25 16:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 16:40 --------- d-----w C:\Program Files\MSN Messenger
2008-03-03 16:13 --------- d-----w C:\Program Files\iTunes
2008-03-03 16:12 --------- d-----w C:\Program Files\QuickTime
2008-03-02 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-02-18 14:54 --------- d-----w C:\Documents and Settings\joey\Application Data\Sports Interactive
2008-02-18 14:53 --------- d--h--w C:\Program Files\Zero G Registry
2008-02-18 14:51 --------- d-----w C:\Program Files\Sports Interactive
2008-02-16 07:54 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-02-16 07:47 --------- d-----w C:\Program Files\WinAVI Video Converter
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-29_12.46.48.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-29 10:05:27 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-03-29 10:05:27 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-03-29 10:05:27 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-03-29 10:05:27 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2008-03-29 04:44:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-04 09:30:52 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-29 04:44:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-04 09:30:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-29 04:44:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-04 09:30:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-11 05:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 04:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 04:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-12-14 03:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:24 57344 --a------ C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
2007-06-29 14:03 77824 --a------ C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 07:01 43008]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-12 10:25 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-08 09:11 9129984]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-11 03:12 90112]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 20:00 59392]
"RemoteControl"="D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 12:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 10:06 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 02:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-14 01:33 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 09:52 185896]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23 132624]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-02-07 17:34 57344]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-15 14:57 63040]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-15 14:57 95296]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [2008-03-25 23:13 18432]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\joey\Start Menu\Programs\Startup\
iPhoneRingToneMaker.lnk - C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe [2008-02-05 05:43:30 1309184]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier 快速啟動.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\eREAD6.0\\eREAD6.0\\eREAD_Cookcase.exe"=
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"=

R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 16:21]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-07-11 13:46]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 19:39]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 01:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-04 11:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-04 11:40:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 19:38:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2008-04-04 19:41:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 11:41:28
ComboFix2.txt 2008-03-29 04:46:59
Pre-Run: 16,984,567,808 bytes free
Post-Run: 16,980,160,512 bytes free
.
2008-04-04 09:58:56 --- E O F ---


SmitFraudFix v2.309

Scan done at 19:46:48.37, 04/04/2008 Fri
Run from C:\Documents and Settings\joey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\joey


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\joey\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.11.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{306BFCC3-79EF-4C02-AC20-728918128E8F}: DhcpNameServer=192.168.11.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{306BFCC3-79EF-4C02-AC20-728918128E8F}: DhcpNameServer=192.168.11.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{306BFCC3-79EF-4C02-AC20-728918128E8F}: DhcpNameServer=192.168.11.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.11.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.11.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.11.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:34 PM

Posted 04 April 2008 - 07:06 AM

Hello again. :blink:

Yeap, sorry about that, I mistakenly gave you the wrong instructions for disabling real-time protection. Windows Defender was Microsoft Anti-Spyware before.

Again, please open Notepad and copy/paste the text in the quotebox into it.

File::
C:\WINDOWS\system32\nalsjihcf.bmp
C:\WINDOWS\system32\dkjehcrelkj.bmp
C:\WINDOWS\system32\apkrilsrapkbap.bmp
C:\WINDOWS\system32\fatgjid.bmp
C:\WINDOWS\system32\epgrmdobqhkjad.bmp


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

-------

Then..

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :thumbsup:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Hi there, stranger!
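Rawe picked those five .bmp paths out of the ComboFix "Files Created" section by hand: same directory, same byte size (269,334), random-looking lowercase names, dropped on different days. As an added example (not part of this thread, and not ComboFix's or any BleepingComputer tool's code), the Python script below automates that triage over a constructed sample written in the ComboFix log format: it clusters file entries by directory, extension and identical size, flags clusters whose members have unrelated letters-only names and distinct creation times, checks the Security Center `AntiVirusOverride` flag from a sample "Reg Loading Points" block, and renders the `File::` block of a CFScript.txt. The cluster heuristic, its thresholds and the sample lines are assumptions; it generalizes to any file extension, not only .bmp.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One ComboFix "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)

# Constructed sample in ComboFix's "Files Created" format (a subset of the thread's entries)
SAMPLE_FILES_CREATED = """\
2008-04-04 18:44 . 2008-04-04 18:44 269,334 --a------ C:\\WINDOWS\\system32\\nalsjihcf.bmp
2008-04-01 09:37 . 2008-04-01 09:37 244 --ah----- C:\\sqmnoopt09.sqm
2008-04-01 09:31 . 2008-04-01 09:31 269,334 --a------ C:\\WINDOWS\\system32\\dkjehcrelkj.bmp
2008-03-29 18:05 . 2008-03-29 18:05 <DIR> d-------- C:\\Program Files\\Lavasoft
2008-03-29 18:41 . 2008-03-29 18:41 269,334 --a------ C:\\WINDOWS\\system32\\fatgjid.bmp
2008-03-29 17:07 . 2008-03-29 17:07 4,336 --a------ C:\\WINDOWS\\system32\\tmp.reg
2008-03-06 21:49 . 2007-07-30 19:19 271,224 --a------ C:\\WINDOWS\\system32\\mucltui.dll
2008-03-06 21:49 . 2007-07-30 19:19 207,736 --a------ C:\\WINDOWS\\system32\\muweb.dll
"""

# Constructed sample of the "Reg Loading Points" section
SAMPLE_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"""


def parse_files_created(text):
    """Return (created, size_in_bytes, path) for each file entry; <DIR> entries are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["size"] != "<DIR>":
            out.append((m["created"], int(m["size"].replace(",", "")), m["path"]))
    return out


def find_same_size_clusters(entries, min_members=2):
    """Heuristic (assumption): group files by (directory, extension, size) and flag groups of
    at least min_members whose stems are lowercase letters only and whose creation times all
    differ, i.e. the same payload re-dropped under a fresh random name each time."""
    groups = defaultdict(list)
    for created, size, path in entries:
        p = PureWindowsPath(path)
        groups[(str(p.parent).lower(), p.suffix.lower(), size)].append((created, path))
    clusters = []
    for (parent, ext, size), members in groups.items():
        stems = [PureWindowsPath(p).stem for _, p in members]
        distinct_times = len({c for c, _ in members})
        if (len(members) >= min_members
                and all(s.isalpha() and s.islower() for s in stems)
                and distinct_times == len(members)):
            clusters.append({"dir": parent, "ext": ext, "size": size,
                             "paths": sorted(p for _, p in members)})
    return clusters


def security_center_overridden(reg_text):
    """True if AntiVirusOverride is set to 1, which silences the 'no antivirus' alert."""
    return re.search(r'"AntiVirusOverride"=dword:0*1\b', reg_text, re.IGNORECASE) is not None


def build_cfscript(paths):
    """Render the File:: block of a CFScript.txt, one full path per line."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    clusters = find_same_size_clusters(parse_files_created(SAMPLE_FILES_CREATED))
    for c in clusters:
        print(f"{len(c['paths'])} x {c['size']} bytes in {c['dir']} ({c['ext']})")
    if security_center_overridden(SAMPLE_REG):
        print("Security Center AntiVirusOverride is set: antivirus warnings are suppressed")
    print(build_cfscript([p for c in clusters for p in c["paths"]]), end="")
```

On the sample, the three 269,334-byte .bmp files cluster together while mucltui.dll and muweb.dll (genuine Microsoft Update components with different sizes) do not. The output is only a candidate list; a helper still verifies each path before putting it in a script, exactly as Rawe did.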

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:34 PM

Posted 14 April 2008 - 02:50 PM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this topic reopened, please PM me.
Hi there, stranger!



