Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by kavo.exe


  • This topic is locked This topic is locked
13 replies to this topic

#1 madymoon

madymoon

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 04 November 2008 - 11:16 AM

I think i got the virus from a pendrive, although i have scan the pendrive using avast before opening it but i still get infected by the virus. Previously i was able to show hidden files but after i got infected by the virus it won't let me show hidden files anymore. I also having trouble entering my c: drive, every time i double click my c: drive it pop up a window message saying The C:\ application cannot be run in win32 mode. Thanks in advance.

I'll post my HijackThis log here

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:19 PM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B008FD-D750-4C77-BFF8-D1CCB5D5A8E3}: NameServer = 202.188.1.5,202.188.0.133
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8100 bytes

BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 08 November 2008 - 12:23 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!:Please do not select the Show all checkbox during the scan..

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 madymoon

madymoon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 08 November 2008 - 09:17 PM

Hi Panda thanks for your reply. So far I haven't make any changes to my computer since the day i got infected. I'll attach the file required and paste the log below.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-09 10:12:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA9EDF618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA9EDF4D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA9EDF9B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA9EDF0AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA9EDF5AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA9EDEFEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA9EDF050]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA9EDF6CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA9EDF68E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA9EDF80E]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[924] kernel32.dll!SetUnhandledExceptionFilter 7C84480D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[1148] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[1148] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbhub \Device\00000077 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000078 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000079 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

---- EOF - GMER 1.0.14 ----

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 09 November 2008 - 09:30 AM

Hello.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run.

Disable Avast!'s realtime protection by right clicking on the try icon beside your clock that looks like Posted Image and selecting Stop On-Access Protection.

In the settings:
Posted Image

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "kava" -> %SystemRoot%\system32\kavo.exe [C:\WINDOWS\system32\kavo.exe]
    < Run [HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "kava" -> %SystemRoot%\system32\kavo.exe [C:\WINDOWS\system32\kavo.exe]
    < Drives with AutoRun files > -> 
    NY -> C:\autorun.inf [;Kw3ioAia | [AutoRun] |; | open=yjkjfuo.cmd |;Up3s2La3wDeIaq74dakdwi3id9q5wqfskkL0dw8d2lL | shell\open\Command=yjkjfuo.cmd |;Kj3sq97eadsKo5m2SD4rsi1dewwa3kLfLw00sDwkK2CXk4Dj3iq5rfl313dIS3 | shell\open\Default=1 |;DdSK3wKk33liq2s | shell\explore\Command=yjkjfuo.cmd |;idd8l2i9oono414OlajriA5JeaDk4s3i2s4c3kJqo2lsw | ] -> %SystemDrive%\autorun.inf [ NTFS ]
    NY -> F:\autorun.inf [;Kw3ioAia | [AutoRun] |; | open=yjkjfuo.cmd |;Up3s2La3wDeIaq74dakdwi3id9q5wqfskkL0dw8d2lL | shell\open\Command=yjkjfuo.cmd |;Kj3sq97eadsKo5m2SD4rsi1dewwa3kLfLw00sDwkK2CXk4Dj3iq5rfl313dIS3 | shell\open\Default=1 |;DdSK3wKk33liq2s | shell\explore\Command=yjkjfuo.cmd |;idd8l2i9oono414OlajriA5JeaDk4s3i2s4c3kJqo2lsw | ] -> F:\autorun.inf [ NTFS ]
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    NY -> \{8eef945f-b223-11dc-ac8b-806d6172696f}\Shell\AutoRun\command\\"" -> %SystemDrive%\yjkjfuo.cmd [C:\yjkjfuo.cmd]
    YN -> \{8eef945f-b223-11dc-ac8b-806d6172696f} -> 
    YN -> \{cf94eb30-a438-11dd-8a00-005056c00008} -> 
    YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf94eb30-a438-11dd-8a00-005056c00008}\Shell\AutoRun\command -> 
    NY -> \{cf94eb30-a438-11dd-8a00-005056c00008}\Shell\AutoRun\command\\"" -> F:\yjkjfuo.cmd [F:\yjkjfuo.cmd]
    NY -> \{cf94eb30-a438-11dd-8a00-005056c00008}\Shell\explore\Command\\"" -> F:\yjkjfuo.cmd [F:\yjkjfuo.cmd]
    YN -> \{cf94eb30-a438-11dd-8a00-005056c00008} -> 
    YN -> \{d64a6861-dbce-11dc-892b-001d7da0de32} -> 
    [Files/Folders - Created Within 30 Days]
    NY -> kavo0.dll -> %SystemRoot%\System32\kavo0.dll
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click it Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Re-enable your protection at this point.

Please post back with:
-the OTScanIt fix log
-the Kaspersky log
-a new OTScanIt log (leave the settings at default)

With Regards,
The Panda

#5 madymoon

madymoon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 09 November 2008 - 12:35 PM

Hello panda,

I have a small problem running Run Fix with OTScanIt, if i click on the Run Fix button the program will hang and on the task manager under application tab the program is shown not responding. How long is the Run fix suppose to run? because i have wait about 1/2 hour but there is no log appear or option to restart. Thanks.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 09 November 2008 - 12:39 PM

Hello.

It should take only a moment.

Please try closing it and trying again. If it still hangs try in Safe Mode (you will need to save the script first). If OTScanIt runs propersly allow it to boot your machine back into normal mode.

How to Boot into Safe Mode
Print out all intructions to be carried out in Safe Mode, or save them onto your desktop as you will not be able to access the forum where you are recieveing help.

If you are unfimiliar with the boot process, please jot down the boot instructions.
  • Shutdown your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usually, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

If you are still not able to run OTScanit, we can try something else.

With Regards,
The Panda

Edited by PropagandaPanda, 09 November 2008 - 12:41 PM.


#7 madymoon

madymoon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 10 November 2008 - 08:39 AM

I tried to run OTScanIt in safe mode but the outcome is still the same the program is not responding.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 10 November 2008 - 11:52 AM

Hello.

Let's try OTMoveIt instead.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    
    :processes
    explorer.exe
    
    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kava"=-
    [HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kava"=-
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf94eb30-a438-11dd-8a00-005056c00008}]
    
    :files
    C:\WINDOWS\system32\kavo.exe
    %SystemRoot%\System32\kavo0.dll
    F:\yjkjfuo.cmd
    
    :commands
    [emptytemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Complete the rest of the steps as they are.

Instead of a new OTScanIt log, take an OTViewIt log.

Download and Run OTViewIt
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check both the Scan All Users and Use Whitelist checkboxes. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized. A new Extra.txt will not be created if one exists already.
Copy and Paste the logs into your next reply.
Only OTViewIt.txt is needed.

With Regards,
The Panda

#9 madymoon

madymoon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 11 November 2008 - 07:17 AM

Hi Panda,

I run both of the program and below are the logs.

OTMoveIt3 log

========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kava not found.
Registry value HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kava not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf94eb30-a438-11dd-8a00-005056c00008}\\ deleted successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\kavo.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\kavo0.dll
C:\WINDOWS\System32\kavo0.dll NOT unregistered.
C:\WINDOWS\System32\kavo0.dll moved successfully.
File/Folder F:\yjkjfuo.cmd not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\vmware-vmount.log scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11112008_200308

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_b4.dat not found!
File move failed. C:\WINDOWS\temp\vmware-vmount.log scheduled to be moved on reboot.



OTViewIt log


OTViewIt logfile created on: 11/11/2008 8:10:34 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Chan\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.42 Mb Total Physical Memory | 637.46 Mb Available Physical Memory | 62.90% Memory free
2.38 Gb Paging File | 2.06 Gb Available in Paging File | 86.53% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 3.74 Gb Free Space | 2.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 434.25 Gb Free Space | 93.23% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-533CC4FE33
Current User Name: Chan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/07/19 22:25:06 | 00,016,056 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2008/07/19 22:38:28 | 00,147,640 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
[2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2003/06/20 21:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2005/12/15 20:42:10 | 00,217,088 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
[2005/12/15 20:28:52 | 00,245,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
[2005/12/15 20:42:10 | 00,135,168 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
[2005/12/15 20:42:10 | 00,106,496 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
[2008/07/19 22:38:04 | 00,250,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[2008/07/23 22:25:45 | 00,348,344 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[2004/08/04 07:56:56 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\NOTEPAD.EXE
[2007/07/19 10:33:44 | 00,141,848 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2007/07/19 10:33:32 | 00,166,424 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2007/07/19 10:33:40 | 00,137,752 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
[2007/07/05 16:08:46 | 16,380,416 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
[2007/07/19 10:33:42 | 00,252,440 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
[2004/11/02 20:24:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2008/07/19 22:38:34 | 00,078,008 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2007/09/25 01:11:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[2006/06/15 12:36:18 | 00,229,376 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[2005/03/08 12:42:09 | 00,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[2006/06/27 16:21:14 | 01,449,984 | ---- | M] (Time Information Services Ltd.) -- C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
[2007/11/27 18:13:44 | 00,385,024 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
[2006/06/09 10:37:18 | 00,471,552 | ---- | M] (Nokia Corporation) -- C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
[2006/02/24 17:28:02 | 02,334,720 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
[2006/02/24 17:28:06 | 02,478,080 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
[2004/08/04 07:56:56 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
[2007/07/30 19:19:16 | 00,053,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/11/11 07:29:52 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/19 22:25:06 | 00,016,056 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2008/07/19 22:38:28 | 00,147,640 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2008/07/19 22:38:04 | 00,250,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
[2008/07/23 22:25:45 | 00,348,344 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
[2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2007/12/25 14:47:31 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2003/06/20 21:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2007/04/13 21:09:56 | 00,792,112 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
[2007/05/08 19:47:22 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
[2008/09/23 22:37:22 | 00,015,872 | ---- | M] () -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService [On_Demand | Stopped])
[2003/06/20 21:00:00 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/06/29 08:01:48 | 00,092,792 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
[2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- (ServiceLayer [On_Demand | Running])
[2006/11/20 16:51:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2005/12/15 20:42:10 | 00,217,088 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService [Auto | Running])
[2005/12/15 20:42:10 | 00,106,496 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP [Auto | Running])
[2005/12/15 20:28:52 | 00,245,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe -- (vmount2 [Auto | Running])
[2005/12/15 20:42:10 | 00,135,168 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service [Auto | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2005/10/06 18:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])

========== Driver Services ==========

[2008/07/19 22:32:15 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2008/07/19 22:37:42 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
[2008/07/19 22:37:21 | 00,094,416 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2008/07/19 22:33:42 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2008/07/19 22:35:18 | 00,078,416 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
[2008/07/19 22:32:36 | 00,042,912 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2007/12/24 15:45:50 | 00,015,600 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys -- (gdrv [On_Demand | Stopped])
[2008/11/09 09:52:29 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [System | Running])
[2005/12/15 20:42:12 | 00,022,016 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon [Auto | Running])
[2006/11/20 16:48:50 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2007/07/17 09:58:00 | 05,741,088 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm [On_Demand | Running])
[2007/07/18 19:26:04 | 04,547,584 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2004/08/03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2004/08/04 05:59:52 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm [On_Demand | Stopped])
[2006/05/29 08:26:36 | 00,008,704 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (Nokia USB Generic [On_Demand | Stopped])
[2006/05/29 08:26:36 | 00,013,312 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (Nokia USB Modem [On_Demand | Stopped])
[2006/05/29 08:26:38 | 00,127,488 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (Nokia USB Phone Parent [On_Demand | Stopped])
[2006/05/29 08:26:36 | 00,013,312 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (Nokia USB Port [On_Demand | Stopped])
[2007/06/29 08:01:48 | 00,042,512 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
[2001/08/23 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/08 07:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2007/08/07 17:40:38 | 00,098,944 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
[2007/11/13 18:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2008/09/23 22:37:40 | 00,025,216 | ---- | M] (The OpenVPN Project) -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901 [On_Demand | Running])
[2005/12/15 20:42:12 | 00,009,600 | R--- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter [On_Demand | Running])
[2005/12/15 20:42:12 | 00,023,424 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge [Auto | Running])
[2005/12/15 20:42:12 | 00,015,616 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif [Auto | Running])
[2005/12/15 20:42:10 | 00,009,216 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport [Auto | Running])
[2005/12/15 20:42:12 | 00,021,888 | R--- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmusb.sys -- (vmusb [On_Demand | Stopped])
[2005/12/15 20:42:10 | 00,094,848 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86 [Auto | Running])
[2005/12/15 20:28:54 | 00,011,520 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys -- (vstor2 [Auto | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (HKLM) -- C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (BitComet)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=ALCMTR.EXE (Realtek Semiconductor Corp.)
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
"PCSuiteTrayApplication"=C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup (Nokia)
"Persistence"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SkyTel"=SkyTel.EXE (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (Time Information Services Ltd.)

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (Time Information Services Ltd.)

========== (O4) Startup Folders ==========

[2006/01/25 18:42:22 | 00,061,440 | ---- | M] () -- C:\Documents and Settings\Chan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
[2007/11/27 18:13:44 | 00,385,024 | ---- | M] (Sony Corporation) -- C:\Documents and Settings\Chan\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\.DEFAULT\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-18\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-19\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-20\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FF FF FF FF [binary data]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FF FF FF FF [binary data]

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [2007/09/25 01:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/06/20 21:00:00 | 00,040,512 | ---- | M] (Microsoft Corporation)
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: Button: BitComet -- %ProgramFiles%\BitComet\tools\BitCometBHO_1.1.11.30.dll [2007/12/05 11:40:02 | 00,464,184 | ---- | M] (BitComet)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\Network Diagnostic\xpnetdiag.exe [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 01:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/06/20 21:00:00 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 01:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/06/20 21:00:00 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03

========== (O17) DNS Name Servers ==========

{44047D8F-3AE6-43A8-96D9-028F62EBA0BF} (Servers: | Description: )
{A2B008FD-D750-4C77-BFF8-D1CCB5D5A8E3} (Servers: 202.188.1.5,202.188.0.133 | Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC)
{A8452264-BD0D-443E-95BC-C043ECC3321A} (Servers: | Description: )
{F5332F05-9CAA-42AE-B6F1-E6E27267AB6B} (Servers: | Description: )

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 0

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/12/24 14:25:38 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf [;Kw3ioAia | [AutoRun] | ; | open=yjkjfuo.cmd | ;Up3s2La3wDeIaq74dakdwi3id9q5wqfskkL0dw8d2lL | shell\open\Command=yjkjfuo.cmd | ;Kj3sq97eadsKo5m2SD4rsi1dewwa3kLfLw00sDwkK2CXk4Dj3iq5rfl313dIS3 | shell\open\Default=1 | ;DdSK3wKk33liq2s | shell\explore\Command=yjkjfuo.cmd | ;idd8l2i9oono414OlajriA5JeaDk4s3i2s4c3kJqo2lsw | ]
[2008/11/05 08:00:41 | 00,000,309 | RHS- | M] () -- C:\autorun.inf -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2008/11/11 20:03:08 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2008/11/11 07:29:44 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTViewIt.exe
[2008/11/11 07:28:53 | 00,334,848 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTMoveIt3.exe
[2008/11/09 23:02:59 | 00,000,000 | ---D | C] -- C:\_OTScanIt
[2008/11/09 22:51:15 | 00,132,597 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Flash_Disinfector.exe
[2008/11/09 09:52:30 | 00,000,345 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/11/09 09:52:29 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/11/09 09:52:29 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2008/11/09 09:52:29 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/11/09 09:52:29 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/11/09 09:52:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\gmer
[2008/11/09 09:34:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\OTScanIt2
[2008/11/09 09:33:12 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\gmer.zip
[2008/11/09 09:31:40 | 00,590,889 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\OTScanIt2.exe
[2008/11/06 22:29:54 | 01,090,333 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\JLS_Sysdoc.pdf
[2008/11/06 22:28:54 | 00,113,662 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.odt
[2008/11/06 22:28:25 | 00,237,795 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.pdf
[2008/11/04 23:51:36 | 00,000,000 | ---D | C] -- C:\HijackThis
[2008/11/04 22:45:52 | 00,114,047 | RHS- | C] () -- C:\yjkjfuo.cmd
[2008/11/04 22:45:52 | 00,000,309 | RHS- | C] () -- C:\autorun.inf
[2008/10/28 23:46:04 | 01,280,426 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Chan\Desktop\mbam-setup.exe
[2008/10/28 00:16:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\UAT
[2008/10/27 18:31:43 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2008/10/27 18:31:43 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2008/10/19 22:26:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\My Documents\ISA videos
[2008/10/18 18:45:46 | 00,393,728 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Isa Server.....How To Install and Configure ISA Server 2006.doc
[2008/10/17 21:07:07 | 00,004,340 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\kenchan(2).rar
[2008/10/17 00:48:49 | 00,056,523 | ---- | C] () -- C:\Documents and Settings\Chan\My Documents\ss_payment.JPG
[2008/10/17 00:13:18 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Microsoft Isa 2006, Training video.doc
[2008/10/15 23:39:32 | 50,000,000 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Win2008-Training.part01.rar

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2008/11/11 20:05:45 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/11 20:05:43 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/11 20:04:37 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/11/11 20:04:37 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008/11/11 08:00:29 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/11/11 08:00:29 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/11/11 07:29:52 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTViewIt.exe
[2008/11/11 07:28:59 | 00,334,848 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTMoveIt3.exe
[2008/11/10 23:46:17 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/10 23:46:11 | 00,157,184 | ---- | M] () -- C:\Documents and Settings\Chan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/10 21:22:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/11/10 21:22:32 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/11/10 07:52:36 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/11/10 07:52:36 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/11/10 01:19:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/11/10 01:19:32 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/11/10 01:01:20 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008/11/10 01:01:20 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2008/11/10 00:16:11 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2008/11/10 00:16:11 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008/11/09 23:38:26 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2008/11/09 23:38:26 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008/11/09 23:14:26 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2008/11/09 23:14:26 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008/11/09 22:54:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2008/11/09 22:54:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008/11/09 22:51:42 | 00,132,597 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Flash_Disinfector.exe
[2008/11/09 09:56:31 | 00,000,345 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2008/11/09 09:55:46 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/09 09:54:39 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008/11/09 09:54:39 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/11/09 09:52:29 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2008/11/09 09:52:29 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/11/09 09:52:29 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/11/09 09:33:29 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\gmer.zip
[2008/11/09 09:32:48 | 00,590,889 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\OTScanIt2.exe
[2008/11/07 08:00:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/11/07 08:00:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/11/06 22:30:01 | 01,090,333 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\JLS_Sysdoc.pdf
[2008/11/06 22:28:56 | 00,113,662 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.odt
[2008/11/06 22:28:26 | 00,237,795 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.pdf
[2008/11/06 07:59:06 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/11/06 07:59:06 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/11/05 08:01:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/11/05 08:01:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/11/05 08:00:41 | 00,000,309 | RHS- | M] () -- C:\autorun.inf
[2008/11/04 08:49:14 | 00,114,047 | RHS- | M] () -- C:\yjkjfuo.cmd
[2008/11/04 07:55:10 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/11/04 07:55:10 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/11/03 07:59:18 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/11/03 07:59:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/10/31 08:06:20 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/10/31 08:06:20 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/10/30 07:58:40 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/10/30 07:58:40 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/10/29 07:56:42 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/10/29 07:56:42 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/10/29 00:19:43 | 01,280,426 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Chan\Desktop\mbam-setup.exe
[2008/10/28 07:53:08 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/10/28 07:53:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008/10/18 18:47:24 | 00,393,728 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Isa Server.....How To Install and Configure ISA Server 2006.doc
[2008/10/17 21:07:08 | 00,004,340 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\kenchan(2).rar
[2008/10/17 00:48:50 | 00,056,523 | ---- | M] () -- C:\Documents and Settings\Chan\My Documents\ss_payment.JPG
[2008/10/17 00:13:19 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Microsoft Isa 2006, Training video.doc
[2008/10/16 00:07:03 | 50,000,000 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Win2008-Training.part01.rar
< End of report >

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 11 November 2008 - 08:30 AM

Hello.

Looks better.

Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    C:\autorun.inf
    yjkjfuo.cmd
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please post back with:
-the OTMoveIt log
-the Kaspersky log
-a new OTViewIt log (just OTViewIt.txt)
-a new HijackThis log

How is your computer running now?

With Regards,
The Panda

#11 madymoon

madymoon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 12 November 2008 - 06:28 PM

Hi Panda,

Sorry for the late reply, now i am able to double click on my c: drive and view hidden files thanks for your guidance.


OTMoveIt3 log

========== FILES ==========
C:\autorun.inf moved successfully.
\yjkjfuo.cmd moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11112008_232626


Kaspersky log

Thursday, November 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 12, 2008 11:30:21
Records in database: 1381558
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 92122
Threat name 2
Infected objects 2
Suspicious objects 0
Duration of the scan 02:11:55

File name Threat name Threats count
C:\Documents and Settings\Chan\Local Settings\Temporary Internet Files\Content.IE5\UC23MRUV\zz[1].exe Infected: Trojan-GameThief.Win32.Magania.ajma 1
C:\_OTMoveIt\MovedFiles\11112008_200308\WINDOWS\System32\kavo0.dll Infected: Packed.Win32.Krap.b 1
The selected area was scanned.


OTViewIt log

OTViewIt logfile created on: 11/13/2008 7:17:26 AM - Run 2
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Chan\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.42 Mb Total Physical Memory | 608.56 Mb Available Physical Memory | 60.05% Memory free
2.38 Gb Paging File | 1.69 Gb Available in Paging File | 70.94% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 2.92 Gb Free Space | 1.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 433.07 Gb Free Space | 92.98% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-533CC4FE33
Current User Name: Chan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/07/19 22:25:06 | 00,016,056 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2008/07/19 22:38:28 | 00,147,640 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
[2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2003/06/20 21:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2005/12/15 20:42:10 | 00,217,088 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
[2005/12/15 20:28:52 | 00,245,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
[2005/12/15 20:42:10 | 00,135,168 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
[2005/12/15 20:42:10 | 00,106,496 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
[2008/07/19 22:38:04 | 00,250,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[2008/07/23 22:25:45 | 00,348,344 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[2007/07/19 10:33:44 | 00,141,848 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2007/07/19 10:33:32 | 00,166,424 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2007/07/19 10:33:40 | 00,137,752 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
[2007/07/05 16:08:46 | 16,380,416 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
[2007/07/19 10:33:42 | 00,252,440 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
[2004/11/02 20:24:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2008/07/19 22:38:34 | 00,078,008 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2007/09/25 01:11:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[2006/06/15 12:36:18 | 00,229,376 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[2005/03/08 12:42:09 | 00,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[2006/06/27 16:21:14 | 01,449,984 | ---- | M] (Time Information Services Ltd.) -- C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[2007/11/27 18:13:44 | 00,385,024 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
[2006/02/24 17:28:02 | 02,334,720 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
[2006/02/24 17:28:06 | 02,478,080 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
[2006/06/09 10:37:18 | 00,471,552 | ---- | M] (Nokia Corporation) -- C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
[2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
[2008/09/23 22:38:06 | 00,104,696 | ---- | M] () -- C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
[2008/09/23 22:37:22 | 00,541,696 | ---- | M] () -- C:\Program Files\OpenVPN\bin\openvpn.exe
[2004/08/04 07:56:52 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2007/09/20 10:35:36 | 00,118,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
[2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com) -- C:\Program Files\BitComet\BitComet.exe
[2003/06/20 21:00:00 | 00,189,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WISPTIS.EXE
[2008/11/12 21:28:45 | 00,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Documents and Settings\Chan\Local Settings\Temp\jkos-Chan\binaries\ScanningProcess.exe
[2008/11/12 21:28:45 | 00,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Documents and Settings\Chan\Local Settings\Temp\jkos-Chan\binaries\ScanningProcess.exe
[2004/08/04 07:56:52 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2008/11/11 07:29:52 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/19 22:25:06 | 00,016,056 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2008/07/19 22:38:28 | 00,147,640 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2008/07/19 22:38:04 | 00,250,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
[2008/07/23 22:25:45 | 00,348,344 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
[2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2007/12/25 14:47:31 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2003/06/20 21:00:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2007/04/13 21:09:56 | 00,792,112 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
[2007/05/08 19:47:22 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
[2008/09/23 22:37:22 | 00,015,872 | ---- | M] () -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService [On_Demand | Stopped])
[2003/06/20 21:00:00 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/06/29 08:01:48 | 00,092,792 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
[2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- (ServiceLayer [On_Demand | Running])
[2006/11/20 16:51:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2005/12/15 20:42:10 | 00,217,088 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService [Auto | Running])
[2005/12/15 20:42:10 | 00,106,496 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP [Auto | Running])
[2005/12/15 20:28:52 | 00,245,760 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe -- (vmount2 [Auto | Running])
[2005/12/15 20:42:10 | 00,135,168 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service [Auto | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2005/10/06 18:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])

========== Driver Services ==========

[2008/07/19 22:32:15 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2008/07/19 22:37:42 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
[2008/07/19 22:37:21 | 00,094,416 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2008/07/19 22:33:42 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2008/07/19 22:35:18 | 00,078,416 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
[2008/07/19 22:32:36 | 00,042,912 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2007/12/24 15:45:50 | 00,015,600 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys -- (gdrv [On_Demand | Stopped])
[2008/11/09 09:52:29 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [System | Running])
[2005/12/15 20:42:12 | 00,022,016 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon [Auto | Running])
[2006/11/20 16:48:50 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2007/07/17 09:58:00 | 05,741,088 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm [On_Demand | Running])
[2007/07/18 19:26:04 | 04,547,584 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2004/08/03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2004/08/04 05:59:52 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm [On_Demand | Stopped])
[2006/05/29 08:26:36 | 00,008,704 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (Nokia USB Generic [On_Demand | Stopped])
[2006/05/29 08:26:36 | 00,013,312 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (Nokia USB Modem [On_Demand | Stopped])
[2006/05/29 08:26:38 | 00,127,488 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (Nokia USB Phone Parent [On_Demand | Stopped])
[2006/05/29 08:26:36 | 00,013,312 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (Nokia USB Port [On_Demand | Stopped])
[2007/06/29 08:01:48 | 00,042,512 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
[2001/08/23 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/08 07:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2007/08/07 17:40:38 | 00,098,944 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
[2007/11/13 18:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2008/09/23 22:37:40 | 00,025,216 | ---- | M] (The OpenVPN Project) -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901 [On_Demand | Running])
[2005/12/15 20:42:12 | 00,009,600 | R--- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter [On_Demand | Running])
[2005/12/15 20:42:12 | 00,023,424 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge [Auto | Running])
[2005/12/15 20:42:12 | 00,015,616 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif [Auto | Running])
[2005/12/15 20:42:10 | 00,009,216 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport [Auto | Running])
[2005/12/15 20:42:12 | 00,021,888 | R--- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmusb.sys -- (vmusb [On_Demand | Stopped])
[2005/12/15 20:42:10 | 00,094,848 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86 [Auto | Running])
[2005/12/15 20:28:54 | 00,011,520 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys -- (vstor2 [Auto | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"AlwaysUseDefaultPrinter"=yes
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (HKLM) -- C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (BitComet)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=ALCMTR.EXE (Realtek Semiconductor Corp.)
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
"PCSuiteTrayApplication"=C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup (Nokia)
"Persistence"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SkyTel"=SkyTel.EXE (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (Time Information Services Ltd.)

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (Time Information Services Ltd.)

========== (O4) Startup Folders ==========

[2006/01/25 18:42:22 | 00,061,440 | ---- | M] () -- C:\Documents and Settings\Chan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
[2007/11/27 18:13:44 | 00,385,024 | ---- | M] (Sony Corporation) -- C:\Documents and Settings\Chan\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\.DEFAULT\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-18\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-19\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-20\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\policies\microsoft\internet explorer]
"Windows Update Menu Text"=Microsoft Update

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FF FF FF FF [binary data]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FF FF FF FF [binary data]

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/08/22 14:07:26 | 02,567,992 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 17:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [2007/09/25 01:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/06/20 21:00:00 | 00,040,512 | ---- | M] (Microsoft Corporation)
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: Button: BitComet -- %ProgramFiles%\BitComet\tools\BitCometBHO_1.1.11.30.dll [2007/12/05 11:40:02 | 00,464,184 | ---- | M] (BitComet)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\Network Diagnostic\xpnetdiag.exe [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 01:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/06/20 21:00:00 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> [2007/09/25 01:11:34 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/06/20 21:00:00 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2006/11/20 16:50:26 | 00,557,568 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2006/11/20 09:51:44 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1409082233-1935655697-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03

========== (O17) DNS Name Servers ==========

{44047D8F-3AE6-43A8-96D9-028F62EBA0BF} (Servers: | Description: )
{A2B008FD-D750-4C77-BFF8-D1CCB5D5A8E3} (Servers: 202.188.1.5,202.188.0.133 | Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC)
{A8452264-BD0D-443E-95BC-C043ECC3321A} (Servers: | Description: )
{F5332F05-9CAA-42AE-B6F1-E6E27267AB6B} (Servers: | Description: )

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 0

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/12/24 14:25:38 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2008/11/13 07:13:41 | 00,003,182 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\kaspersky.html
[2008/11/11 20:03:08 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2008/11/11 07:29:44 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTViewIt.exe
[2008/11/11 07:28:53 | 00,334,848 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTMoveIt3.exe
[2008/11/09 23:02:59 | 00,000,000 | ---D | C] -- C:\_OTScanIt
[2008/11/09 22:51:15 | 00,132,597 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Flash_Disinfector.exe
[2008/11/09 09:52:30 | 00,000,345 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/11/09 09:52:29 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/11/09 09:52:29 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2008/11/09 09:52:29 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/11/09 09:52:29 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/11/09 09:52:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\gmer
[2008/11/09 09:34:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\OTScanIt2
[2008/11/09 09:33:12 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\gmer.zip
[2008/11/09 09:31:40 | 00,590,889 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\OTScanIt2.exe
[2008/11/06 22:29:54 | 01,090,333 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\JLS_Sysdoc.pdf
[2008/11/06 22:28:54 | 00,113,662 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.odt
[2008/11/06 22:28:25 | 00,237,795 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.pdf
[2008/11/04 23:51:36 | 00,000,000 | ---D | C] -- C:\HijackThis
[2008/10/28 23:46:04 | 01,280,426 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Chan\Desktop\mbam-setup.exe
[2008/10/28 00:16:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\Desktop\UAT
[2008/10/27 18:31:43 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2008/10/27 18:31:43 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2008/10/19 22:26:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chan\My Documents\ISA videos
[2008/10/18 18:45:46 | 00,393,728 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Isa Server.....How To Install and Configure ISA Server 2006.doc
[2008/10/17 21:07:07 | 00,004,340 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\kenchan(2).rar
[2008/10/17 00:48:49 | 00,056,523 | ---- | C] () -- C:\Documents and Settings\Chan\My Documents\ss_payment.JPG
[2008/10/17 00:13:18 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Microsoft Isa 2006, Training video.doc
[2008/10/15 23:39:32 | 50,000,000 | ---- | C] () -- C:\Documents and Settings\Chan\Desktop\Win2008-Training.part01.rar

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2008/11/13 07:13:41 | 00,003,182 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\kaspersky.html
[2008/11/12 23:40:49 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/12 21:18:47 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/12 21:18:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/12 21:18:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/12 08:04:13 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/11/12 08:04:13 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008/11/12 00:35:39 | 00,161,280 | ---- | M] () -- C:\Documents and Settings\Chan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/11 20:04:37 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/11/11 20:04:37 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008/11/11 08:00:29 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/11/11 08:00:29 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/11/11 07:29:52 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTViewIt.exe
[2008/11/11 07:28:59 | 00,334,848 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chan\Desktop\OTMoveIt3.exe
[2008/11/10 21:22:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/11/10 21:22:32 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/11/10 07:52:36 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/11/10 07:52:36 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/11/10 01:19:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/11/10 01:19:32 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/11/10 01:01:20 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008/11/10 01:01:20 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2008/11/10 00:16:11 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2008/11/10 00:16:11 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008/11/09 23:38:26 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2008/11/09 23:38:26 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008/11/09 23:14:26 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2008/11/09 23:14:26 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008/11/09 22:54:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2008/11/09 22:54:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008/11/09 22:51:42 | 00,132,597 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Flash_Disinfector.exe
[2008/11/09 09:56:31 | 00,000,345 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2008/11/09 09:54:39 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008/11/09 09:54:39 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/11/09 09:52:29 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2008/11/09 09:52:29 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/11/09 09:52:29 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/11/09 09:33:29 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\gmer.zip
[2008/11/09 09:32:48 | 00,590,889 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\OTScanIt2.exe
[2008/11/07 08:00:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/11/07 08:00:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/11/06 22:30:01 | 01,090,333 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\JLS_Sysdoc.pdf
[2008/11/06 22:28:56 | 00,113,662 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.odt
[2008/11/06 22:28:26 | 00,237,795 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\ilpsdk_server.pdf
[2008/11/06 07:59:06 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/11/06 07:59:06 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/11/05 08:01:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/11/05 08:01:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/11/04 07:55:10 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/11/04 07:55:10 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/11/03 07:59:18 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/11/03 07:59:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/10/31 08:06:20 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/10/31 08:06:20 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/10/30 07:58:40 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/10/30 07:58:40 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/10/29 07:56:42 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/10/29 07:56:42 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/10/29 00:19:43 | 01,280,426 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Chan\Desktop\mbam-setup.exe
[2008/10/18 18:47:24 | 00,393,728 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Isa Server.....How To Install and Configure ISA Server 2006.doc
[2008/10/17 21:07:08 | 00,004,340 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\kenchan(2).rar
[2008/10/17 00:48:50 | 00,056,523 | ---- | M] () -- C:\Documents and Settings\Chan\My Documents\ss_payment.JPG
[2008/10/17 00:13:19 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Microsoft Isa 2006, Training video.doc
[2008/10/16 00:07:03 | 50,000,000 | ---- | M] () -- C:\Documents and Settings\Chan\Desktop\Win2008-Training.part01.rar
< End of report >


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:31 AM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B008FD-D750-4C77-BFF8-D1CCB5D5A8E3}: NameServer = 202.188.1.5,202.188.0.133
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8208 bytes

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 12 November 2008 - 06:49 PM

Hello.

Looks good :thumbsup: .

Let's update your Java, and you are good to go.

Update Java to Version 6 Update 10
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, Java SE Runtime Environment (JRE) 6 Update 10 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" jre-6u10-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click Posted Image.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restor.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
    cleanmgr
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections: Visit the Windows Update Site regularly.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
    Note that it will download them for you, but you still have to actually click install.
    If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#13 madymoon

madymoon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 14 November 2008 - 12:30 PM

Hi Panda,

I'm glad to hear that my pc is clean, so far i have no question or concern and thanks for helping me out. :thumbsup:

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:14 PM

Posted 14 November 2008 - 03:12 PM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users