
[Has adware.Generic] Says AVG


This topic is locked
18 replies to this topic

#1 nam_evil

nam_evil

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 01 December 2008 - 04:19 AM

Here's the pic saying that my computer is infected.
I can't delete it.

With HJT log, hope you guys can help.=]

Posted Image

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:31, on 2008-12-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
C:\WINDOWS\system32\QTRAYIME.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Spyware Terminator\SpyWareTerminator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Documents and Settings\Administrator\桌面\HiJackThis.exe

O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - C:\Program Files\881903\IETOOLBAR\hktbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - C:\Program Files\881903\IETOOLBAR\hktbar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\新資料夾 (18)\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Foxy 下載 - res://D:\新資料夾 (11)\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://D:\新資料夾 (11)\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: 網頁流量防護狀態 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://www.8000tv.com/download/SopCore.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} (PPSBase Control) - http://hot1.vdown.21cn.com/rmdownload/drm/...joy/ppsbase.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 11007 bytes

Edited by nam_evil, 01 December 2008 - 02:32 PM.



#2 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 01 December 2008 - 02:37 PM

Can anyone help?? =[

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,992 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:37 PM

Posted 14 December 2008 - 06:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 18 December 2008 - 04:21 AM

thx 4 yr help bro. .

here is the DDS


DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 17:14:20.00 on 2008-12-18
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.495.85 [GMT 8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
C:\WINDOWS\system32\QTRAYIME.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Administrator\桌面\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.0.1/
uLocal Page = about:blank
mLocal Page = about:blank
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {06433BFE-4946-4E89-823D-CD359C81CD06} - c:\program files\881903\ietoolbar\hktbar.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - c:\program files\881903\ietoolbar\hktbar.dll
BHO: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - c:\program files\881903\ietoolbar\hktbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - c:\program files\881903\ietoolbar\hktbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [ClubBox]
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [ctfmon.exe] ctfmon.exe
StartupFolder: c:\docume~1\admini~1\「開始~1\程式集\啟動\pps.lnk - c:\program files\ppstream\PPStream.exe
StartupFolder: c:\docume~1\admini~1\「開始~1\程式集\啟動\叉方快~1.lnk - c:\windows\system32\QTRAYIME.exe
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\youtub~1.lnk - c:\program files\casio\youtube uploader for casio\YStart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\lwgac88h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://manu.u-soccer.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: d:\新資料夾 (10)\netscape6\nppl3260.dll
FF - plugin: d:\新資料夾 (10)\netscape6\nprjplug.dll
FF - plugin: d:\新資料夾 (10)\netscape6\nprpjplug.dll
FF - plugin: d:\新資料夾 (13)\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\新資料夾 (13)\divx\divx web player\npdivx32.dll
FF - plugin: d:\新資料夾 (18)\plugins\npqtplugin.dll
FF - plugin: d:\新資料夾 (18)\plugins\npqtplugin2.dll
FF - plugin: d:\新資料夾 (18)\plugins\npqtplugin3.dll
FF - plugin: d:\新資料夾 (18)\plugins\npqtplugin4.dll
FF - plugin: d:\新資料夾 (18)\plugins\npqtplugin5.dll
FF - plugin: d:\新資料夾 (18)\plugins\npqtplugin6.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
c:\program files\mozilla firefox\defaults\pref\foxy.js - pref("network.protocol-handler.external.foxy", true);
c:\program files\mozilla firefox\defaults\pref\foxy.js - pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\mozilla firefox\defaults\pref\foxy.js - pref("network.protocol-handler.expose.foxy", true);
c:\program files\mozilla firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\mozilla firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\mozilla firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\mozilla firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-9 111184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-9 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-9 26824]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-10-16 213008]
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-11-9 141312]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-9 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-11-9 155160]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-9 231704]
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-11-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-11-9 352920]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S0 autolive;autoliv;c:\windows\system32\drivers\autolive.sys []
S0 bbaph;bbap;c:\windows\system32\drivers\bbaph.sys []
S0 bciibcid;bciibcid; []
S0 dblapdrv;dblapdr;c:\windows\system32\drivers\dblapdrv.sys []
S0 dcacaaej;dcacaaej; []
S0 dcghbeci;dcghbeci; []
S0 dgcdfdjg;dgcdfdjg; []
S0 efgccgdi;efgccgdi; []
S0 eiggggcd;eiggggcd; []
S0 faefjfjc;faefjfjc;c:\windows\system32\drivers\faefjfjc.sys []
S0 fdiabdjb;fdiabdjb; []
S0 fgfhgegf;fgfhgegf;c:\windows\system32\drivers\fgfhgegf.sys []
S0 hdfbdhga;hdfbdhga; []
S0 ifghgbid;ifghgbid; []
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys []
S0 ipdbldrv;ipdbldr;c:\windows\system32\drivers\ipdbldrv.sys []
S0 jjhhcchj;jjhhcchj; []
S0 nuhcqz55;nuhcqz5;c:\windows\system32\drivers\nuhcqz55.sys []
S0 rbagqv71;rbagqv7;c:\windows\system32\drivers\rbagqv71.sys []
S0 zvqmvf21;zvqmvf2;c:\windows\system32\drivers\zvqmvf21.sys []
S2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-7-29 206088]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\all users\application data\spyware terminator\FileObjInfo.sys [2008-11-9 5632]

=============== Created Last 30 ================

2008-12-14 16:33 <DIR> --d----- c:\program files\SopCast
2008-12-14 02:20 13 a------- c:\windows\msgtn.ini
2008-12-14 02:17 113 a------- c:\windows\PPSMediaList.ini
2008-12-14 02:17 354 a------- c:\windows\powerplayer.ini
2008-12-14 02:15 780 a------- c:\windows\psnetwork.ini
2008-12-14 02:15 <DIR> --d----- c:\program files\PPStream
2008-12-06 00:51 45,056 a------- c:\windows\system32\wnaspi32.dll
2008-12-06 00:51 25,244 a------- c:\windows\system32\drivers\aspi32.sys
2008-12-06 00:51 5,600 a------- c:\windows\system\winaspi.dll
2008-12-06 00:51 4,672 a------- c:\windows\system\wowpost.exe
2008-12-06 00:48 203,776 a------- c:\windows\system32\clrviddc.dll
2008-12-06 00:39 <DIR> --d----- c:\program files\common files\xing shared
2008-12-03 04:44 <DIR> --d----- c:\windows\system32\NtmsData
2008-12-02 21:55 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2008-12-02 17:12 <DIR> --d----- c:\program files\DNA
2008-12-02 17:12 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2008-12-02 17:12 <DIR> --d----- c:\program files\BitTorrent
2008-12-01 22:49 <DIR> --d----- c:\program files\iPod
2008-12-01 22:49 <DIR> --d----- c:\program files\iTunes
2008-12-01 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 15:09 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-30 15:09 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-30 14:34 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2008-11-30 14:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-30 14:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 14:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-30 13:42 1,755 a------- c:\windows\system32\%LocalXml%
2008-11-30 03:57 <DIR> a-dshr-- C:\cmdcons
2008-11-30 00:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-29 22:23 278,528 a------- c:\windows\system32\WinDll.dll
2008-11-24 01:08 1,700,352 a------- c:\windows\system32\gdiplus.dll
2008-11-24 01:08 278,528 a------- c:\windows\system32\unhtml.dll

==================== Find3M ====================

2008-12-18 04:01 2,379,808 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-18 04:01 516,128 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2008-12-18 04:01 20,720 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-18 04:01 3,892 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2008-11-30 03:55 472,064 a------- c:\windows\system32\CF11529.exe
2008-11-15 01:46 54,920 a---h--- c:\windows\system32\mlfcache.dat
2008-11-09 14:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-09 14:24 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-11-09 13:43 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-02 22:02 7,680 a------- c:\windows\system32\ff_vfw.dll
2008-09-25 23:40 38,608 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:14:46.51 ===============

And for the zipped file, it said I am not permitted to upload this type of file.
What should I do??
=[
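The SERVICES / DRIVERS section of the DDS log above contains a cluster of stopped boot-start (S0) drivers with eight-letter nonsense names, a description that is just the name again, and an empty `[]` where DDS normally prints the file's date and size. A helper spots those by eye; the Python below, an added example that is not part of this thread and not code from the DDS tool, applies the same checks mechanically to a subset of the posted lines. The line layout, the reading of the R/S prefix and the start-type digit, and the two generated-name patterns are assumptions taken from this log rather than from DDS documentation.

```python
import re

# Subset of the "SERVICES / DRIVERS" section posted in this thread (the lines
# are copied from that log; the selection is ours and is not a full DDS report).
SAMPLE_DDS = r"""
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-10-16 213008]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-9 20560]
S0 autolive;autoliv;c:\windows\system32\drivers\autolive.sys []
S0 bciibcid;bciibcid; []
S0 dcacaaej;dcacaaej; []
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys []
S0 nuhcqz55;nuhcqz5;c:\windows\system32\drivers\nuhcqz55.sys []
S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\all users\application data\spyware terminator\FileObjInfo.sys [2008-11-9 5632]
"""

# Assumed layout of one DDS line:
#   <R|S><start> <name>;<description>;<image path> [<date> <size>]
# R = running, S = stopped; the digit is read as the registry Start value
# (0 = boot-start), which matches how the AV drivers appear as R0/R1 above.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"
    r"(?P<name>[^;]*);"
    r"(?P<desc>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Two generated-name shapes observed in this particular log: eight letters drawn
# only from a-j (bciibcid, dcacaaej, ...) and six letters plus two digits
# (nuhcqz55). A heuristic tuned to the posted log, not a general signature.
GENERATED_NAME_RE = re.compile(r"^(?:[a-j]{8}|[a-z]{6}\d{2})$")


def parse_service_line(line):
    """Parse one DDS service/driver line into a dict, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["running"] = entry["state"][0] == "R"
    entry["start_type"] = int(entry["state"][1])
    return entry


def suspicion_reasons(entry):
    """Collect the weak signals a helper would notice for one entry."""
    reasons = []
    name, desc = entry["name"].lower(), entry["desc"].lower()
    if not entry["path"]:
        reasons.append("no image path registered")
    if not entry["meta"]:
        # DDS printed "[]" instead of "[date size]": it could not stat the file,
        # usually because the binary is no longer on disk.
        reasons.append("no on-disk date/size")
    if desc in (name, name[:-1]):
        reasons.append("description is just the service name")
    if GENERATED_NAME_RE.match(entry["name"]):
        reasons.append("name matches a generated-name pattern from this log")
    return reasons


def verdict(reasons):
    """Two or more weak signals together are worth escalating; one is a prompt to check."""
    if len(reasons) >= 2:
        return "suspicious"
    return "review" if reasons else "ok"


def triage(dds_text):
    """Run every parseable service line through the checks."""
    results = []
    for line in dds_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        results.append({"name": entry["name"], "state": entry["state"],
                        "verdict": verdict(reasons), "reasons": reasons})
    return results


def report(dds_text):
    """Text summary with suspicious entries first (sort is stable, so log order is kept within a verdict)."""
    order = {"suspicious": 0, "review": 1, "ok": 2}
    rows = sorted(triage(dds_text), key=lambda r: order[r["verdict"]])
    return "\n".join(
        f"{r['verdict']:10} {r['state']} {r['name']:12} {'; '.join(r['reasons']) or '-'}"
        for r in rows
    )


if __name__ == "__main__":
    print(report(SAMPLE_DDS))
```

A `review` verdict is not a finding: Kaspersky's `kl1` lands there only because its description repeats its name, and the iRiver `IFP300` driver because the device's file is gone. Those are resolved by checking the file's publisher signature, while the `suspicious` rows (no path, no file, generated name) are exactly the entries the helpers in this thread would ask about next.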

#5 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 18 December 2008 - 08:08 PM

Hi nam_evil,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.
I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#6 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts

Posted 19 December 2008 - 01:01 PM

Thanks Tomk_ =]

Here is the ComboFix.txt

ComboFix 08-12-18.03 - Administrator 2008-12-20 1:51:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.495.78 [GMT 8:00]
執行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
* 成功創造新還原點
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Administrator\Local Settings\Application Data\baidu
c:\windows\IE4 Error Log.txt
c:\windows\ocinfo.dat
c:\windows\system\dvl
c:\windows\system\lvl
c:\windows\system32\1116
c:\windows\system32\1116\ntjdo\bwb.wye
c:\windows\system32\1116\ntjdo\gjo.wye
c:\windows\system32\1116\ntjdo\ltjuf.dqa
c:\windows\system32\1116\ntjdo\ltjuf.wye
c:\windows\system32\1116\ntjdo\ltjuft.dqa
c:\windows\system32\1116\ntjdo\ltjuft.wye
c:\windows\system32\1116\ntjdo\mvq.dqa
c:\windows\system32\1116\ntjdo\mvq.wye
c:\windows\system32\1116\ntjdo\ne5.dqa
c:\windows\system32\1116\ntjdo\ne5.wye
c:\windows\system32\1116\ntjdo\plugins\qmhtfu.wye
c:\windows\system32\1116\ntjdo\tbgfq.dqa
c:\windows\system32\1116\ntjdo\tbgfq.wye
c:\windows\system32\1116\ntjdo\tdbo.dqa
c:\windows\system32\1116\ntjdo\tdbo.wye
c:\windows\system32\1116\ntjdo\tlfz.dqa
c:\windows\system32\1116\ntjdo\tlfz.wye
c:\windows\system32\1116\ntjdo\ttjuf.dqa
c:\windows\system32\1116\ntjdo\ttjuf.wye
c:\windows\system32\1116\ntjdo\xqbhf.dqa
c:\windows\system32\1116\ntjdo\xqbhf.wye
c:\windows\system32\cnprov.dat
c:\windows\system32\drivers\cnprov.sys
c:\windows\system32\iexp_log.txt
c:\windows\system32\mscache
c:\windows\system32\mscache\navang.cpz
c:\windows\system32\rbagqv71.dllkssm.pmc

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNESS
-------\Legacy_CNPROV
-------\Legacy_SCRIPTS
-------\Service_BNESS
-------\Service_cnprov
-------\Service_Scripts


((((((((((((((((((((((((( 2008-11-19 至 2008-12-19 的新的檔案 )))))))))))))))))))))))))))))))
.

2008-12-14 16:33 . 2008-12-14 16:41 <DIR> d-------- c:\program files\SopCast
2008-12-14 02:20 . 2008-12-14 02:28 13 --a------ c:\windows\msgtn.ini
2008-12-14 02:17 . 2008-12-20 01:36 354 --a------ c:\windows\powerplayer.ini
2008-12-14 02:17 . 2008-12-20 01:36 113 --a------ c:\windows\PPSMediaList.ini
2008-12-14 02:15 . 2008-12-15 15:43 <DIR> d-------- c:\program files\PPStream
2008-12-14 02:15 . 2008-12-20 01:35 780 --a------ c:\windows\psnetwork.ini
2008-12-06 00:51 . 1999-09-10 19:06 45,056 --a------ c:\windows\system32\wnaspi32.dll
2008-12-06 00:51 . 1999-09-10 19:06 25,244 --a------ c:\windows\system32\drivers\aspi32.sys
2008-12-06 00:51 . 1999-09-10 19:06 5,600 --a------ c:\windows\system\winaspi.dll
2008-12-06 00:51 . 1999-09-10 19:06 4,672 --a------ c:\windows\system\wowpost.exe
2008-12-06 00:48 . 2008-12-06 00:48 203,776 --a------ c:\windows\system32\clrviddc.dll
2008-12-06 00:39 . 2008-12-06 00:39 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-06 00:37 . 2008-12-06 00:37 <DIR> d-------- c:\program files\Real
2008-12-03 04:44 . 2008-12-03 04:48 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-02 21:55 . 2008-12-17 01:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\BitTorrent
2008-12-02 17:12 . 2008-12-20 01:34 <DIR> d-------- c:\program files\DNA
2008-12-02 17:12 . 2008-12-02 17:12 <DIR> d-------- c:\program files\BitTorrent
2008-12-02 17:12 . 2008-12-20 01:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DNA
2008-12-01 22:49 . 2008-12-01 22:50 <DIR> d-------- c:\program files\iTunes
2008-12-01 22:49 . 2008-12-01 22:49 <DIR> d-------- c:\program files\iPod
2008-12-01 22:49 . 2008-12-01 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 15:09 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-30 15:09 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-30 14:34 . 2008-11-30 14:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 14:33 . 2008-11-30 14:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 14:33 . 2008-11-30 14:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 14:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 14:33 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 13:42 . 2008-12-02 18:44 1,755 --a------ c:\windows\system32\%LocalXml%
2008-11-30 00:15 . 2008-11-30 00:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 22:23 . 2008-11-26 14:52 278,528 --a------ c:\windows\system32\WinDll.dll
2008-11-24 01:08 . 2001-09-06 10:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-11-24 01:08 . 2008-10-31 18:56 278,528 --a------ c:\windows\system32\unhtml.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 17:41 524,320 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-19 17:41 3,920 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-19 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-19 17:35 --------- d-----w c:\program files\MSN Messenger
2008-12-19 10:43 20,720 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-19 10:43 2,379,808 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-18 08:22 --------- d-----w c:\documents and settings\Administrator\Application Data\ppStream
2008-12-10 11:17 --------- d-----w c:\program files\WinClamAVShield
2008-12-10 11:16 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-12-10 11:15 --------- d-----w c:\program files\Spyware Terminator
2008-12-10 11:15 --------- d-----w c:\documents and settings\Administrator\Application Data\Spyware Terminator
2008-12-07 16:07 --------- d-----w c:\documents and settings\Administrator\Application Data\881903
2008-12-05 16:38 --------- d-----w c:\program files\Common Files\Real
2008-12-04 14:00 --------- d-----w c:\program files\Java
2008-12-02 20:35 --------- d-----w c:\program files\ICQ6
2008-12-02 19:32 --------- d-----w c:\documents and settings\Administrator\Application Data\Foxy
2008-12-01 19:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 19:46 --------- d-----w c:\program files\CASIO
2008-12-01 14:49 --------- d-----w c:\program files\Common Files\Apple
2008-12-01 14:04 --------- d-----w c:\program files\Safari
2008-11-29 19:26 --------- d-----w c:\program files\OCINSabc
2008-11-29 16:16 --------- d-----w c:\program files\Lavasoft
2008-11-29 14:54 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 14:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-17 14:18 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-12 17:06 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-12 17:05 --------- d-----w c:\program files\Microsoft.NET
2008-11-09 20:01 --------- d-----w c:\program files\FormatFactory
2008-11-09 19:45 --------- d-----w c:\program files\WinAVI Video Capture
2008-11-09 16:48 --------- d-----w c:\documents and settings\Administrator\Application Data\iPhoneRingToneMaker
2008-11-09 08:48 --------- d-----w c:\program files\Alwil Software
2008-11-09 06:24 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-09 06:24 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-11-09 06:24 --------- d-----w c:\program files\AVG
2008-11-09 05:43 141,312 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-02 14:02 7,680 ----a-w c:\windows\system32\ff_vfw.dll
2008-10-28 17:07 --------- d-----w c:\documents and settings\Administrator\Application Data\Red Kawa
2008-10-28 17:06 --------- d-----w c:\program files\Red Kawa
2008-10-23 16:53 --------- d-----w c:\program files\iPhoneRingToneMaker
2008-09-25 15:40 38,608 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06433BFE-4946-4E89-823D-CD359C81CD06}]
2008-11-27 16:54 385024 --a------ c:\program files\881903\IETOOLBAR\hktbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}]
2008-11-27 16:54 385024 --a------ c:\program files\881903\IETOOLBAR\hktbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}"= "c:\program files\881903\IETOOLBAR\hktbar.dll" [2008-11-27 385024]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}"= "c:\program files\881903\IETOOLBAR\hktbar.dll" [2008-11-27 385024]

[HKEY_CLASSES_ROOT\clsid\{481ee3ec-c026-4f9a-ba22-fd07654adfc0}]
[HKEY_CLASSES_ROOT\IEToolBar.ToolBarObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{2C490CC6-2056-40D3-A6CF-466AE0DC0826}]
[HKEY_CLASSES_ROOT\IEToolBar.ToolBarObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-07-12 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-07-12 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-07-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-07-12 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-29 7626752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-29 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-30 286720]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-08 15872]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-06 185872]
"nwiz"="nwiz.exe" [2006-06-29 c:\windows\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-07-12 c:\windows\system32\ctfmon.exe]

c:\windows\system32\config\systemprofile\「開始」功能表\程式集\啟動\
cmd.cmd [2004-07-12 576]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
PPS.lnk - c:\program files\PPStream\PPStream.exe [2008-12-10 2485760]
九方快速啟動.lnk - c:\windows\system32\QTRAYIME.exe [2006-11-20 26112]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
YouTube Uploader for CASIO.lnk - c:\program files\CASIO\YouTube Uploader for CASIO\YStart.exe [2007-06-11 79488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gfscagent.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\881903\\IETOOLBAR\\AudioUpdMgr.exe"=
"c:\\Documents and Settings\\Administrator\\桌面\\Itunnel\\iphone_tunnel.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11457:TCP"= 11457:TCP:BitComet 11457 TCP
"11457:UDP"= 11457:UDP:BitComet 11457 UDP
"22280:TCP"= 22280:TCP:Foxy (10.127.29.158:22280) 22280 TCP
"22280:UDP"= 22280:UDP:Foxy (10.127.29.158:22280) 22280 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-09 111184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-09 97928]
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-11-09 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-09 20560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-09 231704]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S0 autolive;autoliv;c:\windows\system32\DRIVERS\autolive.sys []
S0 bbaph;bbap;c:\windows\system32\DRIVERS\bbaph.sys []
S0 bciibcid;bciibcid; []
S0 dblapdrv;dblapdr;c:\windows\system32\DRIVERS\dblapdrv.sys []
S0 dcacaaej;dcacaaej; []
S0 dcghbeci;dcghbeci; []
S0 dgcdfdjg;dgcdfdjg; []
S0 efgccgdi;efgccgdi; []
S0 eiggggcd;eiggggcd; []
S0 faefjfjc;faefjfjc;c:\windows\system32\drivers\faefjfjc.sys []
S0 fdiabdjb;fdiabdjb; []
S0 fgfhgegf;fgfhgegf;c:\windows\system32\drivers\fgfhgegf.sys []
S0 hdfbdhga;hdfbdhga; []
S0 ifghgbid;ifghgbid; []
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\DRIVERS\ifp300.sys []
S0 ipdbldrv;ipdbldr;c:\windows\system32\DRIVERS\ipdbldrv.sys []
S0 jjhhcchj;jjhhcchj; []
S0 nuhcqz55;nuhcqz5;c:\windows\system32\DRIVERS\nuhcqz55.sys []
S0 rbagqv71;rbagqv7;c:\windows\system32\DRIVERS\rbagqv71.sys []
S0 zvqmvf21;zvqmvf2;c:\windows\system32\DRIVERS\zvqmvf21.sys []
S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-11-09 5632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1859da26-34b4-11dd-8619-0017318bcf55}]
\Shell\Auto\command -
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{405271f5-e7a9-11dc-850e-0017318bcf55}]
\Shell\Auto\command -
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d90e5b88-a4c4-11dd-8730-0017318bcf55}]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0ed6e60-f188-11db-822b-0017318bcf55}]
\Shell\Auto\command -
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe
.
計劃任務 文件夾 裡的內容

2008-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ClubBox - (no file)


.
------- 而外的掃描 -------
.
uStart Page = hxxp://192.168.0.1/
uLocal Page = about:blank
mLocal Page = about:blank
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\PSNetwork.dll - c:\windows\Downloaded Program Files\PowerList.ocx
c:\windows\Downloaded Program Files\PowerPlayer.dll
O16 -: {5EC7C511-CD0F-42E6-830C-1BD9882F3458}
hxxp://download.ppstream.com/bin/powerplayer.cab
c:\windows\Downloaded Program Files\powerplayer.inf
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lwgac88h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://manu.u-soccer.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: d:\?啗??冗 (10)\Netscape6\nppl3260.dll
FF - plugin: d:\?啗??冗 (10)\Netscape6\nprjplug.dll
FF - plugin: d:\?啗??冗 (10)\Netscape6\nprpjplug.dll
FF - plugin: d:\?啗??冗 (13)\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\?啗??冗 (13)\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin2.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin3.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin4.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin5.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin6.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 01:55:21
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程。。。 ...

掃描被隱藏的啟動組。。。

掃描被隱藏的文件。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
完成時間: 2008-12-20 1:56:52
ComboFix-quarantined-files.txt 2008-12-19 17:56:15

Pre-Run: 5,425,483,776 位元組可用
Post-Run: 5,550,604,288 位元組可用

694

#7 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 19 December 2008 - 01:50 PM

nam_evil,

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    
    Folder::
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1859da26-34b4-11dd-8619-0017318bcf55}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{405271f5-e7a9-11dc-850e-0017318bcf55}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d90e5b88-a4c4-11dd-8730-0017318bcf55}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0ed6e60-f188-11db-822b-0017318bcf55}]
    
    Driver::
    autolive
    bbaph
    bciibcid
    dblapdrv
    dcacaaej
    dcghbeci
    dgcdfdjg
    efgccgdi
    eiggggcd
    faefjfjc
    fdiabdjb
    fgfhgegf
    hdfbdhga
    ifghgbid
    IFP300
    ipdbldrv
    jjhhcchj
    nuhcqz55
    rbagqv71
    zvqmvf21
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply please provide:
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log taken after everything else completed


#8 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts

Posted 21 December 2008 - 07:37 AM

Thx Tomk_ . .

I tried to run the Kaspersky online antivirus scan after the ComboFix scan.

But my computer was shut down every time I started downloading and installing the scanner and virus definitions from Kaspersky.

There was a blue screen saying the following words:

"A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: kkf.sys
The driver unloaded without canceling pending operations."


I don't know what the problems are, but anyway, here is the ComboFix log, and I attached the HijackThis log file for your reference =]

ComboFix 08-12-18.03 - Administrator 2008-12-21 18:40:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.495.90 [GMT 8:00]
執行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\桌面\CFScript.txt
* 成功創造新還原點
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AUTOLIVE
-------\Legacy_BBAPH
-------\Legacy_DBLAPDRV
-------\Legacy_IPDBLDRV
-------\Legacy_NUHCQZ55
-------\Legacy_RBAGQV71
-------\Legacy_ZVQMVF21
-------\Service_autolive
-------\Service_bbaph
-------\Service_bciibcid
-------\Service_dblapdrv
-------\Service_dcacaaej
-------\Service_dcghbeci
-------\Service_dgcdfdjg
-------\Service_efgccgdi
-------\Service_eiggggcd
-------\Service_faefjfjc
-------\Service_fdiabdjb
-------\Service_fgfhgegf
-------\Service_hdfbdhga
-------\Service_ifghgbid
-------\Service_IFP300
-------\Service_ipdbldrv
-------\Service_jjhhcchj
-------\Service_nuhcqz55
-------\Service_rbagqv71
-------\Service_zvqmvf21


((((((((((((((((((((((((( 2008-11-21 至 2008-12-21 的新的檔案 )))))))))))))))))))))))))))))))
.

2008-12-14 16:33 . 2008-12-14 16:41 <DIR> d-------- c:\program files\SopCast
2008-12-14 02:20 . 2008-12-14 02:28 13 --a------ c:\windows\msgtn.ini
2008-12-14 02:17 . 2008-12-21 18:49 354 --a------ c:\windows\powerplayer.ini
2008-12-14 02:17 . 2008-12-21 18:49 113 --a------ c:\windows\PPSMediaList.ini
2008-12-14 02:15 . 2008-12-15 15:43 <DIR> d-------- c:\program files\PPStream
2008-12-14 02:15 . 2008-12-21 18:49 786 --a------ c:\windows\psnetwork.ini
2008-12-06 00:51 . 1999-09-10 19:06 45,056 --a------ c:\windows\system32\wnaspi32.dll
2008-12-06 00:51 . 1999-09-10 19:06 25,244 --a------ c:\windows\system32\drivers\aspi32.sys
2008-12-06 00:51 . 1999-09-10 19:06 5,600 --a------ c:\windows\system\winaspi.dll
2008-12-06 00:51 . 1999-09-10 19:06 4,672 --a------ c:\windows\system\wowpost.exe
2008-12-06 00:48 . 2008-12-06 00:48 203,776 --a------ c:\windows\system32\clrviddc.dll
2008-12-06 00:39 . 2008-12-06 00:39 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-06 00:37 . 2008-12-06 00:37 <DIR> d-------- c:\program files\Real
2008-12-03 04:44 . 2008-12-03 04:48 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-02 21:55 . 2008-12-17 01:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\BitTorrent
2008-12-02 17:12 . 2008-12-21 18:47 <DIR> d-------- c:\program files\DNA
2008-12-02 17:12 . 2008-12-02 17:12 <DIR> d-------- c:\program files\BitTorrent
2008-12-02 17:12 . 2008-12-21 18:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DNA
2008-12-01 22:49 . 2008-12-01 22:50 <DIR> d-------- c:\program files\iTunes
2008-12-01 22:49 . 2008-12-01 22:49 <DIR> d-------- c:\program files\iPod
2008-12-01 22:49 . 2008-12-01 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 15:09 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-30 15:09 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-30 14:34 . 2008-11-30 14:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 14:33 . 2008-11-30 14:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 14:33 . 2008-11-30 14:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 14:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 14:33 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 13:42 . 2008-12-02 18:44 1,755 --a------ c:\windows\system32\%LocalXml%
2008-11-30 00:15 . 2008-11-30 00:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 22:23 . 2008-11-26 14:52 278,528 --a------ c:\windows\system32\WinDll.dll
2008-11-24 01:08 . 2001-09-06 10:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-11-24 01:08 . 2008-10-31 18:56 278,528 --a------ c:\windows\system32\unhtml.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 10:49 --------- d-----w c:\program files\MSN Messenger
2008-12-21 10:45 524,320 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-21 10:45 3,920 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-21 10:45 20,720 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-21 10:45 2,379,808 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-21 08:57 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-20 13:23 --------- d-----w c:\program files\WinClamAVShield
2008-12-20 13:23 --------- d-----w c:\program files\Spyware Terminator
2008-12-20 13:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Spyware Terminator
2008-12-18 08:22 --------- d-----w c:\documents and settings\Administrator\Application Data\ppStream
2008-12-10 11:16 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-12-07 16:07 --------- d-----w c:\documents and settings\Administrator\Application Data\881903
2008-12-05 16:38 --------- d-----w c:\program files\Common Files\Real
2008-12-04 14:00 --------- d-----w c:\program files\Java
2008-12-02 20:35 --------- d-----w c:\program files\ICQ6
2008-12-02 19:32 --------- d-----w c:\documents and settings\Administrator\Application Data\Foxy
2008-12-01 19:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 19:46 --------- d-----w c:\program files\CASIO
2008-12-01 14:49 --------- d-----w c:\program files\Common Files\Apple
2008-12-01 14:04 --------- d-----w c:\program files\Safari
2008-11-29 19:26 --------- d-----w c:\program files\OCINSabc
2008-11-29 16:16 --------- d-----w c:\program files\Lavasoft
2008-11-29 14:54 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 14:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-17 14:18 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-12 17:06 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-12 17:05 --------- d-----w c:\program files\Microsoft.NET
2008-11-09 20:01 --------- d-----w c:\program files\FormatFactory
2008-11-09 19:45 --------- d-----w c:\program files\WinAVI Video Capture
2008-11-09 16:48 --------- d-----w c:\documents and settings\Administrator\Application Data\iPhoneRingToneMaker
2008-11-09 08:48 --------- d-----w c:\program files\Alwil Software
2008-11-09 06:24 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-09 06:24 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-11-09 06:24 --------- d-----w c:\program files\AVG
2008-11-09 05:43 141,312 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-02 14:02 7,680 ----a-w c:\windows\system32\ff_vfw.dll
2008-10-28 17:07 --------- d-----w c:\documents and settings\Administrator\Application Data\Red Kawa
2008-10-28 17:06 --------- d-----w c:\program files\Red Kawa
2008-10-23 16:53 --------- d-----w c:\program files\iPhoneRingToneMaker
2008-09-25 15:40 38,608 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_ 1.55.38.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-21 10:46:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06433BFE-4946-4E89-823D-CD359C81CD06}]
2008-11-27 16:54 385024 --a------ c:\program files\881903\IETOOLBAR\hktbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}]
2008-11-27 16:54 385024 --a------ c:\program files\881903\IETOOLBAR\hktbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}"= "c:\program files\881903\IETOOLBAR\hktbar.dll" [2008-11-27 385024]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}"= "c:\program files\881903\IETOOLBAR\hktbar.dll" [2008-11-27 385024]

[HKEY_CLASSES_ROOT\clsid\{481ee3ec-c026-4f9a-ba22-fd07654adfc0}]
[HKEY_CLASSES_ROOT\IEToolBar.ToolBarObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{2C490CC6-2056-40D3-A6CF-466AE0DC0826}]
[HKEY_CLASSES_ROOT\IEToolBar.ToolBarObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-07-12 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-07-12 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-07-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-07-12 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-29 7626752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-29 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-30 286720]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-08 15872]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-06 185872]
"nwiz"="nwiz.exe" [2006-06-29 c:\windows\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-07-12 c:\windows\system32\ctfmon.exe]

c:\windows\system32\config\systemprofile\「開始」功能表\程式集\啟動\
cmd.cmd [2004-07-12 576]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
PPS.lnk - c:\program files\PPStream\PPStream.exe [2008-12-10 2485760]
九方快速啟動.lnk - c:\windows\system32\QTRAYIME.exe [2006-11-20 26112]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
YouTube Uploader for CASIO.lnk - c:\program files\CASIO\YouTube Uploader for CASIO\YStart.exe [2007-06-11 79488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gfscagent.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\881903\\IETOOLBAR\\AudioUpdMgr.exe"=
"c:\\Documents and Settings\\Administrator\\桌面\\Itunnel\\iphone_tunnel.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11457:TCP"= 11457:TCP:BitComet 11457 TCP
"11457:UDP"= 11457:UDP:BitComet 11457 UDP
"22280:TCP"= 22280:TCP:Foxy (10.127.29.158:22280) 22280 TCP
"22280:UDP"= 22280:UDP:Foxy (10.127.29.158:22280) 22280 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-09 111184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-09 97928]
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-11-09 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-09 20560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-09 231704]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-11-09 5632]
.
‘計劃任務’ 文件夾 裡的內容

2008-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://192.168.0.1/
uLocal Page = about:blank
mLocal Page = about:blank
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\PSNetwork.dll - c:\windows\Downloaded Program Files\PowerList.ocx
c:\windows\Downloaded Program Files\PowerPlayer.dll
O16 -: {5EC7C511-CD0F-42E6-830C-1BD9882F3458}
hxxp://download.ppstream.com/bin/powerplayer.cab
c:\windows\Downloaded Program Files\powerplayer.inf
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lwgac88h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://manu.u-soccer.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: d:\?啗??冗 (10)\Netscape6\nppl3260.dll
FF - plugin: d:\?啗??冗 (10)\Netscape6\nprjplug.dll
FF - plugin: d:\?啗??冗 (10)\Netscape6\nprpjplug.dll
FF - plugin: d:\?啗??冗 (13)\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\?啗??冗 (13)\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin2.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin3.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin4.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin5.dll
FF - plugin: d:\?啗??冗 (18)\Plugins\npqtplugin6.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\pref\foxy.js - pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 18:46:27
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程。。。 ...

掃描被隱藏的啟動組。。。

掃描被隱藏的文件。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
完成時間: 2008-12-21 18:57:26 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2008-12-21 10:57:20
ComboFix2.txt 2008-12-19 17:56:54

Pre-Run: 5,519,618,048 位元組可用
Post-Run: 5,513,375,744 位元組可用

297

Attached Files


Edited by nam_evil, 21 December 2008 - 07:38 AM.
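A triage script for ComboFix logs, added here as an example; it is not part of this thread and not ComboFix's or the helper's own code. It parses service lines and MountPoints2 blocks of the kind in the log nam_evil posted before #7, flags boot-start drivers for which ComboFix reported no file (the pattern every randomly named driver in that log shares, which is an assumption drawn from this thread rather than a ComboFix rule) together with cached autorun.inf launch commands, and writes them out in the CFScript section layout Tomk_ uses in post #7. The sample input is constructed from lines copied out of that log.

```python
import re

# Constructed sample input: lines copied from the ComboFix log posted earlier in this thread
# (two of the four MountPoints2 keys and a handful of the service lines).
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-09 111184]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-09 231704]
S0 autolive;autoliv;c:\windows\system32\DRIVERS\autolive.sys []
S0 bciibcid;bciibcid; []
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\DRIVERS\ifp300.sys []
S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-11-09 5632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1859da26-34b4-11dd-8619-0017318bcf55}]
\Shell\Auto\command -
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d90e5b88-a4c4-11dd-8730-0017318bcf55}]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -
"""

# One ComboFix service line: "<start type> <name>;<display name>;<image path> [<date> <size>]".
# ComboFix prints an empty "[]" when it has no file to report for the image path.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<file>[^\]]*)\]$")
# A MountPoints2 key header and the cached autorun.inf verb lines ComboFix lists under it.
MOUNTPOINT_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
COMMAND_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - ?(?P<cmd>.*)$", re.I)


def parse_services(log):
    """Return one dict (start, name, display, path, file) per service line, in log order."""
    return [m.groupdict() for m in map(SERVICE_RE.match, log.splitlines()) if m]


def suspect_drivers(log):
    """Names of boot-start (S0) drivers for which ComboFix reported no file.

    Assumption drawn from this thread, not a ComboFix rule: every randomly named driver
    in the posted log is S0 with an empty "[]", and those are exactly the names the
    helper put under Driver::. A legitimate but orphaned entry (IFP300 here) is caught
    too, so the list is a review queue, not a verdict."""
    return [s["name"] for s in parse_services(log)
            if s["start"] == "S0" and s["file"] == ""]


def suspect_mountpoints(log):
    """MountPoints2 keys that carry cached autorun.inf Shell verbs.

    Returns {key: {verb: command}}. A non-empty command is the launch line Windows
    cached from a volume's autorun.inf; the OSO.exe line in this thread is the kind
    of entry left behind when a removable drive's autorun.inf started an executable."""
    found, current = {}, None
    for line in log.splitlines():
        header = MOUNTPOINT_RE.match(line)
        if header:
            current = header.group("key")
            continue
        if not line.strip():          # a blank line ends the key's block
            current = None
            continue
        verb = COMMAND_RE.match(line)
        if current and verb:
            found.setdefault(current, {})[verb.group("verb")] = verb.group("cmd").strip()
    return found


def build_cfscript(log):
    """Write the findings out in the CFScript section layout post #7 uses:
    "[-KEY]" lines under Registry:: and one service name per line under Driver::."""
    registry = [f"[-{key}]" for key in suspect_mountpoints(log)]
    drivers = suspect_drivers(log)
    return "\n".join(["File::", "", "Folder::", "", "Registry::", *registry,
                      "", "Driver::", *drivers]) + "\n"


if __name__ == "__main__":
    for key, verbs in suspect_mountpoints(SAMPLE_LOG).items():
        for verb, cmd in verbs.items():
            print(f"{key}\n  {verb}: {cmd or '(empty)'}")
    print(build_cfscript(SAMPLE_LOG))
```

The generated script is a starting point for the human review a helper like Tomk_ does; drop any Driver:: name that belongs to hardware you recognise before using it.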


#9 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 21 December 2008 - 09:54 AM

nam_evil,

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

#10 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts

Posted 23 December 2008 - 02:08 PM

Tomk_

When I was running Lop S&D.exe without any antivirus programs open, it showed the screen below.

There was some Chinese showing, and no language option was found.

What should I do about it?

Posted Image

#11 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 23 December 2008 - 07:08 PM

nam_evil,

Does this happen to be a Chinese version of Windows?

This is a newer, similar tool that may work better:

Download Rooter.exe to your desktop
  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here


#12 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts

Posted 28 December 2008 - 11:49 AM

Tomk_

It is possibly because of my Chinese version of Windows, I don't know anyway.

Here is the Rooter log

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : AMD Athlon™ 64 Processor 3000+ )
BIOS : BIOS Date: 07/21/06 17:29:43 Ver: 08.00.12
USER : Administrator ( Administrator )
BOOT : Normal boot

Antivirus : avast! antivirus 4.8.1296 [VPS 081228-0] 4.8.1296 (Not Activated)
Firewall : ActiveArmor Firewall 1.0 (Not Activated)

A:\ (USB)
C:\ (Local Disk) - NTFS - Total:51 Go (Free:3 Go)
D:\ (Local Disk) - NTFS - Total:97 Go (Free:4 Go)
E:\ (CD or DVD)

29/12/2008 Mon| 0:40

----------------------\\ Search..

----------------------\\ Cracks & Keygens..

C:\DOCUME~1\ADMINI~1\桌面\iphone\games & applications\Monkey Ball\Monkey Ball.app\SFX\balloon_crack.wav
C:\DOCUME~1\ADMINI~1\桌面\iphone\iPhoneRingToneMaker 1.19\crack.txt


1 - "C:\Rooter$\Rooter_1.txt" - 29/12/2008 Mon| 0:39
2 - "C:\Rooter$\Rooter_2.txt" - 29/12/2008 Mon| 0:41

----------------------\\ Scan completed at 0:41


thxx
merry x'mas & happy new year=]

#13 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 28 December 2008 - 01:32 PM

nam_evil,

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\documents and settings\Administrator\Application Data\BitTorrent
    c:\program files\DNA
    c:\program files\BitTorrent
    c:\documents and settings\Administrator\Application Data\DNA
    C:\DOCUME~1\ADMINI~1\桌面\iphone\games & applications\Monkey Ball\Monkey Ball.app\SFX\balloon_crack.wav
    C:\DOCUME~1\ADMINI~1\桌面\iphone\iPhoneRingToneMaker 1.19\crack.txt
    
    Folder::
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna.exe"=-
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    
    Driver::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please try to run Kaspersky online again. If it still will not run, then:

I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Also please give me a new HijackThis log.

#14 nam_evil

nam_evil
  • Topic Starter

  • Members
  • 10 posts

Posted 01 January 2009 - 05:39 AM

Tomk_

Here are the ComboFix log, the Kaspersky log, and the HijackThis log I attached.

Surprisingly, the Kaspersky online scan says no malware has been detected.

But my other anti-virus programs say there is a problem in my computer.

Anyway, you may want to see the logs first=]

Attached Files



#15 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 01 January 2009 - 09:43 AM

nam_evil,

You appear to be running two Anti-Virus programs. Avast and AVG. It is important that you only run one because they will conflict with each other. Please remove one of them. It's your choice but I would remove AVG.

After removal, please post me another HijackThis log and also tell me what makes you "surprised" that Kaspersky found you clean.



