Running processes: unusually large consumption of memory


  • This topic is locked
6 replies to this topic

#1 im_chc

im_chc

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 13 January 2009 - 04:07 AM

Hi,

Hello everyone. I'm new here and my first post is already a malware removal request. I'm not sure if that is against appropriate netiquette, so pardon me if it seems impolite.

I have been suspecting my computer is infected (virus, trojan horse, etc.); the most obvious symptom is the one in the topic title:

More than 40 of all the running processes are consuming 10 MB+ of memory; in fact there are 20+ of them which have 20 MB+.

To rule out the possibility that all these processes really do need that much memory, I used Skype on two computers and checked whether there were any differences in memory use.

Result is:
"Control" computer for comparison: Skype uses 14 MB
Subject computer under suspicion: Skype uses 40 MB

So I have reasons to believe that something's wrong.

Another symptom is that Firefox (IE7 also, and, even worse, it frequently freezes) easily climbs to 140 MB+ even if only one tab is open. However, this might not be good evidence, because several add-ons are installed in FF.

Since the prep guide doesn't suggest posting the HJT log immediately, I will post the DDS logs here first.

I would greatly appreciate any help in isolating the problem. I'm a developer and I have many apps and dev tools installed, so things might be complicated, but I think I have enough knowledge of Win XP and hardware to hope that I am able to provide precise information for assistance.

David


DDS (Ver_09-01-07.01) - NTFSx86
Run by im_chc at 16:32:18.42 on 13/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.2303.1012 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\MobaSSH.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\MrPostman\wrapper\wrapper.exe
C:\Program Files\Java\jre1.5.0_06\bin\java.exe
D:\My Documents\My Downloads\XYNTServiceProject\XYNTService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SourceOffSite Server\SosService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\bsh\usr\sbin\sshd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
D:\My Documents\My Downloads\CopyHandler\ch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\GiPo@Utilities\DesktopUtilities.3\m2tray.exe
C:\Program Files\GiPo@Utilities\DesktopUtilities.3\winman.en.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\KeePass Password Safe\KeePass.exe
E:\program files\steam\steam.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\HKO\WeatherWizard\toolbar.exe
C:\Program Files\Clock\clock.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\FSL\FSL_Launcher\FSL_Launcher.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\conime.exe
D:\My Documents\My Downloads\remark.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Documents and Settings\im_chc\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\Organizer\Organizer.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
C:\Program Files\VirtuaWin\modules\i-conized.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Quest Software\Toad for Oracle\TOAD.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\logon.scr
D:\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll
BHO: {D7515C61-A66C-4319-A0E0-D416CB8059E3} - No File
BHO: Loader Class: {f880a4a8-c436-4ac4-afd1-aa0bdc9552dd} - d:\my documents\my downloads\findexer nightly v1.1.0.3\FindeXer.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {76222034-5CFA-4A43-AADE-1E5DACB71469} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: FindeXer: {377d8121-efaa-4d1c-981b-8bfad9f10de3} - d:\my documents\my downloads\findexer nightly v1.1.0.3\FindeXer.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [KeePass Password Safe] "c:\program files\keepass password safe\KeePass.exe"
uRun: [Steam] "e:\program files\steam\steam.exe" -silent
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PPHIDPAD] c:\winpenjr\win32\pphidpad.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [ICQ Lite] ; "c:\program files\icqlite\ICQLite.exe" -minimize
mRun: [FixCamera] ;c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Copy Handler] d:\my documents\my downloads\copyhandler\ch.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [m2tray] c:\program files\gipo@utilities\desktoputilities.3\m2tray.exe /s
mRun: [WindowManager] c:\program files\gipo@utilities\desktoputilities.3\winman.en.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\clock.lnk - c:\program files\clock\clock.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\fsllau~1.lnk - c:\program files\fsl\fsl_launcher\FSL_Launcher.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\monito~1.lnk - c:\program files\apache group\apache2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\mrpost~1.lnk - d:\program files\mrpostman\run.bat
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\mybook~1.lnk - d:\my documents\my downloads\remark.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\shortc~1.lnk - d:\my documents\my notes\standard toolbox\simple_winbind.ahk
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\documents and settings\im_chc\start menu\programs\startup\taskmgr.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\totalo~1.lnk - c:\program files\organizer\Organizer.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\virtua~1.lnk - c:\program files\virtuawin\VirtuaWin.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\xplorer2.lnk - c:\program files\zabkat\xplorer2_lite\xplorer2_lite.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sticki~1.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\香港天~1.lnk - c:\windows\installer\{59ab7c01-b31d-424f-88c1-83900495aa7e}\_4E76F09337AD1DF738C9BC.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: StartMenuLogOff = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to AD Black List
IE: Block All Images from the Same Server
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Highlight
IE: Note this (Google Notebook) - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll/gn_menu2.html
IE: Open All Links in This Page...
IE: Open In New Avant Browser
IE: RoboForm
IE: Search
IE: Zend Studio - Debug current page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
IE: 儲存表格 (Save form)
IE: 加到廣告黑名單 (Add to AD Black List) - c:\program files\avant browser\AddToADBlackList.htm
IE: 在新的 Avant Browser 開啟 (Open In New Avant Browser) - c:\program files\avant browser\OpenInNewBrowser.htm
IE: 填表 (Fill form)
IE: 搜尋 (Search) - c:\program files\avant browser\Search.htm
IE: 自訂功能表 (Customize menu)
IE: 開啟此網頁中所有的連結... (Open All Links in This Page...) - c:\program files\avant browser\OpenAllLinks.htm
IE: 阻擋所有來自這個伺服器的圖片 (Block All Images from the Same Server) - c:\program files\avant browser\AddAllToADBlackList.htm
IE: 高亮度標記 (Highlight) - c:\program files\avant browser\Highlight.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\program files\eltima software\flash decompiler trillix\saveflash\iebt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
Trusted Zone: My Documents
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {0EA12C16-CDEF-6AC1-236E-CD3FE82F5213} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\im_chc\applic~1\mozilla\firefox\profiles\q8mo25ud.profile2\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\im_chc\application data\mozilla\firefox\profiles\q8mo25ud.profile2\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\documents and settings\im_chc\application data\mozilla\firefox\profiles\q8mo25ud.profile2\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-24 11840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-20 26824]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2005-6-18 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2005-6-18 17216]
R3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-24 52032]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
R3 xpvcom;XPVCOM Port;c:\windows\system32\drivers\XPVCOM.sys [2007-3-23 30032]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-12-24 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-24 151297]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-25 231704]
R4 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2007-1-17 8568]
R4 MobaSSH1;MobaSSH;c:\windows\system32\MobaSSH.exe [2008-7-8 5862400]
R4 My_XYNT_Svc;My_XYNT_Svc;d:\my documents\my downloads\xyntserviceproject\XYNTService.exe [2007-5-12 45056]
R4 SosSvrSvc.net;SourceOffSite 4 Server;c:\program files\sourceoffsite server\SosService.exe [2006-9-21 167936]
R4 TDDI;TDDI;c:\windows\system32\drivers\tddi.sys [2006-10-31 46004]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\d:\my documents\winfx new\vcdrom.sys --> d:\my documents\winfx new\VCdRom.sys [?]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2006-1-25 69120]
S3 cpuz;cpuz;\??\c:\docume~1\im_chc\locals~1\temp\cpuz.sys --> c:\docume~1\im_chc\locals~1\temp\cpuz.sys [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2007-1-17 11114]
S3 DWUSBDNT;DWUSBDNT;c:\windows\system32\drivers\dwusbdnt.sys [2005-9-6 16384]
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;c:\windows\microsoft.net\windows\v6.0.5070\PresentationFontCache.exe [2005-11-6 36864]
S3 FXDRV;FXDRV;c:\program files\superutilities\Fxdrv.sys [2005-12-6 13440]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys --> c:\windows\system32\drivers\gflmouhid.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-1-29 29744]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-11-4 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-11-4 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-11-4 81288]
S3 inpss;Indigo Named Pipe Sharing Service;c:\windows\microsoft.net\framework\v2.0.50215\indigolistener.exe --> c:\windows\microsoft.net\framework\v2.0.50215\IndigoListener.exe [?]
S3 KSVI;KSVI;c:\docume~1\im_chc\locals~1\temp\ksvi.exe --> c:\docume~1\im_chc\locals~1\temp\KSVI.exe [?]
S3 MSSQL$NEW;MSSQL$NEW;c:\program files\microsoft sql server\mssql$new\binn\sqlservr.exe [2005-5-4 9154560]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-6-18 32512]
S3 OracleClientCache80;OracleClientCache80;e:\oracle\product\oraclient8dscvr4\bin\ONRSD80.EXE [2001-5-17 101136]
S3 OracleCSService;OracleCSService;e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service --> e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service [?]
S3 OracleOraClient9XXClientCache;OracleOraClient9XXClientCache;e:\oracle\product\9.x.x\client_1\bin\ONRSD.EXE [2002-4-26 242328]
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;e:\oracle\product\10.1.0\db_1\bin\encsvc.exe [2006-7-18 187392]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;e:\oracle\product\10.1.0\db_1\bin\agntsvc.exe [2006-7-18 254464]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;e:\oracle\product\10.1.0\db_1\bin\tnslsnr --> e:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S3 OracleOraDb10g_home2_DEVSUITEClientCache;OracleOraDb10g_home2_DEVSUITEClientCache;e:\oracle\product\10.1.0\db_devsuite\bin\ONRSD.EXE [2007-8-12 426300]
S3 OracleServiceORCL;OracleServiceORCL;e:\oracle\product\10.1.0\db_1\bin\oracle.exe orcl --> e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL [?]
S3 PORTMON;PORTMON;\??\d:\my documents\my downloads\portmon\portmsys.sys --> d:\my documents\my downloads\portmon\PORTMSYS.SYS [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2007-1-17 15360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-4-3 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-4-3 1079176]
S3 SORLP;SORLP;c:\docume~1\im_chc\locals~1\temp\sorlp.exe --> c:\docume~1\im_chc\locals~1\temp\SORLP.exe [?]
S3 SQLAgent$NEW;SQLAgent$NEW;c:\program files\microsoft sql server\mssql$new\binn\sqlagent.EXE [2005-5-3 323584]
S3 SRSTL_MBRUD;Tom Lee ShopRetailSystem Member UpDown Grade;d:\my documents\visual studio projects\shopretailsystem-tl\tomlee_memberupdownservice\bin\debug\TomLee_MemberUpDownService.exe [2007-3-26 102400]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-11 280344]
S3 VYVLOFARFWGCE;VYVLOFARFWGCE;c:\docume~1\im_chc\locals~1\temp\vyvlofarfwgce.exe --> c:\docume~1\im_chc\locals~1\temp\VYVLOFARFWGCE.exe [?]
S4 dtr;dtr;c:\windows\dtr.exe --> c:\windows\dtr.exe [?]
S4 DWUSBDRV;DWUSBDRV.sys digit@lway USB driver;c:\windows\system32\drivers\dwusbdrv.sys --> c:\windows\system32\drivers\DWUSBDRV.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;e:\oracle\product\10.1.0\db_1\bin\extjob.exe orcl --> e:\oracle\product\10.1.0\db_1\bin\extjob.exe ORCL [?]
S4 OracleOraDb10g_home1TNSListenerLISTENER_2ND;OracleOraDb10g_home1TNSListenerLISTENER_2ND;e:\oracle\product\10.1.0\db_1\bin\tnslsnr --> e:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 OssecSvc;OSSEC Hids;c:\program files\ossec-agent\ossec-agent.exe [2008-10-9 438906]
S4 VPCAppSv;Virtual PC Application Services;c:\windows\system32\drivers\VPCAppSv.sys [2002-5-20 10374]
S4 Windows ServerDtr;Windows ServerDtr;c:\program files\common files\microsoft shared\msinfo\serverdtr.exe --> c:\program files\common files\microsoft shared\msinfo\ServerDtr.exe [?]

============== File Associations ===============

txtfile\shell\edit_with_syn\command=c:\program files\syn\syn.exe "%1"

=============== Created Last 30 ================

2009-01-04 20:11 <DIR> --d----- c:\program files\Winamp Toolbar
2009-01-04 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar
2009-01-04 17:18 <DIR> --d----- c:\program files\lbreakout2
2008-12-28 00:54 <DIR> --d----- c:\program files\Apache Software Foundation
2008-12-26 19:51 11,776 a------- c:\windows\system32\canton_i.IME
2008-12-26 19:47 105,630 a------- c:\windows\system32\canto.TBL
2008-12-26 19:47 11,776 a------- c:\windows\system32\canton.IME
2008-12-26 19:47 216 a------- c:\windows\system32\cantoPHR.TBL
2008-12-26 19:47 120 a------- c:\windows\system32\cantoPTR.TBL
2008-12-26 16:54 <DIR> --d----- c:\docume~1\im_chc\applic~1\SendSpace Wizard
2008-12-26 16:54 <DIR> --d----- c:\program files\SendSpace
2008-12-26 14:10 <DIR> --d----- c:\windows\system32\%
2008-12-26 14:07 73,728 ac------ c:\windows\system32\dllcache\w3ext.dll
2008-12-26 13:51 31,744 ac------ c:\windows\system32\dllcache\fxsroute.dll
2008-12-26 13:51 11,264 ac------ c:\windows\system32\dllcache\fxssend.exe
2008-12-26 13:51 31,744 a------- c:\windows\system32\fxsroute.dll
2008-12-26 13:51 11,264 a------- c:\windows\system32\fxssend.exe
2008-12-26 13:51 132,608 ac------ c:\windows\system32\dllcache\fxsclntr.dll
2008-12-26 13:51 111,104 ac------ c:\windows\system32\dllcache\fxscfgwz.dll
2008-12-26 13:51 132,608 a------- c:\windows\system32\fxsclntR.dll
2008-12-26 13:51 111,104 a------- c:\windows\system32\fxscfgwz.dll
2008-12-26 13:51 1,793 a------- c:\windows\system32\fxsperf.ini
2008-12-26 13:51 1,361 a------- c:\windows\system32\fxscount.h
2008-12-26 13:47 <DIR> --d----- c:\windows\system32\msmq
2008-12-25 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Musicnotes
2008-12-25 21:12 <DIR> --d----- c:\program files\Musicnotes
2008-12-24 16:41 674,896 a------- C:\nautilus
2008-12-24 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2008-12-15 21:45 <DIR> --d----- c:\program files\ossec-agent
2008-12-14 23:35 <DIR> --d----- c:\program files\IrfanView
2008-12-14 23:32 <DIR> --d----- c:\program files\AutoHotkey
2008-12-14 23:18 <DIR> --d----- c:\program files\Clock

==================== Find3M ====================

2008-11-19 12:34 69,632 a------- c:\windows\system32\nporbit.dll
2008-11-13 01:08 681 a------- c:\documents and settings\im_chc\connections.dat
2008-11-02 12:26 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-02 12:26 114,688 a------- c:\windows\system32\OpenAL32.dll
2008-10-23 20:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-22 01:45 262,144 a------- c:\windows\system32\default_user_class.dat
2008-10-18 17:15 6,352 a------- c:\windows\system32\tmp.reg
2008-10-17 04:38 826,368 a------- c:\windows\system32\wininet.dll
2006-03-15 17:03 90 a------- c:\documents and settings\im_chc\godir.bat
1996-11-21 13:36 36,112 a------- c:\documents and settings\im_chc\DMACHECK.EXE

============= FINISH: 16:36:36.00 ===============
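The first thing a reviewer does with a log like the one above is sort the autostart and service entries by where their binaries live, before looking at any of them in detail. The script below is an added example for this thread, not code from the post, from DDS or from the forum's Malware Response Team. It parses the Running Processes, Pseudo HJT Report and SERVICES / DRIVERS sections and flags the entries to verify first: components registered but marked No File, binaries in a temp directory or under a user profile, and well-known Windows binary names (here taskmgr.exe in the Startup folder) running from outside the Windows directory. The location heuristics are this example's own assumptions, not verdicts: on a developer box with tools under My Downloads they fire on plenty of legitimate software, and the `[?]` marker is taken here only to mean that DDS could not read the file's date and size. The sample log is constructed from a few entries of the posted log with the wrapped lines rejoined; the parser assumes one entry per line, which is also why logs are requested with Word Wrap turned off.

```python
"""Triage the autostart and service entries of a DDS log by file location.

Added example for this thread; not code from the post, from DDS or from the
forum's Malware Response Team. The location heuristics are assumptions of
this example: DDS lists the entries, it does not rate them.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
USER_DIR_RE = re.compile(r"^[a-z]:\\(?:docume~1|documents and settings|my documents)\\", re.I)
# Windows binaries that only belong in the Windows or system32 directory.
SYSTEM_NAMES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "explorer.exe", "rundll32.exe"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
PATH_RE = re.compile(r'"?([a-z]:\\[^"\[]*?\.(?:exe|dll|sys|scr|bat|cpl|drv|ime))\b', re.I)
BARE_PATH_RE = re.compile(r'"?([a-z]:\\\S+)', re.I)

# Constructed sample in DDS format: a few entries copied from the log posted
# above, with the wrapped lines rejoined (DDS writes one entry per line).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
D:\My Documents\My Downloads\remark.exe

============== Pseudo HJT Report ===============

BHO: NoExplorer - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun: [Copy Handler] d:\my documents\my downloads\copyhandler\ch.exe
StartupFolder: c:\documents and settings\im_chc\start menu\programs\startup\taskmgr.exe

============= SERVICES / DRIVERS ===============

R4 MobaSSH1;MobaSSH;c:\windows\system32\MobaSSH.exe [2008-7-8 5862400]
S3 KSVI;KSVI;c:\docume~1\im_chc\locals~1\temp\ksvi.exe --> c:\docume~1\im_chc\locals~1\temp\KSVI.exe [?]
S4 dtr;dtr;c:\windows\dtr.exe --> c:\windows\dtr.exe [?]
"""


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def extract_path(section, line):
    """Return the on-disk path named by one DDS entry, or None if it has none."""
    sec = section.lower()
    if sec.startswith("running"):
        body = line                            # the whole line is the command line
    elif "services" in sec:
        parts = line.split(";", 2)             # "STATE name;display;path [date size]"
        if len(parts) < 3:
            return None
        body = parts[2]
        if "-->" in body:                      # DDS resolved the registry path; use that form
            body = body.split("-->", 1)[1]
    else:                                      # "KEY: Name: {CLSID} - path" or "KEY: [value] path"
        body = line.split(":", 1)[1] if ":" in line else line
        if " - " in body:
            body = body.rsplit(" - ", 1)[1]
        body = re.sub(r"^\s*\[[^\]]*\]\s*", "", body)
    body = body.strip()
    m = PATH_RE.match(body) or BARE_PATH_RE.match(body)
    return m.group(1) if m else None


def triage(text):
    """List the entries to verify first, each with the reason it was flagged."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not section:
            continue
        if line.endswith("No File"):
            findings.append(Finding(section, line, "orphaned entry: registered component has no file on disk"))
            continue
        path = extract_path(section, line)
        if path is None:
            continue
        if line.endswith("[?]"):   # assumed meaning: DDS could not read the file's date/size
            findings.append(Finding(section, line, "DDS could not read the file's date/size ([?]); confirm it exists"))
        if TEMP_RE.search(path):
            findings.append(Finding(section, line, "binary located in a temp directory"))
        elif USER_DIR_RE.match(path):
            findings.append(Finding(section, line, "binary located under a user profile, outside Program Files"))
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(path):
            findings.append(Finding(section, line, f"{name} is a Windows binary name but runs from {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run it on a complete, unwrapped DDS.txt by passing the file contents to `triage()`; the flagged entries are the ones to check with the file's publisher, timestamp and hash before asking the forum to interpret them, not a list of infections.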


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:49 PM

Posted 26 January 2009 - 03:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

When posting logs, please make sure Word Wrap in Notepad is unchecked.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 im_chc

im_chc
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 29 January 2009 - 02:35 AM

Thanks for your help!

Installed new software:
Driver of TP-Link USB wireless adapter
XLink kai
Deskpins
Malwarebytes' Anti-Malware
Dorgem

For symptoms, I think it's pretty much the same: memory is still being eaten up. For the IE/Firefox problem (easily uses 150+mb of memory), I think it might be due to the AVG link scanner, so I turned it off, but I'm not sure if it helps.

Regards,
David


DDS (Ver_09-01-07.01) - NTFSx86
Run by im_chc at 1:51:43.14 on 29/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.2303.1082 [GMT 8:00]

AV: AVG AntiiVirus Free *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\MobaSSH.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\MrPostman\wrapper\wrapper.exe
D:\My Documents\My Downloads\XYNTServiceProject\XYNTService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Java\jre1.5.0_06\bin\java.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SourceOffSite Server\SosService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\bsh\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
D:\My Documents\My Downloads\CopyHandler\ch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\GiPo@Utilities\DesktopUtilities.3\m2tray.exe
C:\Program Files\GiPo@Utilities\DesktopUtilities.3\winman.en.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\KeePass Password Safe\KeePass.exe
E:\program files\steam\steam.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
C:\Program Files\HKO\WeatherWizard\toolbar.exe
C:\Program Files\Clock\clock.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\FSL\FSL_Launcher\FSL_Launcher.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\My Documents\My Downloads\remark.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Documents and Settings\im_chc\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\Organizer\Organizer.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
C:\Program Files\VirtuaWin\modules\i-conized.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\DOCUME~1\im_chc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\im_chc\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
D:\My Documents\My Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll
BHO: {D7515C61-A66C-4319-A0E0-D416CB8059E3} - No File
BHO: Loader Class: {f880a4a8-c436-4ac4-afd1-aa0bdc9552dd} - d:\my documents\my downloads\findexer nightly v1.1.0.3\FindeXer.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {76222034-5CFA-4A43-AADE-1E5DACB71469} - No File
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19--1489659958.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: FindeXer: {377d8121-efaa-4d1c-981b-8bfad9f10de3} - d:\my documents\my downloads\findexer nightly v1.1.0.3\FindeXer.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [KeePass Password Safe] "c:\program files\keepass password safe\KeePass.exe"
uRun: [Steam] "e:\program files\steam\steam.exe" -silent
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PPHIDPAD] c:\winpenjr\win32\pphidpad.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [ICQ Lite] ; "c:\program files\icqlite\ICQLite.exe" -minimize
mRun: [FixCamera] ;c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Copy Handler] d:\my documents\my downloads\copyhandler\ch.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [m2tray] c:\program files\gipo@utilities\desktoputilities.3\m2tray.exe /s
mRun: [WindowManager] c:\program files\gipo@utilities\desktoputilities.3\winman.en.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\clock.lnk - c:\program files\clock\clock.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\deskpins.lnk - c:\program files\deskpins\DeskPins.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\fsllau~1.lnk - c:\program files\fsl\fsl_launcher\FSL_Launcher.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\monito~1.lnk - c:\program files\apache group\apache2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\mrpost~1.lnk - d:\program files\mrpostman\run.bat
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\mybook~1.lnk - d:\my documents\my downloads\remark.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\shortc~1.lnk - d:\my documents\my notes\standard toolbox\simple_winbind.ahk
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\documents and settings\im_chc\start menu\programs\startup\taskmgr.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\totalo~1.lnk - c:\program files\organizer\Organizer.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\virtua~1.lnk - c:\program files\virtuawin\VirtuaWin.exe
StartupFolder: c:\docume~1\im_chc\startm~1\programs\startup\xplorer2.lnk - c:\program files\zabkat\xplorer2_lite\xplorer2_lite.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sticki~1.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tl-wn3~1.lnk - c:\program files\tp-link\tl-wn321g wireless utility\installer\winxp\TWCU.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\香港天~1.lnk - c:\windows\installer\{59ab7c01-b31d-424f-88c1-83900495aa7e}\_4E76F09337AD1DF738C9BC.exe
uPolicies-explorer: ForceActiveDesktopOn = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: StartMenuLogOff = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to AD Black List
IE: Block All Images from the Same Server
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Highlight
IE: Open All Links in This Page...
IE: Open In New Avant Browser
IE: RoboForm
IE: Search
IE: Zend Studio - Debug current page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
IE: 儲存表格
IE: 加到廣告黑名單 - c:\program files\avant browser\AddToADBlackList.htm
IE: 在新的 Avant Browser 開啟 - c:\program files\avant browser\OpenInNewBrowser.htm
IE: 填表
IE: 搜尋 - c:\program files\avant browser\Search.htm
IE: 自訂功能表
IE: 開啟此網頁中所有的連結... - c:\program files\avant browser\OpenAllLinks.htm
IE: 阻擋所有來自這個伺服器的圖片 - c:\program files\avant browser\AddAllToADBlackList.htm
IE: 高亮度標記 - c:\program files\avant browser\Highlight.htm
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\program files\eltima software\flash decompiler trillix\saveflash\iebt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: My Documents
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {0EA12C16-CDEF-6AC1-236E-CD3FE82F5213} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\im_chc\applic~1\mozilla\firefox\profiles\q8mo25ud.profile2\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-24 11840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-20 27656]
R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2005-6-18 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2005-6-18 17216]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-24 52032]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\im_chc\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-1-29 70144]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
R3 xpvcom;XPVCOM Port;c:\windows\system32\drivers\XPVCOM.sys [2007-3-23 30032]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-12-24 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-24 151297]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-28 298264]
R4 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2007-1-17 8568]
R4 MobaSSH1;MobaSSH;c:\windows\system32\MobaSSH.exe [2008-7-8 5862400]
R4 My_XYNT_Svc;My_XYNT_Svc;d:\my documents\my downloads\xyntserviceproject\XYNTService.exe [2007-5-12 45056]
R4 SosSvrSvc.net;SourceOffSite 4 Server;c:\program files\sourceoffsite server\SosService.exe [2006-9-21 167936]
R4 TDDI;TDDI;c:\windows\system32\drivers\tddi.sys [2006-10-31 46004]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\d:\my documents\winfx new\vcdrom.sys --> d:\my documents\winfx new\VCdRom.sys [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2006-1-25 69120]
S3 cpuz;cpuz;\??\c:\docume~1\im_chc\locals~1\temp\cpuz.sys --> c:\docume~1\im_chc\locals~1\temp\cpuz.sys [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2007-1-17 11114]
S3 DWUSBDNT;DWUSBDNT;c:\windows\system32\drivers\dwusbdnt.sys [2005-9-6 16384]
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;c:\windows\microsoft.net\windows\v6.0.5070\PresentationFontCache.exe [2005-11-6 36864]
S3 FXDRV;FXDRV;c:\program files\superutilities\Fxdrv.sys [2005-12-6 13440]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys --> c:\windows\system32\drivers\gflmouhid.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-1-29 29744]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-11-4 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-11-4 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-11-4 81288]
S3 inpss;Indigo Named Pipe Sharing Service;c:\windows\microsoft.net\framework\v2.0.50215\indigolistener.exe --> c:\windows\microsoft.net\framework\v2.0.50215\IndigoListener.exe [?]
S3 KSVI;KSVI;c:\docume~1\im_chc\locals~1\temp\ksvi.exe --> c:\docume~1\im_chc\locals~1\temp\KSVI.exe [?]
S3 MSSQL$NEW;MSSQL$NEW;c:\program files\microsoft sql server\mssql$new\binn\sqlservr.exe [2005-5-4 9154560]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-6-18 32512]
S3 OracleClientCache80;OracleClientCache80;e:\oracle\product\oraclient8dscvr4\bin\ONRSD80.EXE [2001-5-17 101136]
S3 OracleCSService;OracleCSService;e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service --> e:\oracle\product\10.1.0\db_1\bin\ocssd.exe service [?]
S3 OracleOraClient9XXClientCache;OracleOraClient9XXClientCache;e:\oracle\product\9.x.x\client_1\bin\ONRSD.EXE [2002-4-26 242328]
S3 OracleOraDb10g_home1SNMPPeerEncapsulator;OracleOraDb10g_home1SNMPPeerEncapsulator;e:\oracle\product\10.1.0\db_1\bin\encsvc.exe [2006-7-18 187392]
S3 OracleOraDb10g_home1SNMPPeerMasterAgent;OracleOraDb10g_home1SNMPPeerMasterAgent;e:\oracle\product\10.1.0\db_1\bin\agntsvc.exe [2006-7-18 254464]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;e:\oracle\product\10.1.0\db_1\bin\tnslsnr --> e:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S3 OracleOraDb10g_home2_DEVSUITEClientCache;OracleOraDb10g_home2_DEVSUITEClientCache;e:\oracle\product\10.1.0\db_devsuite\bin\ONRSD.EXE [2007-8-12 426300]
S3 OracleServiceORCL;OracleServiceORCL;e:\oracle\product\10.1.0\db_1\bin\oracle.exe orcl --> e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE ORCL [?]
S3 PORTMON;PORTMON;\??\d:\my documents\my downloads\portmon\portmsys.sys --> d:\my documents\my downloads\portmon\PORTMSYS.SYS [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-1-19 36928]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2007-1-17 15360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-4-3 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-4-3 1079176]
S3 SORLP;SORLP;c:\docume~1\im_chc\locals~1\temp\sorlp.exe --> c:\docume~1\im_chc\locals~1\temp\SORLP.exe [?]
S3 SQLAgent$NEW;SQLAgent$NEW;c:\program files\microsoft sql server\mssql$new\binn\sqlagent.EXE [2005-5-3 323584]
S3 SRSTL_MBRUD;Tom Lee ShopRetailSystem Member UpDown Grade;d:\my documents\visual studio projects\shopretailsystem-tl\tomlee_memberupdownservice\bin\debug\TomLee_MemberUpDownService.exe [2007-3-26 102400]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-11 280344]
S3 VYVLOFARFWGCE;VYVLOFARFWGCE;c:\docume~1\im_chc\locals~1\temp\vyvlofarfwgce.exe --> c:\docume~1\im_chc\locals~1\temp\VYVLOFARFWGCE.exe [?]
S4 dtr;dtr;c:\windows\dtr.exe --> c:\windows\dtr.exe [?]
S4 DWUSBDRV;DWUSBDRV.sys digit@lway USB driver;c:\windows\system32\drivers\dwusbdrv.sys --> c:\windows\system32\drivers\DWUSBDRV.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;e:\oracle\product\10.1.0\db_1\bin\extjob.exe orcl --> e:\oracle\product\10.1.0\db_1\bin\extjob.exe ORCL [?]
S4 OracleOraDb10g_home1TNSListenerLISTENER_2ND;OracleOraDb10g_home1TNSListenerLISTENER_2ND;e:\oracle\product\10.1.0\db_1\bin\tnslsnr --> e:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 OssecSvc;OSSEC Hids;c:\program files\ossec-agent\ossec-agent.exe [2008-10-9 438906]
S4 VPCAppSv;Virtual PC Application Services;c:\windows\system32\drivers\VPCAppSv.sys [2002-5-20 10374]
S4 Windows ServerDtr;Windows ServerDtr;c:\program files\common files\microsoft shared\msinfo\serverdtr.exe --> c:\program files\common files\microsoft shared\msinfo\ServerDtr.exe [?]

============== File Associations ===============

txtfile\shell\edit_with_syn\command=c:\program files\syn\syn.exe "%1"

=============== Created Last 30 ================

2009-01-29 01:23 <DIR> --d----- C:\fsaua.data
2009-01-28 14:42 8 a------- c:\windows\system32\nvModes.dat
2009-01-28 09:14 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-26 22:06 <DIR> --d----- c:\program files\DeskPins
2009-01-22 22:34 2,201,224 a----r-- c:\windows\system32\Flash9.ocx
2009-01-19 22:39 36,928 a------- c:\windows\system32\drivers\pssdk41.sys
2009-01-19 22:39 <DIR> --d----- c:\docume~1\im_chc\applic~1\XLink Kai
2009-01-19 22:36 311,296 a------- c:\windows\system32\AegisI5.exe
2009-01-19 22:36 290,918 a------- c:\windows\system32\Install7x.dll
2009-01-19 22:36 252,928 a------- c:\windows\system32\drivers\rt73.sys
2009-01-19 22:36 245,376 a------- c:\windows\system32\drivers\rt2500usb.SYS
2009-01-19 22:36 2,048 a------- c:\windows\system32\drivers\rt73.bin
2009-01-19 22:36 138 a------- c:\windows\filespec7x
2009-01-19 22:35 20,747 a------- c:\windows\system32\drivers\AegisP.sys
2009-01-19 22:16 <DIR> --d----- c:\program files\XLink Kai
2009-01-19 22:04 <DIR> --d----- c:\program files\TP-LINK
2009-01-14 14:59 66,048 a------- C:\David, Chan Hok Ching - Resume.doc
2009-01-13 21:12 <DIR> --d----- c:\docume~1\im_chc\applic~1\Malwarebytes
2009-01-13 21:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 21:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 21:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-13 21:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 20:11 <DIR> --d----- c:\program files\Winamp Toolbar
2009-01-04 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar
2009-01-04 17:18 <DIR> --d----- c:\program files\lbreakout2

==================== Find3M ====================

2009-01-28 09:14 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-11 18:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-19 12:34 69,632 a------- c:\windows\system32\nporbit.dll
2008-11-13 01:08 681 a------- c:\documents and settings\im_chc\connections.dat
2008-11-02 12:26 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-02 12:26 114,688 a------- c:\windows\system32\OpenAL32.dll
2006-03-15 17:03 90 a------- c:\documents and settings\im_chc\godir.bat
1996-11-21 13:36 36,112 a------- c:\documents and settings\im_chc\DMACHECK.EXE

============= FINISH: 1:53:08.95 ===============

Scanning Report
Thursday, January 29, 2009 01:55:54 - 15:08:27

Computer name: NEW
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\
Result: 15 malware found
AdTool.Win32.Zango (spyware)

* System

RemoteAdmin.Win32.WinVNC (spyware)

* System

Text/BotFTP.gen (virus)

* C:\DOCUMENTS AND SETTINGS\IM_CHC\X (Submitted)

TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Adbrite (spyware)

* System

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Mediaplex (spyware)

* System

TrackingCookie.Revsci (spyware)

* System

TrackingCookie.Statcounter (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Trojan.Win32.Agent (virus)

* System

Trojan.Win32.Agent.ayed (virus)

* C:\DOCUMENTS AND SETTINGS\IM_CHC\DESKTOP\DOWNLOADS\DBUTIL.EXE

Statistics
Scanned:

* Files: 145900
* System: 11457
* Not scanned: 23

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 15
* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\UNVISE32.EXE
* C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\2312
* C:\WINDOWS\SYSTEM32\DHOST.EXE
* C:\WINDOWS\SYSTEM32\SSH_HOST_DSA_KEY
* C:\WINDOWS\SYSTEM32\SSH_HOST_KEY
* C:\WINDOWS\SYSTEM32\SSH_HOST_RSA_KEY
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\TEMP\ETILQS_NNPF7XUA3ERWILUB2PTI
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAM
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAO
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAM
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAO
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBM
* C:\DOCUMENTS AND SETTINGS\IM_CHC\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\HP
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\VIRTUAL MACHINE HELPER\NETWORK SERVICE
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1B3099C35D880F86EBBCA43670CB9560_E3ABF150-ABA9-4F93-A1EC-A239FF158F96

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 2.8.8110, 2009-01-28
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure AVP: 7.0.171, 2009-01-28

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 29 January 2009 - 07:54 AM

Hello.

There doesn't appear to be an infection. However, you have a TON of startup items. I'm not surprised you are having memory issues.

Please take a HijackThis log because DDS can't remove the entries.

Download, Install, and Save Log with HijackThis
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked to choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop-up after the installation.
  • Click Do a System Scan and Save a Log File.
  • The scan will complete in a moment and the log will pop-up.
  • Copy the contents of the log into your next post.
You can refer to this animation by Billy O'Neal.

With Regards,
The Panda
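
As an added example (not code from this thread, from HijackThis or from the helper), the Python script below tallies the O4 autostart entries of a HijackThis log by location and flags O23 service entries whose registered binary is missing or sits in a temporary folder, which is the kind of triage the reply above does by eye. The log lines embedded in it are constructed in the same format as the logs posted in this thread, not copied from them.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 log format (not the log posted in this
# thread); the names and paths are illustrative only.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Example Tray] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKUS\S-1-5-21-1-2-3-1013\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'other')
O4 - HKUS\.DEFAULT\..\RunOnce: [Example Once] C:\Example\once.exe (User 'Default user')
O4 - Startup: Clock.lnk = C:\Program Files\Clock\clock.exe
O4 - Global Startup: SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
O23 - Service: Spy Helper (SpyHelper) - Example Corp - C:\Program Files\Spybot - Search & Destroy\helper.exe
O23 - Service: ABCD - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\ABCD.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
"""

# One HJT entry per line: a section code (O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: "<location>: <command or shortcut target>".
O4_RE = re.compile(r"^(?P<loc>[^:]+): (?P<cmd>.*)$")
# Registry locations look like HKLM\..\Run or HKUS\<sid>\..\RunOnce.
HIVE_RE = re.compile(r"^(?P<root>HKLM|HKCU|HKUS)\\(?:[^\\]+\\)?\.\.\\(?P<key>Run\w*)$")
# O23 body: "Service: <display name> - <owner> - <path>". Name and path may both
# contain " - ", so the path is pinned to a drive letter or UNC prefix and the
# owner may not contain a backslash; the regex engine backtracks to the split that fits.
O23_RE = re.compile(r"^Service: (?P<name>.+) - (?P<owner>[^\\]*?) - (?P<path>(?:[A-Za-z]:\\|\\\\).*)$")


def parse_entries(log_text):
    """Return (code, body) pairs for the numbered entry lines of an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def startup_bucket(location):
    """Map an O4 location string to a coarse autostart category."""
    m = HIVE_RE.match(location)
    if m:
        return f"{m.group('root')} {m.group('key')}"
    if location.endswith("Startup"):
        return "Global Startup folder" if location.startswith("Global") else "Startup folder"
    return location


def startup_summary(log_text):
    """Count O4 autostart entries per category (the 'TON of startup items', counted)."""
    counts = Counter()
    for code, body in parse_entries(log_text):
        if code == "O4":
            m = O4_RE.match(body)
            if m:
                counts[startup_bucket(m.group("loc"))] += 1
    return counts


def parse_services(log_text):
    """Return the O23 service entries as dicts with name, owner and path."""
    services = []
    for code, body in parse_entries(log_text):
        if code == "O23":
            m = O23_RE.match(body)
            if m:
                services.append(m.groupdict())
    return services


def service_findings(log_text):
    """Flag services worth a second look: binary missing, or binary in a temp folder."""
    findings = []
    for svc in parse_services(log_text):
        reasons = []
        if "(file missing)" in svc["path"]:
            reasons.append("registered binary is missing")
        if re.search(r"\\(temp|locals~1)\\", svc["path"], re.IGNORECASE):
            reasons.append("binary located in a temporary folder")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for bucket, n in startup_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {bucket}")
    for f in service_findings(SAMPLE_LOG):
        print(f"O23 {f['name']} ({f['owner']}): {', '.join(f['reasons'])}")
```

Feed it a saved hijackthis.log instead of SAMPLE_LOG to get the same summary for a real machine; a flagged service is a lead to investigate, not a verdict.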

#5 im_chc

  • Topic Starter
  • Members
  • 6 posts

Posted 29 January 2009 - 11:59 AM

Hi,

Yeah, I know that plenty of startup items do affect system performance, but I think that should not affect how much memory each application uses... Correct me if I'm wrong.

During the first scan, HJT encountered two errors, but I was not able to capture the first error screen.

I was not sure, so I ran the scan again (the dump below is this second scan), and this time there were no more errors. I have attached the error messages here as a Word file. The first error, which I missed, is similar to the second one in the Word file (i.e. both are "submit error" dialogs).

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:50:26, on 30/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\MobaSSH.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\MrPostman\wrapper\wrapper.exe
D:\My Documents\My Downloads\XYNTServiceProject\XYNTService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Java\jre1.5.0_06\bin\java.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SourceOffSite Server\SosService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\bsh\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
D:\My Documents\My Downloads\CopyHandler\ch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\GiPo@Utilities\DesktopUtilities.3\m2tray.exe
C:\Program Files\GiPo@Utilities\DesktopUtilities.3\winman.en.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\KeePass Password Safe\KeePass.exe
E:\program files\steam\steam.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
C:\Program Files\HKO\WeatherWizard\toolbar.exe
C:\Program Files\Clock\clock.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\FSL\FSL_Launcher\FSL_Launcher.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\My Documents\My Downloads\remark.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Organizer\Organizer.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HKO\WeatherWizard\toolbar.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\My Documents\Visual Studio Projects\AutoSend\Main\bin\Main.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\winamp toolbar\WinampTbServer.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\VirtuaWin\modules\i-conized.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 63.208.197.211 ssl-14.hamachi.cc
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1489659958.dll
O2 - BHO: (no name) - {D7515C61-A66C-4319-A0E0-D416CB8059E3} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - D:\My Documents\My Downloads\FindeXer Nightly V1.1.0.3\FindeXer.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1489659958.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [ICQ Lite] ; "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [FixCamera] ;C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [Copy Handler] D:\My Documents\My Downloads\CopyHandler\ch.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [m2tray] C:\Program Files\GiPo@Utilities\DesktopUtilities.3\m2tray.exe /s
O4 - HKLM\..\Run: [WindowManager] C:\Program Files\GiPo@Utilities\DesktopUtilities.3\winman.en.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [KeePass Password Safe] "C:\Program Files\KeePass Password Safe\KeePass.exe"
O4 - HKCU\..\Run: [Steam] "e:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [ezHelper] "C:\Program Files\ezHelper\ezHelper.exe" 300 (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'cnki')
O4 - HKUS\S-1-5-21-839522115-1336601894-725345543-1013\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot (User 'cnki')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-839522115-1336601894-725345543-1013 Startup: ICQ 5.1.lnk = C:\Program Files\ICQLite\ICQLite.exe (User 'cnki')
O4 - S-1-5-21-839522115-1336601894-725345543-1013 User Startup: ICQ 5.1.lnk = C:\Program Files\ICQLite\ICQLite.exe (User 'cnki')
O4 - Startup: Clock.lnk = C:\Program Files\Clock\clock.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Startup: FSL Launcher.lnk = C:\Program Files\FSL\FSL_Launcher\FSL_Launcher.exe
O4 - Startup: Google 更新器.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: MrPostman.lnk = D:\Program Files\MrPostman\run.bat
O4 - Startup: MyBookmarks.com Remark.lnk = ?
O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Startup: Shortcut to simple_winbind.lnk = My Notes\Standard Toolbox\simple_winbind.ahk
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: taskmgr.exe
O4 - Startup: Total Organizer.lnk = C:\Program Files\Organizer\Organizer.exe
O4 - Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
O4 - Startup: xplorer2.lnk = C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Stickies Startup.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: TL-WN321G Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
O4 - Global Startup: 香港天文台天氣精靈.lnk = ?SystemRoot%\Installer\{59AB7C01-B31D-424F-88C1-83900495AA7E}\_4E76F09337AD1DF738C9BC.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
O8 - Extra context menu item: 加到廣告黑名單 - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: 在新的 Avant Browser 開啟 - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: 搜尋 - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: 開啟此網頁中所有的連結... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: 阻擋所有來自這個伺服器的圖片 - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: 高亮度標記 - C:\Program Files\Avant Browser\Highlight.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (HKCU)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33527649-30BB-4C61-9D70-638D64A6670E} (LaunchLFO Control) - http://www.littlefighteronline.com/hk/yahoo_hk/LaunchLFO.ocx
O16 - DPF: {3D553595-4369-4F5D-AEF0-55B27550DE94} (OrbitDownloader Class) - http://update.orbitplatform.com/OrbitDownloader.1.0.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224309153953
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://new/VirtualServer/activex/VMRCActiveXClient.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://hokching.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C4C9F1E5-2E72-4B58-BA61-6D63730FB7C8} (ActiveQueryBuilderX Control) - http://www.activequerybuilder.com/files/aqbx.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://erp01.gaslhk.com:8004/discwb4/jinit/oajinit.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: libdprin - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: FreeSSHDService - Unknown owner - C:\Program Files\freeSSHd\FreeSSHDService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Indigo Named Pipe Sharing Service (inpss) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\IndigoListener.exe (file missing)
O23 - Service: KSVI - Unknown owner - C:\DOCUME~1\im_chc\LOCALS~1\Temp\KSVI.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobaSSH (MobaSSH1) - http://www.mobatek.net - C:\WINDOWS\system32\MobaSSH.exe
O23 - Service: MrPostman - Unknown owner - D:\Program Files\MrPostman\wrapper\wrapper.exe
O23 - Service: My_XYNT_Svc - Unknown owner - D:\My Documents\My Downloads\XYNTServiceProject\XYNTService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: OracleClientCache80 - Unknown owner - E:\Oracle\product\OraClient8DSCVR4\BIN\ONRSD80.EXE
O23 - Service: OracleCSService - Unknown owner - E:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - E:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - E:\oracle\product\10.1.0\Db_DEVSUITE\bin\omtsreco.exe
O23 - Service: OracleOraClient9XXClientCache - Unknown owner - E:\Oracle\product\9.X.X\Client_1\BIN\ONRSD.EXE
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - E:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - E:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - E:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - E:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleOraDb10g_home1TNSListenerLISTENER_2ND - Unknown owner - E:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleOraDb10g_home2_DEVSUITEClientCache - Unknown owner - E:\oracle\product\10.1.0\Db_DEVSUITE\BIN\ONRSD.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - e:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: OSSEC Hids (OssecSvc) - Unknown owner - C:\Program Files\ossec-agent\ossec-agent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SORLP - Unknown owner - C:\DOCUME~1\im_chc\LOCALS~1\Temp\SORLP.exe (file missing)
O23 - Service: SourceOffSite 4 Server (SosSvrSvc.net) - SourceGear Corporation - C:\Program Files\SourceOffSite Server\SosService.exe
O23 - Service: Tom Lee ShopRetailSystem Member UpDown Grade (SRSTL_MBRUD) - - d:\my documents\visual studio projects\shopretailsystem-tl\tomlee_memberupdownservice\bin\debug\tomlee_memberupdownservice.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: VYVLOFARFWGCE - Unknown owner - C:\DOCUME~1\im_chc\LOCALS~1\Temp\VYVLOFARFWGCE.exe (file missing)
O23 - Service: Windows ServerDtr - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\ServerDtr.exe (file missing)
O24 - Desktop Component 0: (no name) - http://widgets.clearspring.com/o/47c6dc950...24a5ac/cb6c9043
O24 - Desktop Component 1: (no name) - http://widgets.clearspring.com/o/47c5fe05e...e566b033aeba8b5
O24 - Desktop Component 2: (no name) - http://widgets.clearspring.com/o/471247059...Fid%2F124426%23
O24 - Desktop Component 3: (no name) - http://widgets.clearspring.com/o/4712470593678979/48f0621737c4eed2/47ebeefc5c0536e5/a4c79319/-cpid/83f1ab47bc71e4e
O24 - Desktop Component 4: (no name) - http://widgets.clearspring.com/o/46d58cdbb...w/f/channel/All

--
End of file - 30926 bytes


#6 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 29 January 2009 - 12:43 PM

Hello.

I see that you are running more than one antivirus program, AVG and Avira. It is not recommended that you do so. In addition to wasting resources, the programs may detect virus signatures in the other and cause false positives. The different drivers used by the programs can cause crashes.

Please uninstall them until you are only running one antivirus using Add/Remove Programs.
---
Let's disable some startup entries.

Before making any changes, please disable TeaTimer because it may interfere with HijackThis.

To disable SpyBot's TeaTimer:
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy
Use HijackThis to Remove Unneeded Startup Entries
Programs that run automatically at startup can take up memory, causing your computer to be slow. Many of these entries are not needed.

Below is a list of entries in your HijackThis log that can be removed safely. Below each entry, you will find a brief description of it. Some are up to preference.

To remove entries you do not want, open HijackThis, select "Do a system scan only", put a check mark next to those entries and select "Fix checked".

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
"Related to Realtek audio cards". This is not needed at startup.

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Java updater. This is not needed at startup.

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"Associated with "Nero Burning Rom" CD writing software". This is not needed at startup.

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

The entries above are related to Asian character input. Unless you use that, they can be removed.

O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
PenPower Chinese handwriting recognition software. This is not needed at startup.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Related to QuickTime streaming, though not needed for it to function.

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"Associated with BlueTooth software" This is not needed at startup.

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
Is what it says. Not needed at startup.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"Related to Realtek Audio Sound Manager System Tray icon for the AC97 onboard audio." Not needed at startup.

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
"RealTek High Definition audio driver related " Not needed at startup.

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
RealTek monitoring. Actually considered spyware by some. I would remove this.

O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
Not required at startup.

O4 - HKLM\..\Run: [ICQ Lite] ; "C:\Program Files\ICQLite\ICQLite.exe" -minimize
Messaging program. Not needed at startup.

O4 - HKLM\..\Run: [FixCamera] ;C:\WINDOWS\FixCamera.exe
Related to Speed S8800 USB 2.0 Webcam. Remove if you do not use it.

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

"Digital camera related."

O4 - HKLM\..\Run: [Copy Handler] D:\My Documents\My Downloads\CopyHandler\ch.exe
Not needed at startup.

O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
"IAA Event Monitor User Notification Tool - part of Intel® Application Accelerator " Not needed at startup.

O4 - HKLM\..\Run: [m2tray] C:\Program Files\GiPo@Utilities\DesktopUtilities.3\m2tray.exe /s
"GiPo@MoveToTray start point". Not needed at startup.

O4 - HKLM\..\Run: [WindowManager] C:\Program Files\GiPo@Utilities\DesktopUtilities.3\winman.en.exe

Not required at startup.

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
Not required at startup.

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
"Part of the Logitech Setpoint software for their wired and wireless mice and trackballs". Not needed at startup.

O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
"Related to Yahoo! Mail Advisor ". Not needed at startup.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"Initializes the clock and memory settings on nVidia based graphics cards". Not needed at startup.

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"Associated with the newer versions of nVidia graphics cards drivers". Not needed at startup.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Makes Adobe Reader open faster. Not needed at startup.

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
"Related to Winamp_Agent from Nullsoft.com " Not needed at startup.

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
"Active sync for use with Windows CE based palm PC". Not needed at startup.

O4 - HKCU\..\Run: [KeePass Password Safe] "C:\Program Files\KeePass Password Safe\KeePass.exe"
Not needed at startup.

O4 - HKCU\..\Run: [Steam] "e:\program files\steam\steam.exe" -silent
"Valve Software's STEAM broadband game client." Not needed at startup.

O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

Not needed at startup.

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
"Related to Orb_Tray from InstallShield Software Corporation now owned by Macrovision". Not needed at startup.

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
Not needed at startup.

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
Not needed at startup.

All these below can go too.
O4 - Startup: Clock.lnk = C:\Program Files\Clock\clock.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Startup: FSL Launcher.lnk = C:\Program Files\FSL\FSL_Launcher\FSL_Launcher.exe
O4 - Startup: Google 更新器.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: MrPostman.lnk = D:\Program Files\MrPostman\run.bat
O4 - Startup: MyBookmarks.com Remark.lnk = ?
O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Startup: Shortcut to simple_winbind.lnk = My Notes\Standard Toolbox\simple_winbind.ahk
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: taskmgr.exe
O4 - Startup: Total Organizer.lnk = C:\Program Files\Organizer\Organizer.exe
O4 - Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
O4 - Startup: xplorer2.lnk = C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Stickies Startup.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: TL-WN321G Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
O4 - Global Startup: 香港天文台天氣精靈.lnk = ?SystemRoot%\Installer\{59AB7C01-B31D-424F-88C1-83900495AA7E}\_4E76F09337AD1DF738C9BC.exe
-----
Please post back a new HijackThis log after you have removed some of that.

With Regards,
The Panda

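The reply above works through the O4 (autorun) and O23 (service) lines of the HijackThis log by hand. As an added example (not the poster's log, and not HijackThis's own code), here is a small parser for those two line formats plus a scoring pass that pulls out the entries a reviewer would want to look at first: services whose binary is reported missing, entries that run from the user's Temp folder, services with no publisher, and services whose display name is nothing more than the file name. The sample lines are constructed, modelled on the entries quoted in this thread, and the point values and the review threshold are assumptions chosen for illustration rather than anything HijackThis defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in HijackThis log format, modelled on the O4 and O23
# entries quoted in this thread (a short excerpt, not the poster's full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [KeePass Password Safe] "C:\Program Files\KeePass Password Safe\KeePass.exe"
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O23 - Service: KSVI - Unknown owner - C:\DOCUME~1\im_chc\LOCALS~1\Temp\KSVI.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VYVLOFARFWGCE - Unknown owner - C:\DOCUME~1\im_chc\LOCALS~1\Temp\VYVLOFARFWGCE.exe (file missing)
"""

# O4 Run-key entries: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O4 Startup-folder entries: "O4 - Startup: name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O23 services: "O23 - Service: display - owner - path [(file missing)]"
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Paths under the user's temporary folder (XP short and long forms).
TEMP_RE = re.compile(r"\\(?:Temp|LOCALS~1)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str      # "service" (O23) or "autorun" (O4)
    display: str   # service display name, Run value name or .lnk name
    owner: str     # publisher string HijackThis reported ("" or "Unknown owner" if none)
    path: str      # executable path
    missing: bool  # HijackThis appended "(file missing)"
    raw: str


def exe_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; other HijackThis sections return None."""
    line = line.strip()
    m = SVC_RE.match(line)
    if m:
        return Entry("service", m["display"], m["owner"], m["path"], bool(m["missing"]), line)
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        return Entry("autorun", m["name"], "", exe_path(m["cmd"]), False, line)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def score_entry(e: Entry) -> Tuple[int, List[str]]:
    """Assumed point values: indicators a reviewer would check before trusting an entry."""
    score, reasons = 0, []
    if e.missing:
        score += 2
        reasons.append("binary missing (dangling entry)")
    if TEMP_RE.search(e.path):
        score += 3
        reasons.append("runs from the user's Temp folder")
    if e.kind == "service":
        if e.owner in ("", "Unknown owner"):
            score += 1
            reasons.append("no publisher in service description")
        stem = re.sub(r"\.exe$", "", e.path.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
        if e.display.upper() == stem.upper():
            score += 1
            reasons.append("display name is just the file name")
    return score, reasons


def triage(text: str, threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Entries at or above the (assumed) threshold, highest score first."""
    scored = [(e.display, *score_entry(e)) for e in parse_log(text)]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    for display, score, reasons in triage(SAMPLE_LOG):
        print(f"{score:2d}  {display}: {'; '.join(reasons)}")
```

Running the block lists only the two Temp-folder services from the sample; the signed NVIDIA service and the Run-key entries score zero and are left for the manual pass the reply above describes. The score is a sorting aid, not a verdict: a missing binary in Temp most often means a leftover from something already removed, and the service entry itself is still worth cleaning up.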
#7 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 07 February 2009 - 10:40 AM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
