Constant popups from both IE and Firefox


  • This topic is locked
8 replies to this topic

#1 oaoamate


Posted 13 February 2009 - 10:30 PM

First time posting. My brother's computer has been infected by some nasty malware. Whenever I open IE or Firefox there are popups, like stopzilla, antivirus scanner and even google. Tried different antivirus programs but still couldn't fix the problem. Hopefully someone can help me. Thanks in advance!

Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:17:30, on 13/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CPM63dd5d97] Rundll32.exe "c:\windows\system32\fiyamepe.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\fiyamepe.dll
O20 - Winlogon Notify: __c00338F6 - C:\WINDOWS\system32\__c00338F6.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 6154 bytes
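As an added example (not code from this thread, from Trend Micro or from any tool named here): a small Python triage script that parses the O4/O20 line format of the HijackThis log above and flags the entries a forum helper would look at first. The heuristics (random-looking lowercase DLL names loaded via rundll32, any AppInit_DLLs value, Winlogon Notify modules that are not DLLs) and the sample lines are this example's own construction; the sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis-style startup listings (added example)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: lines copied from the thread's HijackThis log, plus one
# ordinary O23 service line for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CPM63dd5d97] Rundll32.exe "c:\windows\system32\fiyamepe.dll",a
O20 - AppInit_DLLs: c:\windows\system32\fiyamepe.dll
O20 - Winlogon Notify: __c00338F6 - C:\WINDOWS\system32\__c00338F6.dat
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Heuristic (assumption of this example): droppers of that era used short
# random lowercase names such as fiyamepe.dll or kigebele.dll in system32.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$", re.IGNORECASE)
# A Run value that starts rundll32 with a DLL path; captures the DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_o4(body: str) -> Optional[str]:
    """O4 body looks like 'HKLM\\..\\Run: [Name] command line'."""
    m = RUNDLL_RE.search(body)
    if m and RANDOM_DLL_RE.match(basename(m.group(1))):
        return f"Run key loads random-named DLL via rundll32: {basename(m.group(1))}"
    return None


def check_o20(body: str) -> Optional[str]:
    """O20 covers AppInit_DLLs and Winlogon Notify entries."""
    lowered = body.lower()
    if lowered.startswith("appinit_dlls:"):
        value = body.split(":", 1)[1].strip()
        if value:
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # on a home XP box a non-empty value deserves a look.
            return f"AppInit_DLLs entry present: {value}"
    if lowered.startswith("winlogon notify:"):
        module = body.rsplit(" - ", 1)[-1].strip()
        if not module.lower().endswith(".dll"):
            return f"Winlogon Notify module is not a DLL: {basename(module)}"
    return None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {"O4": check_o4, "O20": check_o20}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, reason) for every entry a heuristic flags.

    These are hints for a human reviewer, not verdicts: a legitimate program
    can trip the name pattern, and a clean system can have an AppInit_DLLs value.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```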


#2 fenzodahl512


Posted 15 February 2009 - 03:42 AM

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall.




Please post these logs in your next reply... Post each log in a separate post

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 oaoamate


Posted 16 February 2009 - 05:30 PM

Thanks for the reply. My stupid brother is using Chinese Windows so there may be a few Chinese characters in the logs, and basically they mean desktop. Here are the logs.

SDFix:


SDFix: Version 1.240
Run by Administrator on Mon 16/02/2009 at 16:34

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WINDOW~1.EXE - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 16:50:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Kevin\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Documents and Settings\\grace li\\??\\utorrent.exe"="C:\\Documents and Settings\\grace li\\??\\utorrent.exe:*:Enabled:潡orrent"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:???? - Windows Messenger and Voice"
"C:\\Documents and Settings\\grace li\\??\\desk\\utorrent.exe"="C:\\Documents and Settings\\grace li\\??\\desk\\utorrent.exe:*:Enabled:潡orrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Nakido\\nakido.exe"="C:\\Program Files\\Nakido\\nakido.exe:*:Enabled:Nakido"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:潡orrent"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe:*:Enabled:NMBgMonitor"
"C:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe"="C:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe:*:Enabled:NkMonitor"
"C:\\WINDOWS\\system32\\conime.exe"="C:\\WINDOWS\\system32\\conime.exe:*:Enabled:conime"
"C:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"="C:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe:*:Enabled:Dot1XCfg"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\MSN Messenger\\usnsvc.exe"="C:\\Program Files\\MSN Messenger\\usnsvc.exe:*:Enabled:usnsvc"
"C:\\Program Files\\AVG\\AVG8\\avgrsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgrsx.exe:*:Enabled:avgrsx"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\WINDOWS\\system32\\userinit.exe"="C:\\WINDOWS\\system32\\userinit.exe:*:Enabled:userinit"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:IEXPLORE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 11 Feb 2009 141,041 A.SH. --- "C:\WINDOWS\system32\bumizujo.dll"
Wed 11 Feb 2009 141,041 A.SH. --- "C:\WINDOWS\system32\chxasl.dll"
Tue 10 Feb 2009 142,942 A.SH. --- "C:\WINDOWS\system32\dhzqij.dll"
--- 64,704 A.SH. --- "C:\WINDOWS\system32\dijanumo.dll.tmp"
--- 63,206 A.SH. --- "C:\WINDOWS\system32\dimoburi.dll.tmp"
--- 63,715 A.SH. --- "C:\WINDOWS\system32\dumavuja.dll.tmp"
Fri 13 Feb 2009 108,278 A.SH. --- "C:\WINDOWS\system32\fiyamepe.dll"
Tue 27 Jan 2009 2,707 ..SH. --- "C:\WINDOWS\system32\gitisowe.dll"
Fri 13 Feb 2009 95,509 A.SH. --- "C:\WINDOWS\system32\hemafovi.dll"
--- 63,715 A.SH. --- "C:\WINDOWS\system32\jiwofehu.dll.tmp"
--- 64,704 A.SH. --- "C:\WINDOWS\system32\kalahavi.dll.tmp"
Thu 12 Feb 2009 110,233 A.SH. --- "C:\WINDOWS\system32\kigebele.dll"
Fri 13 Feb 2009 144,052 A.SH. --- "C:\WINDOWS\system32\kulufegi.dll"
Fri 13 Feb 2009 144,052 A.SH. --- "C:\WINDOWS\system32\lyegik.dll"
Sat 7 Feb 2009 140,423 A..H. --- "C:\WINDOWS\system32\ndjboh.dll"
--- 63,715 A.SH. --- "C:\WINDOWS\system32\peyumupo.dll.tmp"
--- 63,206 A.SH. --- "C:\WINDOWS\system32\ravuhavu.dll.tmp"
Tue 10 Feb 2009 142,942 A.SH. --- "C:\WINDOWS\system32\sakabuji.dll"
--- 63,206 A.SH. --- "C:\WINDOWS\system32\segorado.dll.tmp"
Thu 12 Feb 2009 144,056 A.SH. --- "C:\WINDOWS\system32\uizvzm.dll"
--- 64,704 A.SH. --- "C:\WINDOWS\system32\vovugesi.dll.tmp"
Thu 12 Feb 2009 144,056 A.SH. --- "C:\WINDOWS\system32\zugahohe.dll"
Fri 23 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 2 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 14 Dec 2001 630,272 A..H. --- "C:\Documents and Settings\grace li\My Documents\Install\~WRL1744.tmp"
Mon 22 Oct 2001 81,408 A..H. --- "C:\Documents and Settings\grace li\My Documents\Install\~WRL2386.tmp"
Sat 13 Dec 2008 749,504 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\79e122a95a01a4aa6a35444ab9d160eb\BIT1.tmp"

Finished!




#4 oaoamate


Posted 16 February 2009 - 05:33 PM

Actually there are more Chinese characters, but they should mean the same thing as in the other logs, just replaced by Chinese characters.

ComboFix:

ComboFix 09-02-15.01 - Kevin 2009-02-16 17:05:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.1.1028.18.1014.639 [GMT -5:00]
執行位置: c:\documents and settings\Kevin\桌面\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Kevin\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\grace li\Application Data\gadcom
c:\documents and settings\grace li\Local Settings\Temporary Internet Files\fbk.sts
C:\mimic.log
c:\windows\system32\__c00338F6.dat
c:\windows\system32\__c0070C21.exe
c:\windows\system32\__c0077A24.dat
c:\windows\system32\bumizujo.dll
c:\windows\system32\chxasl.dll
c:\windows\system32\dhzqij.dll
c:\windows\system32\dijanumo.dll.tmp
c:\windows\system32\dimoburi.dll.tmp
c:\windows\system32\dllcache\http.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaxegvavyj.sys
c:\windows\system32\dumavuja.dll.tmp
c:\windows\system32\fiyamepe.dll
c:\windows\system32\h20FrdRt.exe.a_a
c:\windows\system32\hemafovi.dll
c:\windows\system32\jihkknpo.ini
c:\windows\system32\jihkknpo.ini2
c:\windows\system32\jiwofehu.dll.tmp
c:\windows\system32\kalahavi.dll.tmp
c:\windows\system32\kigebele.dll
c:\windows\system32\kulufegi.dll
c:\windows\system32\lyegik.dll
c:\windows\system32\ndjboh.dll
c:\windows\system32\peyumupo.dll.tmp
c:\windows\system32\PYIjPqru.ini
c:\windows\system32\PYIjPqru.ini2
c:\windows\system32\ravuhavu.dll.tmp
c:\windows\system32\sakabuji.dll
c:\windows\system32\segorado.dll.tmp
c:\windows\system32\senekaqchksubr.dll
c:\windows\system32\senekayirvakvp.dll
c:\windows\system32\Sv3jHmbV.exe.a_a
c:\windows\system32\uizvzm.dll
c:\windows\system32\vovugesi.dll.tmp
c:\windows\system32\zugahohe.dll
c:\windows\Tasks\ffsvlpdd.job
c:\windows\Tasks\wgsdcewv.job
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_TDSSSERV


((((((((((((((((((((((((( 2009-01-16 至 2009-02-16 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-02-16 16:27 . 2009-02-16 16:27 <DIR> d-------- c:\windows\ERUNT
2009-02-16 16:20 . 2009-02-16 16:20 <DIR> d-------- C:\SDFix
2009-02-13 18:28 . 2009-02-13 18:28 <DIR> d-------- c:\documents and settings\grace li\Application Data\vlc
2009-02-13 18:23 . 2009-02-13 21:45 1,567,362 ---hs---- c:\windows\system32\ivofameh.ini
2009-02-12 01:21 . 2009-02-13 01:22 1,671,704 ---hs---- c:\windows\system32\obopagap.ini
2009-02-11 06:29 . 2009-02-11 06:29 1,627,994 ---hs---- c:\windows\system32\ituyober.ini
2009-02-10 18:29 . 2009-02-09 23:18 1,675,275 --ahs---- c:\windows\system32\ifefawob.ini
2009-02-09 23:18 . 2009-02-09 23:18 1,675,275 ---hs---- c:\windows\system32\agimutam.ini
2009-02-08 12:32 . 2009-02-09 23:18 1,675,275 ---hs---- c:\windows\system32\eloguhit.ini
2009-02-07 18:24 . 2009-02-07 22:42 1,668,904 ---hs---- c:\windows\system32\ivebejit.ini
2009-02-07 00:00 . 2009-02-07 00:00 1,668,896 ---hs---- c:\windows\system32\onofafan.ini
2009-02-04 00:08 . 2009-02-04 00:09 1,562,854 ---hs---- c:\windows\system32\rkpxmkrb.ini
2009-02-03 00:09 . 2009-02-03 00:09 1,541,399 ---hs---- c:\windows\system32\tuacrklk.ini
2009-02-02 00:00 . 2009-02-02 00:00 1,497,619 ---hs---- c:\windows\system32\uxnnqxxj.ini
2009-01-27 17:02 . 2009-01-27 17:02 1,496,280 ---hs---- c:\windows\system32\usekimij.ini
2009-01-27 16:52 . 2009-01-27 16:52 2,707 ---hs---- c:\windows\system32\gitisowe.dll
2009-01-27 00:11 . 2009-01-27 00:11 1,504,587 ---hs---- c:\windows\system32\ozotisuk.ini
2009-01-26 12:11 . 2009-01-26 12:46 1,504,587 ---hs---- c:\windows\system32\ewozudar.ini
2009-01-26 00:11 . 2009-01-26 00:11 1,416,602 ---hs---- c:\windows\system32\owosesag.ini
2009-01-25 05:41 . 2009-01-25 06:07 1,416,620 ---hs---- c:\windows\system32\oyamibev.ini
2009-01-23 23:26 . 2009-01-23 23:27 1,416,602 ---hs---- c:\windows\system32\ekapejon.ini
2009-01-23 01:22 . 2009-01-23 01:22 1,416,602 ---hs---- c:\windows\system32\avonagoh.ini
2009-01-23 00:22 . 2009-01-23 00:23 1,416,602 ---hs---- c:\windows\system32\ubujavif.ini
2009-01-21 22:55 . 2009-01-21 22:59 1,416,602 ---hs---- c:\windows\system32\efarobuj.ini
2009-01-20 18:11 . 2009-01-20 18:11 120 ---hs---- c:\windows\system32\iyisoyay.ini
2009-01-20 00:38 . 2009-01-20 18:11 1,414,734 ---hs---- c:\windows\system32\avunetaf.ini
2009-01-19 23:38 . 2009-01-19 23:38 1,389,824 ---hs---- c:\windows\system32\akutihuy.ini
2009-01-19 03:34 . 2009-01-19 03:35 1,386,462 ---hs---- c:\windows\system32\inasetin.ini
2009-01-18 01:13 . 2009-01-18 01:13 1,386,462 ---hs---- c:\windows\system32\onisonib.ini
2009-01-17 01:10 . 2009-01-17 01:10 1,386,440 ---hs---- c:\windows\system32\ehulevez.ini
2009-01-17 00:11 . 2009-01-17 00:11 1,386,440 ---hs---- c:\windows\system32\ivabevar.ini
2009-01-16 00:17 . 2009-01-16 00:17 1,359,693 ---hs---- c:\windows\system32\amamuyep.ini

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 06:57 --------- d-----w c:\documents and settings\grace li\Application Data\uTorrent
2009-02-13 23:25 --------- d-----w c:\documents and settings\grace li\Application Data\dvdcss
2009-02-05 02:13 --------- d-----w c:\documents and settings\Kevin\Application Data\SUPERAntiSpyware.com
2009-02-05 02:12 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-30 04:39 --------- d-----w c:\documents and settings\grace li\Application Data\U3
2009-01-14 19:19 --------- d-----w c:\documents and settings\Kevin\Application Data\vlc
2009-01-14 19:19 --------- d-----w c:\documents and settings\Kevin\Application Data\dvdcss
2009-01-14 19:15 --------- d-----w c:\program files\Symantec
2009-01-14 19:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-14 18:57 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-14 18:57 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-14 18:57 --------- d-----w c:\program files\AVG
2009-01-14 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-14 18:52 --------- d-----w c:\program files\Norton AntiVirus
2009-01-14 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-12 18:45 --------- d-----w c:\documents and settings\Guest\Application Data\InterVideo
2009-01-10 10:08 --------- d-----w c:\documents and settings\grace li\Application Data\SUPERAntiSpyware.com
2009-01-07 04:56 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-05-29 04:15 129,760 -c--a-w c:\program files\mp3DirectCut.zip
2008-09-03 02:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080901\index.dat
2008-09-03 03:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
2008-09-04 03:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
2008-09-04 04:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
2008-09-06 03:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
2008-09-07 03:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
2008-09-07 06:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 53248]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-27 602182]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2003-07-14 63040]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2003-07-14 95296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-04 667718]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-09 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-14 1261336]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 c:\windows\agrsmmsg.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9b.exe" [2006-12-06 190072]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-01-20 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-15 05:54 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a--c--- 2004-08-22 04:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-12-18 00:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-09 13:18 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WmdmPmSN"=3 (0x3)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"Irmon"=2 (0x2)
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"ThpSrv"=thpsrv /logon
"TMERzCtl.EXE"=c:\program files\TOSHIBA\TME3\TMERzCtl.EXE /Service
"TMESRV.EXE"=c:\program files\TOSHIBA\TME3\TMESRV31.EXE /Logon
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\grace li\\桌面\\utorrent.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe"=
"c:\\WINDOWS\\system32\\conime.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-09-26 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-14 97928]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2006-01-20 5888]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-14 76040]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [2006-01-20 126976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-01-20 35968]
S2 realplay;realplay;c:\windows\G_Server1.23.exe --> c:\windows\G_Server1.23.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f9c4ed-54eb-11db-abff-0013027323f7}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
計劃任務 文件夾 裡的內容

2009-02-12 c:\windows\Tasks\At1.job
- c:\windows\system32\h20FrdRt.exe []

2009-01-26 c:\windows\Tasks\At10.job
- c:\windows\system32\h20FrdRt.exe []

2009-01-26 c:\windows\Tasks\At11.job
- c:\windows\system32\h20FrdRt.exe []

2009-01-26 c:\windows\Tasks\At12.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-14 c:\windows\Tasks\At13.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-08 c:\windows\Tasks\At14.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-08 c:\windows\Tasks\At15.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-08 c:\windows\Tasks\At16.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-16 c:\windows\Tasks\At17.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-16 c:\windows\Tasks\At17.job
- ?:\2 []

2009-02-08 c:\windows\Tasks\At18.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At19.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At2.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-14 c:\windows\Tasks\At20.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-14 c:\windows\Tasks\At21.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-14 c:\windows\Tasks\At22.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-14 c:\windows\Tasks\At23.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-14 c:\windows\Tasks\At24.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At25.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-13 c:\windows\Tasks\At26.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At27.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-15 c:\windows\Tasks\At28.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-15 c:\windows\Tasks\At29.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At3.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At30.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-13 c:\windows\Tasks\At31.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-13 c:\windows\Tasks\At32.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-01-26 c:\windows\Tasks\At33.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-01-26 c:\windows\Tasks\At34.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-01-26 c:\windows\Tasks\At35.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-01-26 c:\windows\Tasks\At36.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At37.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-08 c:\windows\Tasks\At38.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-08 c:\windows\Tasks\At39.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-15 c:\windows\Tasks\At4.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-08 c:\windows\Tasks\At40.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-16 c:\windows\Tasks\At41.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-08 c:\windows\Tasks\At42.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-13 c:\windows\Tasks\At43.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At44.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At45.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At46.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At47.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-14 c:\windows\Tasks\At48.job
- c:\windows\system32\Sv3jHmbV.exe []

2009-02-15 c:\windows\Tasks\At5.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At6.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At7.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-13 c:\windows\Tasks\At8.job
- c:\windows\system32\h20FrdRt.exe []

2009-01-26 c:\windows\Tasks\At9.job
- c:\windows\system32\h20FrdRt.exe []

2009-02-16 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-07-18 10:08]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c00338F6 - c:\windows\system32\__c00338F6.dat


.
------- 而外的掃描 -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = webproxy.queensu.ca:8080
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\7c71z84g.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 17:16:31
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\jadebaji.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Manual\YOUR-3C0D22373E_grace li\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0B55E802-1DFC-01C6-0000-00008D0E7F8D}]
"CheckState"=dword:00000001
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
完成時間: 2009-02-16 17:20:04 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-02-16 22:20:01

Pre-Run: 10,676,035,584 位元組可用
Post-Run: 11,274,784,768 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
403 --- E O F --- 2008-12-18 08:01:16


#5 oaoamate

oaoamate
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 16 February 2009 - 05:34 PM

Lastly a fresh HijackThis log, thanks again for the help:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:50, on 16/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: realplay - Unknown owner - C:\WINDOWS\G_Server1.23.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 5931 bytes


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 17 February 2009 - 12:14 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

ATjob::

Driver::
realplay

Rootkit::
c:\windows\G_Server1.23.exe

File::
c:\windows\G_Server1.23.exe
c:\windows\system32\ivofameh.ini
c:\windows\system32\obopagap.ini
c:\windows\system32\ituyober.ini
c:\windows\system32\ifefawob.ini
c:\windows\system32\agimutam.ini
c:\windows\system32\eloguhit.ini
c:\windows\system32\ivebejit.ini
c:\windows\system32\onofafan.ini
c:\windows\system32\rkpxmkrb.ini
c:\windows\system32\tuacrklk.ini
c:\windows\system32\uxnnqxxj.ini
c:\windows\system32\usekimij.ini
c:\windows\system32\gitisowe.dll
c:\windows\system32\ozotisuk.ini
c:\windows\system32\ewozudar.ini
c:\windows\system32\owosesag.ini
c:\windows\system32\oyamibev.ini
c:\windows\system32\ekapejon.ini
c:\windows\system32\avonagoh.ini
c:\windows\system32\ubujavif.ini
c:\windows\system32\efarobuj.ini
c:\windows\system32\iyisoyay.ini
c:\windows\system32\avunetaf.ini
c:\windows\system32\akutihuy.ini
c:\windows\system32\inasetin.ini
c:\windows\system32\onisonib.ini
c:\windows\system32\ehulevez.ini
c:\windows\system32\ivabevar.ini
c:\windows\system32\amamuyep.ini
c:\windows\system32\h20FrdRt.exe
c:\windows\system32\Sv3jHmbV.exe
c:\windows\system32\jadebaji.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 oaoamate

oaoamate
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 17 February 2009 - 03:11 PM

New ComboFix:

ComboFix 09-02-15.01 - Kevin 2009-02-17 14:50:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.1.1028.18.1014.519 [GMT -5:00]
執行位置: c:\documents and settings\Kevin\桌面\Fix\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\桌面\Fix\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* 成功創造新還原點

FILE ::
c:\windows\G_Server1.23.exe
c:\windows\system32\agimutam.ini
c:\windows\system32\akutihuy.ini
c:\windows\system32\amamuyep.ini
c:\windows\system32\avonagoh.ini
c:\windows\system32\avunetaf.ini
c:\windows\system32\efarobuj.ini
c:\windows\system32\ehulevez.ini
c:\windows\system32\ekapejon.ini
c:\windows\system32\eloguhit.ini
c:\windows\system32\ewozudar.ini
c:\windows\system32\gitisowe.dll
c:\windows\system32\h20FrdRt.exe
c:\windows\system32\ifefawob.ini
c:\windows\system32\inasetin.ini
c:\windows\system32\ituyober.ini
c:\windows\system32\ivabevar.ini
c:\windows\system32\ivebejit.ini
c:\windows\system32\ivofameh.ini
c:\windows\system32\iyisoyay.ini
c:\windows\system32\jadebaji.dll
c:\windows\system32\obopagap.ini
c:\windows\system32\onisonib.ini
c:\windows\system32\onofafan.ini
c:\windows\system32\owosesag.ini
c:\windows\system32\oyamibev.ini
c:\windows\system32\ozotisuk.ini
c:\windows\system32\rkpxmkrb.ini
c:\windows\system32\Sv3jHmbV.exe
c:\windows\system32\tuacrklk.ini
c:\windows\system32\ubujavif.ini
c:\windows\system32\usekimij.ini
c:\windows\system32\uxnnqxxj.ini
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\agimutam.ini
c:\windows\system32\akutihuy.ini
c:\windows\system32\amamuyep.ini
c:\windows\system32\avonagoh.ini
c:\windows\system32\avunetaf.ini
c:\windows\system32\efarobuj.ini
c:\windows\system32\ehulevez.ini
c:\windows\system32\ekapejon.ini
c:\windows\system32\eloguhit.ini
c:\windows\system32\ewozudar.ini
c:\windows\system32\gitisowe.dll
c:\windows\system32\ifefawob.ini
c:\windows\system32\inasetin.ini
c:\windows\system32\ituyober.ini
c:\windows\system32\ivabevar.ini
c:\windows\system32\ivebejit.ini
c:\windows\system32\ivofameh.ini
c:\windows\system32\iyisoyay.ini
c:\windows\system32\obopagap.ini
c:\windows\system32\onisonib.ini
c:\windows\system32\onofafan.ini
c:\windows\system32\owosesag.ini
c:\windows\system32\oyamibev.ini
c:\windows\system32\ozotisuk.ini
c:\windows\system32\rkpxmkrb.ini
c:\windows\system32\tuacrklk.ini
c:\windows\system32\ubujavif.ini
c:\windows\system32\usekimij.ini
c:\windows\system32\uxnnqxxj.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_REALPLAY
-------\Service_realplay


((((((((((((((((((((((((( 2009-01-17 至 2009-02-17 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-02-16 18:04 . 2009-02-16 18:04 1,374 --a------ c:\windows\imsins.BAK
2009-02-16 17:56 . 2009-02-16 17:56 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-16 17:50 . 2009-02-16 17:50 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-16 16:27 . 2009-02-16 16:27 <DIR> d-------- c:\windows\ERUNT
2009-02-16 16:20 . 2009-02-16 16:20 <DIR> d-------- C:\SDFix
2009-02-13 18:28 . 2009-02-13 18:28 <DIR> d-------- c:\documents and settings\grace li\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 06:57 --------- d-----w c:\documents and settings\grace li\Application Data\uTorrent
2009-02-13 23:25 --------- d-----w c:\documents and settings\grace li\Application Data\dvdcss
2009-02-05 02:13 --------- d-----w c:\documents and settings\Kevin\Application Data\SUPERAntiSpyware.com
2009-02-05 02:12 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-30 04:39 --------- d-----w c:\documents and settings\grace li\Application Data\U3
2009-01-14 19:19 --------- d-----w c:\documents and settings\Kevin\Application Data\vlc
2009-01-14 19:19 --------- d-----w c:\documents and settings\Kevin\Application Data\dvdcss
2009-01-14 19:15 --------- d-----w c:\program files\Symantec
2009-01-14 19:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-14 18:57 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-14 18:57 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-14 18:57 --------- d-----w c:\program files\AVG
2009-01-14 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-14 18:52 --------- d-----w c:\program files\Norton AntiVirus
2009-01-14 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-12 18:45 --------- d-----w c:\documents and settings\Guest\Application Data\InterVideo
2009-01-10 10:08 --------- d-----w c:\documents and settings\grace li\Application Data\SUPERAntiSpyware.com
2009-01-07 04:56 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2007-05-29 04:15 129,760 -c--a-w c:\program files\mp3DirectCut.zip
2008-09-03 02:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080901\index.dat
2008-09-03 03:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
2008-09-04 03:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
2008-09-04 04:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
2008-09-06 03:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
2008-09-07 03:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
2008-09-07 06:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_17.18.55.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:04:07 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:04:07 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:04:07 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:04:07 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:04:08 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:09:54 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:04:08 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:04:08 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:04:08 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:04:09 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:04:12 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:04:12 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:04:12 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:04:13 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:04:14 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:04:14 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:36:25 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:04:17 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:04:18 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:04:18 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:04:18 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:04:18 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 03:45:43 207,072 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 03:46:53 328,928 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:04:18 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:04:19 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:04:19 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:04:20 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2008-10-16 20:04:07 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 22:30:54 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:04:07 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 22:30:54 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:04:07 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 22:30:55 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:04:07 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 22:30:55 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:04:07 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 22:30:55 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:04:08 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 22:30:55 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:09:54 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:08:03 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:04:08 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 22:30:55 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:04:08 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 22:30:55 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:04:08 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 22:30:56 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:04:09 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 22:30:56 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:04:12 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 22:31:01 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:04:12 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 22:31:01 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:04:12 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 22:31:01 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:04:13 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 22:31:03 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:04:14 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 22:31:03 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:04:14 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 22:31:03 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:36:25 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 02:01:20 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:04:17 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 22:31:08 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:04:18 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 22:31:08 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:04:18 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 22:31:09 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:04:18 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 22:31:09 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:04:18 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 22:31:09 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-09-08 10:41:42 333,824 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-10-16 20:04:18 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 22:31:10 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:04:19 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 22:31:10 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:04:19 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 22:31:11 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:04:20 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 22:31:11 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 10:57:09 333,952 ----a-w c:\windows\system32\drivers\srv.sys
+ 2009-02-16 22:56:03 64,160 -c--a-w c:\windows\system32\DRVSTORE\lbd_923BE31CA656B1FA81A83E39136817ED80E62FB3\Lbd.sys
- 2008-10-16 20:04:07 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 22:30:55 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:04:07 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 22:30:55 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:04:07 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-12-20 22:30:55 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-10-16 20:04:08 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 22:30:55 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:09:54 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:08:03 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:04:08 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2008-12-20 22:30:55 153,088 ------w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:04:08 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2008-12-20 22:30:55 230,400 ------w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\ieakui.dll
- 2008-10-16 20:04:08 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 22:30:56 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:04:09 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 22:30:56 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:04:12 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 22:31:01 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:04:12 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-12-20 22:31:01 44,544 ------w c:\windows\system32\iernonce.dll
- 2008-10-16 20:04:12 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 22:31:01 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:04:13 27,648 ------w c:\windows\system32\jsproxy.dll
+ 2008-12-20 22:31:03 27,648 ------w c:\windows\system32\jsproxy.dll
+ 2009-02-12 01:56:18 21,244,872 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:04:14 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 22:31:03 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:04:14 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 22:31:03 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:36:25 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 02:01:20 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:04:17 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 22:31:08 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:04:18 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-12-20 22:31:08 193,024 ------w c:\windows\system32\msrating.dll
- 2008-10-16 20:04:18 671,232 ------w c:\windows\system32\mstime.dll
+ 2008-12-20 22:31:09 671,232 ------w c:\windows\system32\mstime.dll
- 2008-10-16 20:04:18 102,912 ------w c:\windows\system32\occache.dll
+ 2008-12-20 22:31:09 102,912 ------w c:\windows\system32\occache.dll
- 2008-10-16 20:04:18 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 22:31:09 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 12:41:03 15,224 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:59:59 15,224 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:04:18 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 22:31:10 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:04:19 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 22:31:10 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:04:19 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 22:31:11 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:04:20 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 22:31:11 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-07-29 13:05:06 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 08:54:08 225,280 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05:08 572,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 13:05:08 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 08:54:12 312,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2008-07-29 13:05:08 875,520 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 13:05:08 1,180,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2008-07-29 13:05:12 5,937,144 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 13:05:12 5,982,720 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 11:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2008-07-29 11:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 13:05:08 3,768,312 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 13:05:10 3,783,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 11:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 11:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:05:06 38,912 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:05:06 39,936 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05:08 66,560 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05:08 56,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05:06 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05:08 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05:06 66,048 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05:08 64,512 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05:08 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05:08 46,080 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05:08 62,976 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
.
-- 快照技術重新設置 --
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 53248]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-27 602182]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2003-07-14 63040]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2003-07-14 95296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-04 667718]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-09 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-14 1261336]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-16 509784]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 c:\windows\agrsmmsg.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9b.exe" [2006-12-06 190072]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-01-20 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-15 05:54 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a--c--- 2004-08-22 04:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-12-18 00:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-09 13:18 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WmdmPmSN"=3 (0x3)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"Irmon"=2 (0x2)
"iPodService"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"ThpSrv"=thpsrv /logon
"TMERzCtl.EXE"=c:\program files\TOSHIBA\TME3\TMERzCtl.EXE /Service
"TMESRV.EXE"=c:\program files\TOSHIBA\TME3\TMESRV31.EXE /Logon
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\grace li\\桌面\\utorrent.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe"=
"c:\\WINDOWS\\system32\\conime.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-16 64160]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-09-26 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-14 97928]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2006-01-20 5888]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-14 76040]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [2006-01-20 126976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-01-20 35968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f9c4ed-54eb-11db-abff-0013027323f7}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
計劃任務 文件夾 裡的內容

2009-02-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-16 17:56]

2009-02-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-07-18 10:08]
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = webproxy.queensu.ca:8080
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\7c71z84g.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 14:59:31
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Manual\YOUR-3C0D22373E_grace li\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0B55E802-1DFC-01C6-0000-00008D0E7F8D}]
"CheckState"=dword:00000001
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
完成時間: 2009-02-17 15:03:22 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-02-17 20:03:19
ComboFix2.txt 2009-02-16 22:20:05

Pre-Run: 10,783,993,856 位元組可用
Post-Run: 10,869,751,808 位元組可用

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
528 --- E O F --- 2009-02-16 23:07:17


New HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:32, on 17/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 6175 bytes


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 18 February 2009 - 01:26 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 25 February 2009 - 07:43 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
