Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Malware


  • Please log in to reply
13 replies to this topic

#1 armaggedonlights

armaggedonlights

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 29 April 2009 - 10:34 PM

I am posting this in the favor for a friend, she owns a Windows XP service pack 3, which suddenly appears to be infected with some sort of malware. The malware sometimes redirects links that she clicks on to another, clearly suspicious, site. She originally noticed this problem whilst doing a websearch with yahoo, where clicking on a link to a legitimate website led instead to another, seemingly innocuous but clearly incorrect website. The problem seemed to get worse, and now frequently occurs.

I'm not sure if this would be too much help, but here is a hijackthis log for your consideration, thanks for your help:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:20:44, on 2009/4/29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Thunderbird] "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 7301 bytes

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:51 AM

Posted 11 May 2009 - 10:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 armaggedonlights

armaggedonlights
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 12 May 2009 - 06:25 PM

I tried running the DDS and the following occurred: A black window appeared for a very very brief moment (less than a second) and then disappeared, and afterwards no other activity occurred. I tried again and the very same happened.


The state of the computer appears to not have changed and still frequently redirects clicked on links to other sites.

Another peculiar phenomenon that sprung up is the fact that youtube videos no longer would load, and instead would always say "unknown error occurred" I don't know if this is related nor if its even significant, but it is something that has never happened prior to this.

#4 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 15 May 2009 - 10:50 AM

Hello armaggedonlights and thank you for your patience,

1. Download rsit.exe and save it to your desktop.


2.Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    Posted Image
    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


======================================

Next, double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
===================

Please include these 3 reports in your next reply:

ark.txt <--attach this one please
log.txt
info.txt

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 armaggedonlights

armaggedonlights
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 23 May 2009 - 12:44 PM

Hi.

Thanks for your help, here are the logs, and ark.txt is attached:

info.txt:

info.txt logfile of random's system information tool 1.06 2009-05-23 10:39:05

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2WIRE Wireless LAN - USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-1211-088635773309}\Setup.exe" -l0x9
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 3.0-->MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
Adobe Reader 7.0.9 - Chinese Traditional-->MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A70900000002}
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Brother HL-2040-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{07072EC3-EEC3-4317-B361-B8EFA4551732}\SETUP.exe" -l0x9 -removeonly /uninst
Brother MFL-Pro Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40A6C96D-808E-41DD-8716-617AB6B0F1F1}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CA Anti-Virus-->"C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
CA Yahoo! Anti-Spy (remove only)-->"C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe"
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Ezonics Greeting Cam Deluxe-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ezonics\Ezonics Greeting Cam Deluxe\Uninst.isu"
EZPhoto Browser-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A393E43-9F1B-4B4D-AFC3-E4B6663F6DD3}\Setup.exe" -l0x404
EZSuite For EZCam III-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{313aa16e-8c61-410c-a225-917462421659}\Setup.exe" -l0x404
GameSpy Arcade-->C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_BDA1448D3D255554.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Graphmatica-->C:\Program Files\Graphmatica\uninstall.exe
Highlight Viewer (Windows Live Toolbar)-->MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ijji Auto Installer-->"C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Map Button (Windows Live Toolbar)-->MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Microsoft Halo Trial-->"C:\Program Files\Microsoft Games\Halo Trial\UNINSTAL.EXE" /runtemp /addremove
Microsoft Halo-->"C:\Program Files\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Monopoly Tycoon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B975F4A1-63B6-11D4-BFEC-005004AF2D32}\Setup.exe"
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroMIX-->C:\WINDOWS\UNNMIX.exe /UNINSTALL
NeroVision Express 2-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
PaperPort-->MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Power Sound Editor Free-->C:\PROGRA~1\POWERS~1\UNWISE.EXE C:\PROGRA~1\POWERS~1\INSTALL.LOG
QuickTime-->MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
RollerCoaster Tycoon 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
Skype? 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Smart Menus (Windows Live Toolbar)-->MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Outlook 2007 Junk Email Filter (kb968503)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5DD98950-4D10-4B79-8BF6-59726705207D}
USB PC Camera-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9698A67-7E71-11D8-B9BF-00E018FAA1E4}\setup.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Internet Explorer 7 Hotfix (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Windows Live Favorites for Windows Live Toolbar-->MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Toolbar Extension (Windows Live Toolbar)-->MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Media Player 安全性更新 (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Windows XP Hotfix (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Windows XP 安全性更新 (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Windows XP 更新 (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Windows XP 更新 (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows XP 更新 (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Windows XP 更新 (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
自然輸入法 6.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A994466-662E-47B7-9021-6517DB027273}\Setup.exe"
自然輸入法-語音套件-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4439DC22-9387-4A72-91E2-D8D9BCAFC8C5}\Setup.exe"

======Security center information======

AV: CA Anti-Virus

======System event log======

Computer Name: LOVE
Event Code: 7036
Message: IMAPI CD-Burning COM Service 服務已進入 停止 狀態。

Record Number: 14879
Source Name: Service Control Manager
Time Written: 20090220155222.000000-480
Event Type: 資訊
User:

Computer Name: LOVE
Event Code: 7036
Message: IMAPI CD-Burning COM Service 服務已進入 執行中 狀態。

Record Number: 14878
Source Name: Service Control Manager
Time Written: 20090220155215.000000-480
Event Type: 資訊
User:

Computer Name: LOVE
Event Code: 7035
Message: IMAPI CD-Burning COM Service 服務已成\地傳送一個 開始 控制。

Record Number: 14877
Source Name: Service Control Manager
Time Written: 20090220155214.000000-480
Event Type: 資訊
User: NT AUTHORITY\SYSTEM

Computer Name: LOVE
Event Code: 7036
Message: Remote Access Connection Manager 服務已進入 執行中 狀態。

Record Number: 14876
Source Name: Service Control Manager
Time Written: 20090220155207.000000-480
Event Type: 資訊
User:

Computer Name: LOVE
Event Code: 7035
Message: Remote Access Connection Manager 服務已成\地傳送一個 開始 控制。

Record Number: 14875
Source Name: Service Control Manager
Time Written: 20090220155205.000000-480
Event Type: 資訊
User: LOVE\God's Beloved

=====Application event log=====

Computer Name: LOVE
Event Code: 3
Message:
Record Number: 1608
Source Name: NProtectService
Time Written: 20080801080608.000000-420
Event Type: 資訊
User: NT AUTHORITY\SYSTEM

Computer Name: LOVE
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 1607
Source Name: Adobe Active File Monitor
Time Written: 20080801080608.000000-420
Event Type:
User:

Computer Name: LOVE
Event Code: 1800
Message: Windows 資訊安全中心服務已啟動。

Record Number: 1606
Source Name: SecurityCenter
Time Written: 20080801050913.000000-420
Event Type: 資訊
User:

Computer Name: LOVE
Event Code: 3
Message:
Record Number: 1605
Source Name: NProtectService
Time Written: 20080801050912.000000-420
Event Type: 資訊
User: NT AUTHORITY\SYSTEM

Computer Name: LOVE
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 1604
Source Name: Adobe Active File Monitor
Time Written: 20080801050912.000000-420
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------










log.txt:


Logfile of random's system information tool 1.06 (written by random/random)
Run by God's Beloved at 2009-05-23 10:38:48
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (47%) free of 50 GB
Total RAM: 479 MB (25% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:01 AM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\GOD'SB~1\LOCALS~1\Temp\暫時目錄 2 用於 gmer.zip\gmer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\God's Beloved\桌面\Computer\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\God's Beloved.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Thunderbird] "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ¥D±±¥x - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9024 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-11-20 878352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2007-12-19 370296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-02 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-18 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-02 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-11-20 878352]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-02 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]
"PHIME2002ASync"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"PHIME2002A"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-08-19 65024]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2003-07-10 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2003-07-10 114688]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2004-04-14 57393]
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2004-04-14 40960]
"SetDefPrt"=C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe [2004-05-25 49152]
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe [2004-07-20 851968]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-12-19 185896]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-02-01 385024]
"Thunderbird"=C:\Program Files\Mozilla Thunderbird\thunderbird.exe []
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
"cctray"=C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe [2009-01-23 177392]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2008-12-29 230928]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-12-21 68856]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"jvsoft"=C:\WINDOWS\system32\j3ewro.exe []

C:\Documents and Settings\All Users\「開始」\能表\程式集\啟動
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-07-10 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\ijji\ENGLISH\u_sf\soldierfront.exe"="C:\ijji\ENGLISH\u_sf\soldierfront.exe:*:Disabled:soldierfront"
"C:\Program Files\Microsoft Games\Halo Trial\halo.exe"="C:\Program Files\Microsoft Games\Halo Trial\halo.exe:*:Disabled:Halo"
"C:\Program Files\Microsoft Games\Halo\halo.exe"="C:\Program Files\Microsoft Games\Halo\halo.exe:*:Disabled:Halo"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a34474f-bcb8-11dc-86eb-00e04cbac165}]
shell\AutoRun\command - ntdelect.com
shell\explore\command - ntdeIect.com
shell\open\command - ntdeIect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4270b2fe-ad29-11dc-86d2-00e04cbac165}]
shell\AutoRun\command - ntdelect.com
shell\explore\command - ntdeIect.com
shell\open\command - ntdeIect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5802150e-5210-11dd-87ba-00e04cbac165}]
shell\AutoRun\command - G:\tj8odymw.exe
shell\explore\command - G:\tj8odymw.exe
shell\open\command - G:\tj8odymw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6d9e4a4-6220-11dd-87d2-001e379448bf}]
shell\AutoRun\command - x.cmd
shell\explore\command - x.cmd
shell\open\command - x.cmd


======List of files/folders created in the last 1 months======

2009-05-23 10:38:48 ----D---- C:\rsit
2009-05-12 16:57:59 ----A---- C:\WINDOWS\system32\msonpmon.dll
2009-05-12 16:55:41 ----D---- C:\Program Files\Microsoft Works
2009-05-12 16:55:29 ----D---- C:\Program Files\MSBuild
2009-05-12 16:54:55 ----D---- C:\Program Files\Microsoft Visual Studio
2009-05-12 16:54:55 ----D---- C:\Program Files\Common Files\DESIGNER
2009-05-12 16:45:56 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-05-12 16:44:42 ----RHD---- C:\MSOCache
2009-04-29 20:20:09 ----D---- C:\Program Files\Trend Micro
2009-04-29 20:14:30 ----A---- C:\WINDOWS\RtlRack.ini

======List of files/folders modified in the last 1 months======

2009-05-23 10:38:20 ----D---- C:\WINDOWS\Prefetch
2009-05-23 10:29:46 ----D---- C:\WINDOWS\system32
2009-05-23 10:29:46 ----D---- C:\WINDOWS
2009-05-22 11:48:48 ----D---- C:\Program Files\Mozilla Firefox
2009-05-22 11:41:42 ----D---- C:\WINDOWS\CAVTemp
2009-05-22 11:38:32 ----D---- C:\WINDOWS\Temp
2009-05-20 22:32:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-19 22:19:08 ----D---- C:\Documents and Settings\God's Beloved\Application Data\Skype
2009-05-17 20:14:51 ----SD---- C:\Documents and Settings\God's Beloved\Application Data\Microsoft
2009-05-12 23:37:53 ----SHD---- C:\WINDOWS\Installer
2009-05-12 17:04:07 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-12 17:03:52 ----HD---- C:\WINDOWS\inf
2009-05-12 17:03:12 ----D---- C:\WINDOWS\ShellNew
2009-05-12 17:02:54 ----A---- C:\WINDOWS\win.ini
2009-05-12 17:02:47 ----D---- C:\Program Files\Common Files\System
2009-05-12 16:57:36 ----D---- C:\WINDOWS\system32\config
2009-05-12 16:55:41 ----RD---- C:\Program Files
2009-05-12 16:55:32 ----D---- C:\WINDOWS\WinSxS
2009-05-12 16:55:12 ----D---- C:\Program Files\Microsoft Office
2009-05-12 16:54:55 ----D---- C:\Program Files\Common Files
2009-05-12 16:54:12 ----RSD---- C:\WINDOWS\Fonts
2009-05-12 16:53:37 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-05-12 16:51:23 ----D---- C:\WINDOWS\Media
2009-05-12 16:35:41 ----D---- C:\WINDOWS\system32\CatRoot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 FsVga;FsVga; C:\WINDOWS\System32\DRIVERS\fsvga.sys [2001-09-05 12160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 39168]
R1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2008-12-28 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2008-12-29 21648]
R1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2008-12-29 26640]
R1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2008-12-29 32528]
R1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2008-12-29 21392]
R2 BrPar;BrPar; C:\WINDOWS\System32\drivers\BrPar.sys [2000-07-24 19537]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-04 120094]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-04 96858]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-08-19 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-08-19 541548]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-08-04 91419]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2004-08-04 605308]
R3 mouhid;滑鼠 HID 驅動程式; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-09-05 12160]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2008-12-28 108368]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS); C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\GOD'SB~1\LOCALS~1\Temp\aujasnkj.sys []
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 15263]
S3 CA561;EZCam III; C:\WINDOWS\System32\Drivers\SPCA561.SYS [2002-10-01 119798]
S3 CCDECODE;字幕解碼器; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 Dot4;IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB 一般上層驅動程式; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB 掃描器驅動程式; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;世界標準電傳轉碼器; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor;Adobe Active File Monitor; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 brmfrmps;Brother Popup Suspend service for Resource manager; C:\WINDOWS\system32\Brmfrmps.exe [2003-05-05 65536]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-12 57344]
R2 CAISafe;CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe [2008-12-29 144960]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R2 VETMSGNT;VET Message Service; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe [2008-12-29 243216]
R3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2009-01-23 214256]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-02 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

Attached Files

  • Attached File  ark.txt   728bytes   1 downloads


#6 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 23 May 2009 - 02:29 PM

Hello armaggedonlights,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

1. Download Flash_Disinfector.exe and save it to your desktop.


2. Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop** Do NOT run it yet.

=====================================

Disable your AntiVirus and AntiSpyware applications as they may otherwise interfere with our tools

=====================================


Locate the removable drive that is typically your G: drive as it carries infection.


Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
=====================================


Once again, disable your AntiVirus and AntiSpyware applications as they may otherwise interfere with our tools


=====================================

Double click on combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 armaggedonlights

armaggedonlights
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 25 May 2009 - 12:26 AM

Hi Ried,

We have ran the flash disinfecter on all usb accessories, and then ran the combofix.

Here is the log:


ComboFix 09-05-24.06 - God's Beloved 4/2009 Sun 22:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.479.196 [GMT -7:00]
執行位置: c:\documents and settings\God's Beloved\桌面\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ian\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

.
((((((((((((((((((((((((( 2009-04-25 至 2009-05-25 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-05-23 17:38 . 2009-05-23 17:39 -------- d-----w C:\rsit
2009-05-21 04:29 . 2009-05-21 04:29 390664 ----a-w c:\documents and settings\God's Beloved\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-12 23:57 . 2006-10-27 02:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-05-12 23:55 . 2009-05-12 23:55 -------- d-----w c:\program files\Microsoft Works
2009-05-12 23:55 . 2009-05-12 23:55 -------- d-----w c:\program files\MSBuild
2009-05-12 23:46 . 2009-05-12 23:46 -------- d-----w c:\documents and settings\God's Beloved\Local Settings\Application Data\Microsoft Help
2009-05-12 23:45 . 2009-05-13 06:37 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-12 23:44 . 2009-05-12 23:44 -------- d--h--r C:\MSOCache
2009-04-30 03:20 . 2009-04-30 03:20 -------- d-----w c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 05:19 . 2009-03-12 03:47 -------- d-----w c:\documents and settings\God's Beloved\Application Data\Skype
2009-05-18 02:53 . 2007-12-17 06:24 78688 ----a-w c:\documents and settings\God's Beloved\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 23:37 . 2007-12-18 15:53 1606 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-04-14 23:37 . 2001-09-05 12:00 42174 ----a-w c:\windows\system32\prfc0404.dat
2009-04-14 23:37 . 2001-09-05 12:00 130736 ----a-w c:\windows\system32\prfh0404.dat
2009-04-13 16:47 . 2007-12-18 05:16 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-13 16:47 . 2008-01-06 18:21 -------- d-----w c:\documents and settings\God's Beloved\Application Data\ZoomBrowser EX
2009-03-31 04:59 . 2009-03-24 00:23 28800 ----a-w c:\windows\snap.dat
2009-03-30 21:31 . 2008-02-22 22:32 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-06 14:19 . 2001-09-05 12:00 292352 ------w c:\windows\system32\pdh.dll
2009-03-03 00:03 . 2001-09-05 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2008-02-13 23:46 . 2008-02-13 23:43 23344432 ----a-w c:\program files\QuickTimeInstaller.exe
2007-12-21 05:58 . 2007-12-21 05:58 1491592 ----a-w c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*`意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-22 68856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-20 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-23 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-12-30 230928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-08-19 65024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「開始」\能表\程式集\啟動\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2009-3-22 65536]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2007-12-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
.
‘計劃任務’ 文件夾 裡的內容

2009-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-05-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-12-18 20:23]

2009-05-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 05:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Thunderbird - c:\program files\Mozilla Thunderbird\thunderbird.exe
SafeBoot-procexp90.Sys


.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\God's Beloved\Application Data\Mozilla\Firefox\Profiles\dapgrwku.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 22:15
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。


c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\ 4718592 bytes
c:\documents and settings\God's Beloved\ 1024 bytes
c:\documents and settings\God's Beloved\ 178 bytes
c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\ 23344432 bytes executable
c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\ 1551014 bytes executable
c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\c:\documents and settings\God's Beloved\
c:\documents and settings\All Users\c:\documents and settings\All Users\c:\documents and settings\All Users\c:\documents and settings\All Users\c:\documents and settings\All Users\c:\documents and settings\All Users\c:\documents and settings\All Users\c:\documents and settings\All Users\

掃描完成
被隱藏的檔案: 28

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1547161642-573735546-725345543-1003\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxxPNWKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
完成時間: 2009-05-25 22:16
ComboFix-quarantined-files.txt 2009-05-25 05:16

Pre-Run: 25,434,607,616 位元組可用
Post-Run: 28,262,813,696 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

176 --- E O F --- 2009-05-13 06:37

#8 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 26 May 2009 - 07:43 AM

How is the system behaving now? Is she still being redirected and if so, what browser(s) does this occur in?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#9 armaggedonlights

armaggedonlights
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 28 May 2009 - 08:05 PM

After using the comp for a bit more, she realized that the redirecting problem seems to have subsided. Since following these instructions, she has not been redirected even once. However, one thing she did notice was that the computer tends to freeze in its tracks for a second or two every few minutes. After it stops hanging, all instructions given during the time suddenly get executed almost simultaneous. Afterwards, the computer operates normally for a few minutes until the same process occurs. This happens regardless of what program she is running. She says this has never occurred before, and could be a new symptom.

#10 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 29 May 2009 - 08:36 AM

Please have her run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#11 armaggedonlights

armaggedonlights
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 02 June 2009 - 01:00 AM

Hi,

Thanks again for your continued aid in alleviating this computer's woes. It seems to be running smoother now but is still prone to sporadic hangs.

Here is the scan from the online scanner, the results is as follows:








-----Inline Attachment Follows-----

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 01, 2009 23:09:52
Records in database: 2293167
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 54511
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:38:57


File name / Threat name / Threats count
C:\Documents and Settings\God's Beloved\Application Data\Thunderbird\Profiles\2zejaeb5.default\Mail\localhost\Inbox Infected: Trojan-PSW.Win32.Magania.qdk 3
C:\Documents and Settings\God's Beloved\Application Data\Thunderbird\Profiles\2zejaeb5.default\Mail\localhost\Inbox Infected: Trojan-PSW.Win32.Magania.qqy 1
C:\Documents and Settings\God's Beloved\Application Data\Thunderbird\Profiles\2zejaeb5.default\Mail\localhost\Inbox Infected: Trojan-PSW.Win32.OnLineGames.rztb 1
C:\Documents and Settings\God's Beloved\Application Data\Thunderbird\Profiles\2zejaeb5.default\Mail\localhost\Trash Infected: Trojan-PSW.Win32.Magania.qdk 1

The selected area was scanned.

#12 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 02 June 2009 - 09:14 PM

Kaspersky is reporting infected emails. Unfortunately, it does not provide the specific email in question. My suggestion is to have her empty the Inbox and the Trash.

Other than that, the logs are clean. If the system still has sporadic hangs, my suggestion is to discuss this issue with the folks in the Windows XP Home and Professional section of this forum.

=================================

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect her computer in the future I recommend that you get the following free programs if she does not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of her recent issue, she should have a look at this well written, informative article:


Think Prevention



**Kindly respond one more time and let me know if we may consider this thread resolved.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#13 armaggedonlights

armaggedonlights
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 08 June 2009 - 11:15 PM

Ok she followed the instructions, and says that her computer seems fine now. Thanks for all the help, and the problems in this topic are now resolved.


Once again, thanks :]

#14 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 09 June 2009 - 04:02 PM

Glad to hear that, armaggedonlights. :)

You're quite welcome. :thumbup2:

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users