
Malware: sopidkc.exe


  • This topic is locked
13 replies to this topic

#1 jason86

jason86

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:00 PM

Posted 06 July 2009 - 08:18 PM

Hi,

I have this stupid malware which Spybot can detect. It prompts me to delete the item, but after deleting it comes back again. I can't seem to fix this using HijackThis either. Can anybody help me?

Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:21 AM, on 7/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ipswitch\IM Client\IMClient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [_IMClient_] "C:\Program Files\Ipswitch\IM Client\IMClient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://wcsql1.ritetrack.com/Reports/Reserv...OpType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtasia.rt
O17 - HKLM\Software\..\Telephony: DomainName = rtasia.rt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtasia.rt
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = rtasia.rt
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9f535900e9459) (gupdate1c9f535900e9459) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe

--
End of file - 8341 bytes
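The `O23 - Service:` entries in a HijackThis log like the one above are where a helper looks first for a service such as `sopidkc Service (sopidkc)` living in `system32` under an unfamiliar publisher. The following is an added triage script, not part of the forum thread or of HijackThis itself: it parses O23 lines and flags services whose binary sits under the Windows directory but whose publisher is not on a constructed list of expected vendors (`EXPECTED_SYSTEM_PUBLISHERS`, an assumption), or whose publisher is not recorded at all. The sample lines are copied from the log posted above.

```python
"""Triage helper for 'O23 - Service:' lines from a HijackThis v2 log.

Added example (not the forum's or HijackThis's own code).  A flag is a
prompt for a closer look by the helper, not a verdict on the file.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: O23 lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe
"""

# Assumption: publishers an administrator expects to install services under the
# Windows directory on this particular machine.  Anything else there gets flagged.
EXPECTED_SYSTEM_PUBLISHERS = {
    "microsoft corporation",
    "ati technologies inc.",
    "hp",
    "prolific technology inc.",
}

O23_PREFIX = "O23 - Service: "
# HijackThis appends the service's short name in parentheses after the display name.
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")


@dataclass
class Service:
    display: str
    short: Optional[str]
    owner: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Return a Service for an 'O23 - Service:' line, or None for any other line."""
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):]
    # Format: <display name> - <owner> - <path>.  The display name may itself
    # contain " - " (e.g. "Spybot - Search & Destroy"), so split from the right.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = (p.strip() for p in parts)
    m = SHORT_NAME_RE.search(display)
    return Service(display, m.group(1) if m else None, owner, path)


def in_windows_dir(path: str) -> bool:
    """True if the binary lives under the Windows directory (system32 included)."""
    return "\\windows\\" in path.lower().replace("/", "\\")


def triage(svc: Service) -> Service:
    """Attach human-readable reasons for review; an empty list means nothing stood out."""
    owner = svc.owner.lower()
    if owner == "unknown owner":
        svc.reasons.append("no publisher recorded for the service binary")
    if in_windows_dir(svc.path) and owner not in EXPECTED_SYSTEM_PUBLISHERS:
        svc.reasons.append("binary under the Windows directory from an unexpected publisher")
    return svc


def review_log(text: str) -> list:
    """Parse every O23 line in a log and return only the services worth a closer look."""
    flagged = []
    for raw in text.splitlines():
        svc = parse_o23(raw.strip())
        if svc is not None and triage(svc).reasons:
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    for s in review_log(SAMPLE_LOG):
        print(f"{s.short or s.display}: {s.path}")
        for r in s.reasons:
            print(f"    - {r}")
```

Running it on the sample prints `sopidkc` (unexpected publisher in system32) together with the two `Unknown owner` entries, while the ESET, Apple, ATI HotKey and Prolific services pass without comment.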



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:00 PM

Posted 09 July 2009 - 01:38 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

------------------------------------------------------------------------------------------------------------------

NOTE: IMPORTANT! To other lurkers who see this topic, if you ever want to use ComboFix, please have a look at the tutorial below.. You have been warned!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 jason86

jason86
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:00 PM

Posted 09 July 2009 - 04:18 AM

Thank you for your advice. I am unable to disable my NOD32 virus scan due to the IT department locking that function. Nonetheless, I went ahead with the instructions without disabling it. I hope it will still work. Here are the logs.


ComboFix 09-07-08.06 - fankai 9/2009 Thu 17:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1406.842 [GMT 8:00]
执行位置: c:\documents and settings\nleong.RTASIA\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* 防毒软件还在运行中

.
/wow section - STAGE 完成项目3
& was unexpected at this time.

/wow section 未完成

((((((((((((((((((((((((( 2009-06-09 至 2009-07-09 的新的档案 )))))))))))))))))))))))))))))))
.

2009-07-03 01:43 . 2009-07-03 01:43 -------- d-----w- c:\program files\Trend Micro
2009-07-01 02:43 . 2009-07-01 05:23 -------- d-----w- c:\documents and settings\nleong.RTASIA\.housecall6.6
2009-06-30 03:12 . 2009-06-30 03:12 7 ----a-w- c:\windows\system32\comsa32.sys
2009-06-29 03:23 . 2009-06-29 03:23 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Help
2009-06-29 03:22 . 2009-06-29 03:22 -------- d-----w- c:\program files\4Pockets
2009-06-29 03:14 . 2009-06-29 03:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-25 08:21 . 2009-06-25 08:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-25 01:38 . 2009-06-25 01:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-25 01:37 . 2009-06-25 01:49 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Google
2009-06-25 01:35 . 2009-06-25 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-18 10:40 . 2009-06-18 10:40 -------- d-----w- c:\program files\MSXML 4.0
2009-06-17 10:05 . 2009-06-17 10:05 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Nero
2009-06-17 09:56 . 2009-06-17 09:56 -------- d-----w- c:\program files\Nero
2009-06-12 07:21 . 2009-06-12 07:21 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Canneverbe_Limited
2009-06-12 07:21 . 2009-06-12 07:21 -------- d-----w- c:\program files\CDBurnerXP
2009-06-12 07:19 . 2008-08-08 11:08 1238456 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-12 07:19 . 2005-06-01 04:11 877568 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-12 07:19 . 2007-01-04 14:47 376832 ----a-w- c:\windows\system32\cmd22.dll
2009-06-12 07:19 . 2003-10-29 14:43 253952 ----a-w- c:\windows\system32\SkinBoxer43.dll
2009-06-12 07:19 . 2002-04-07 14:14 724992 ----a-w- c:\windows\system32\ebCrypt.dll
2009-06-12 07:01 . 2009-06-12 07:03 -------- d-----w- c:\program files\Monkey's Audio
2009-06-12 07:01 . 2009-03-17 02:38 364544 ----a-w- c:\windows\system32\MACDll.dll
2009-06-12 06:56 . 2009-06-12 06:56 -------- d-----w- c:\program files\Medieval Software
2009-06-12 03:48 . 2009-06-12 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Grid
2009-06-12 03:48 . 2009-06-12 03:48 -------- d-----w- c:\program files\GridService
2009-06-12 03:47 . 2009-06-12 05:07 -------- d-----w- c:\program files\RaySource
2009-06-11 06:31 . 2009-06-23 05:32 -------- d-----w- c:\program files\Burrrn
2009-06-10 06:33 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:33 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 09:11 . 2008-02-19 01:48 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Skype
2009-07-09 09:03 . 2008-02-19 01:49 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\skypePM
2009-07-09 05:49 . 2008-02-28 10:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-09 05:49 . 2008-02-28 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 09:53 . 2008-04-08 03:43 -------- d-----w- c:\program files\BitComet
2009-06-29 03:05 . 2006-06-26 03:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-25 01:39 . 2006-05-30 23:43 -------- d-----w- c:\program files\Google
2009-06-23 03:43 . 2009-01-15 06:37 31048 ----a-w- c:\documents and settings\nleong.RTASIA\Application Data\Tencent\QQ\SafeBase\selfupdate.exe
2009-06-17 10:05 . 2006-09-22 01:56 60672 ----a-w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 09:58 . 2008-07-01 06:19 -------- d-----w- c:\program files\Common Files\Nero
2009-06-17 09:56 . 2008-07-01 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-06-17 08:34 . 2009-02-04 03:54 -------- d-----w- c:\program files\Cheat Engine
2009-06-12 07:15 . 2008-06-24 01:56 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\foobar2000
2009-06-05 05:10 . 2009-06-05 02:25 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\uTorrent
2009-06-05 02:25 . 2009-06-05 02:25 -------- d-----w- c:\program files\uTorrent
2009-05-22 03:56 . 2009-05-22 03:47 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\U3
2009-05-15 04:14 . 2009-05-15 04:11 -------- d-----w- c:\program files\Winamp
2009-05-15 04:14 . 2009-05-15 04:11 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Winamp
2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-03 10:27 . 2008-03-03 10:27 28672 ----a-w- c:\program files\mozilla firefox\components\FlashgetXpi.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"_IMClient_"="c:\program files\Ipswitch\IM Client\IMClient.exe" [2004-08-10 897024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 344064]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-03-02 949376]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-232297113-3485509154-4227086566-1156\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Fuji Xerox\\Network Scan\\FxsUtl12.exe"=
"c:\\WINDOWS\\system32\\fxsslm12.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\nleong.RTASIA\\Desktop\\My Mobile\\MyMobiler\\MyMobiler.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/2/2007 8:19 AM 15424]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [8/4/2004 4:00 PM 98816]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [11/2/2007 7:35 PM 44664]
S2 gupdate1c9f535900e9459;Google Update Service (gupdate1c9f535900e9459);c:\program files\Google\Update\GoogleUpdate.exe [6/25/2009 9:37 AM 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b3db581-4683-11de-90a3-0016173865d4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e90c950a-d08b-11dd-9037-0016173865d4}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
计划任务 文件夹 里的内容

2009-05-12 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]

2009-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-25 01:35]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-25 01:37]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-25 01:37]
.
.
------- 而外的扫描 -------
.
uStart Page = https://intrack.ritetrack.com/home.asp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\nleong.RTASIA\Application Data\Mozilla\Firefox\Profiles\kixqz72a.default\
FF - prefs.js: browser.startup.homepage - hxxp://intrack.ritetrack.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\FlashgetXpi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
.
------- 文件类型 -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 17:12
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(952)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Ipswitch\IM Client\ImIdle.dll
.
完成时间: 2009-07-09 17:15
ComboFix-quarantined-files.txt 2009-07-09 09:15

Pre-Run: 35,854,114,816 bytes free
Post-Run: 36,067,008,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

249 --- E O F --- 2009-06-18 10:40


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:13 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\GridService\peer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipswitch\IM Client\IMClient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [_IMClient_] "C:\Program Files\Ipswitch\IM Client\IMClient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://wcsql1.ritetrack.com/Reports/Reserv...OpType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtasia.rt
O17 - HKLM\Software\..\Telephony: DomainName = rtasia.rt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtasia.rt
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9f535900e9459) (gupdate1c9f535900e9459) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe

--
End of file - 7243 bytes
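
The log above is the raw material the helpers in this thread work from. As an added example (not part of HijackThis or of the original post), here is a small triage script for HijackThis v2 logs: it lists O23 services whose binary sits directly in the system32 directory under a vendor other than Microsoft, records whether that binary is also present in the "Running processes" list, and collects any O2 BHO entry whose file is missing. SAMPLE_LOG is constructed from lines in the log above. The result is a shortlist for a human reviewer, not a verdict: the legitimate ATI and Prolific drivers land on it next to the sopidkc entry, and signatures and vendor strings still have to be checked by hand.

```python
"""Triage helper for HijackThis v2.0 logs.

Added example for this thread; not part of HijackThis or of the original
post. SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\sopidkc.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe
"""

# "O23 - Service: <name> - <vendor> - <drive>:\<path>"; name and vendor are
# matched lazily so the first " - " followed by a drive letter ends the vendor.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
# Files placed directly in system32 (subdirectories such as spool\drivers are
# excluded on purpose: the heuristic is "dropped beside the OS binaries").
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)


def parse_hjt(log: str) -> Tuple[Set[str], List[Dict[str, str]], List[str]]:
    """Return (running process paths, O23 service records, O2 BHOs with no file)."""
    running: Set[str] = set()
    services: List[Dict[str, str]] = []
    missing_bhos: List[str] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.lower())   # case-insensitive path compare
            else:
                in_procs = False            # blank line ends the block
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            missing_bhos.append(line)
    return running, services, missing_bhos


def triage_services(log: str) -> List[Dict[str, object]]:
    """Services whose binary lives directly in system32 under a non-Microsoft
    vendor string (including 'Unknown owner'), with a flag telling whether the
    same binary shows up in the running-process list."""
    running, services, _ = parse_hjt(log)
    findings: List[Dict[str, object]] = []
    for svc in services:
        path = svc["path"]
        if not SYSTEM32_RE.match(path):
            continue
        if svc["vendor"].lower().startswith("microsoft"):
            continue
        findings.append({
            "service": svc["name"],
            "vendor": svc["vendor"],
            "path": path,
            "running": path.lower() in running,
        })
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        state = "running" if f["running"] else "not running"
        print(f"{f['service']!r} by {f['vendor']!r}: {f['path']} [{state}]")
    for bho in parse_hjt(SAMPLE_LOG)[2]:
        print("orphan BHO:", bho)
```

Running it on the constructed sample prints four services for review; the one that should draw the eye is the only entry whose vendor string matches no known software on the machine and whose binary is alive in the process list.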

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 09 July 2009 - 05:05 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
msncache

Driver::
sopidkc
msncache

File::
c:\windows\system32\sopidkc.exe
c:\windows\system32\comsa32.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e90c950a-d08b-11dd-9037-0016173865d4}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 jason86
  • Topic Starter
  • Members
  • 6 posts

Posted 09 July 2009 - 08:13 PM

Here are my logs.

Combofix

ComboFix 09-07-09.06 - fankai 0/2009 Fri 9:02.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1406.908 [GMT 8:00]
执行位置: c:\documents and settings\nleong.RTASIA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nleong.RTASIA\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* 防毒软件还在运行中


FILE ::
"c:\windows\system32\comsa32.sys"
"c:\windows\system32\sopidkc.exe"
.
/wow section - STAGE 完成项目3
& was unexpected at this time.

/wow section 未完成

((((((((((((((((((((((((( 2009-06-10 至 2009-07-10 的新的档案 )))))))))))))))))))))))))))))))
.

2009-07-03 01:43 . 2009-07-03 01:43 -------- d-----w- c:\program files\Trend Micro
2009-07-01 02:43 . 2009-07-01 05:23 -------- d-----w- c:\documents and settings\nleong.RTASIA\.housecall6.6
2009-06-30 03:12 . 2009-06-30 03:12 7 ----a-w- c:\windows\system32\comsa32.sys
2009-06-29 03:23 . 2009-06-29 03:23 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Help
2009-06-29 03:22 . 2009-06-29 03:22 -------- d-----w- c:\program files\4Pockets
2009-06-29 03:14 . 2009-06-29 03:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-25 08:21 . 2009-06-25 08:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-25 01:38 . 2009-06-25 01:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-25 01:37 . 2009-06-25 01:49 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Google
2009-06-25 01:35 . 2009-06-25 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-18 10:40 . 2009-06-18 10:40 -------- d-----w- c:\program files\MSXML 4.0
2009-06-17 10:05 . 2009-06-17 10:05 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Nero
2009-06-17 09:56 . 2009-06-17 09:56 -------- d-----w- c:\program files\Nero
2009-06-12 07:21 . 2009-06-12 07:21 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Canneverbe_Limited
2009-06-12 07:21 . 2009-06-12 07:21 -------- d-----w- c:\program files\CDBurnerXP
2009-06-12 07:19 . 2008-08-08 11:08 1238456 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-12 07:19 . 2005-06-01 04:11 877568 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-12 07:19 . 2007-01-04 14:47 376832 ----a-w- c:\windows\system32\cmd22.dll
2009-06-12 07:19 . 2003-10-29 14:43 253952 ----a-w- c:\windows\system32\SkinBoxer43.dll
2009-06-12 07:19 . 2002-04-07 14:14 724992 ----a-w- c:\windows\system32\ebCrypt.dll
2009-06-12 07:01 . 2009-06-12 07:03 -------- d-----w- c:\program files\Monkey's Audio
2009-06-12 07:01 . 2009-03-17 02:38 364544 ----a-w- c:\windows\system32\MACDll.dll
2009-06-12 06:56 . 2009-06-12 06:56 -------- d-----w- c:\program files\Medieval Software
2009-06-12 03:48 . 2009-06-12 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Grid
2009-06-12 03:48 . 2009-06-12 03:48 -------- d-----w- c:\program files\GridService
2009-06-12 03:47 . 2009-06-12 05:07 -------- d-----w- c:\program files\RaySource
2009-06-11 06:31 . 2009-06-23 05:32 -------- d-----w- c:\program files\Burrrn
2009-06-10 06:33 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 06:33 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 00:57 . 2008-02-19 01:48 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Skype
2009-07-09 09:03 . 2008-02-19 01:49 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\skypePM
2009-07-09 05:49 . 2008-02-28 10:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-09 05:49 . 2008-02-28 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 09:53 . 2008-04-08 03:43 -------- d-----w- c:\program files\BitComet
2009-06-29 03:05 . 2006-06-26 03:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-25 01:39 . 2006-05-30 23:43 -------- d-----w- c:\program files\Google
2009-06-23 03:43 . 2009-01-15 06:37 31048 ----a-w- c:\documents and settings\nleong.RTASIA\Application Data\Tencent\QQ\SafeBase\selfupdate.exe
2009-06-17 10:05 . 2006-09-22 01:56 60672 ----a-w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 09:58 . 2008-07-01 06:19 -------- d-----w- c:\program files\Common Files\Nero
2009-06-17 09:56 . 2008-07-01 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-06-17 08:34 . 2009-02-04 03:54 -------- d-----w- c:\program files\Cheat Engine
2009-06-12 07:15 . 2008-06-24 01:56 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\foobar2000
2009-06-05 05:10 . 2009-06-05 02:25 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\uTorrent
2009-06-05 02:25 . 2009-06-05 02:25 -------- d-----w- c:\program files\uTorrent
2009-05-22 03:56 . 2009-05-22 03:47 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\U3
2009-05-15 04:14 . 2009-05-15 04:11 -------- d-----w- c:\program files\Winamp
2009-05-15 04:14 . 2009-05-15 04:11 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Winamp
2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-03 10:27 . 2008-03-03 10:27 28672 ----a-w- c:\program files\mozilla firefox\components\FlashgetXpi.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_09.12.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 08:00 . 2004-08-04 08:00 98304 c:\windows\system32\sopidkc.exe
+ 2009-07-10 01:06 . 2009-04-30 21:22 1207808 c:\windows\Temp\x1c55499.dll
+ 2009-07-10 00:58 . 2009-04-30 21:22 1207808 c:\windows\Temp\x1c24862.dll
+ 2009-07-09 09:15 . 2009-04-30 21:22 1207808 c:\windows\Temp\x1c16629.dll
+ 2009-07-09 09:17 . 2009-04-30 21:22 1207808 c:\windows\Temp\x1c100176.dll
+ 2009-07-09 09:17 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta70983.dll
+ 2009-07-09 09:35 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta60353.dll
+ 2009-07-10 01:05 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta47661.dll
+ 2009-07-10 00:56 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta29023.dll
+ 2009-07-09 09:15 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta15877.dll
- 2009-06-30 00:53 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta13187.dll
+ 2009-07-09 09:15 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta13187.dll
+ 2009-07-10 00:58 . 2009-04-30 21:22 1207808 c:\windows\Temp\mta118760.dll
+ 2009-07-10 01:05 . 2009-04-30 21:22 1207808 c:\windows\Temp\mpj88429.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"_IMClient_"="c:\program files\Ipswitch\IM Client\IMClient.exe" [2004-08-10 897024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 344064]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-03-02 949376]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-232297113-3485509154-4227086566-1156\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Fuji Xerox\\Network Scan\\FxsUtl12.exe"=
"c:\\WINDOWS\\system32\\fxsslm12.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\nleong.RTASIA\\Desktop\\My Mobile\\MyMobiler\\MyMobiler.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/2/2007 8:19 AM 15424]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [8/4/2004 4:00 PM 98304]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [11/2/2007 7:35 PM 44664]
S2 gupdate1c9f535900e9459;Google Update Service (gupdate1c9f535900e9459);c:\program files\Google\Update\GoogleUpdate.exe [6/25/2009 9:37 AM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MSNCACHE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b3db581-4683-11de-90a3-0016173865d4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
计划任务 文件夹 里的内容

2009-05-12 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]

2009-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-25 01:35]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-25 01:37]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-25 01:37]
.
.
------- 而外的扫描 -------
.
uStart Page = https://intrack.ritetrack.com/home.asp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\nleong.RTASIA\Application Data\Mozilla\Firefox\Profiles\kixqz72a.default\
FF - prefs.js: browser.startup.homepage - hxxp://intrack.ritetrack.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\FlashgetXpi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 09:05
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(952)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\Ipswitch\IM Client\ImIdle.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\eset\nod32krn.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\conime.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
完成时间: 2009-07-10 9:08 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-07-10 01:08
ComboFix2.txt 2009-07-09 09:15

Pre-Run: 37,116,039,168 bytes free
Post-Run: 37,086,011,392 bytes free

273 --- E O F --- 2009-06-18 10:40


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:05 AM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\GridService\peer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipswitch\IM Client\IMClient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wiwow64.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [_IMClient_] "C:\Program Files\Ipswitch\IM Client\IMClient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://wcsql1.ritetrack.com/Reports/Reserv...OpType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtasia.rt
O17 - HKLM\Software\..\Telephony: DomainName = rtasia.rt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtasia.rt
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9f535900e9459) (gupdate1c9f535900e9459) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe

--
End of file - 7322 bytes
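The O23 lines above are where the unwanted service shows up, so a defender's first pass over a HijackThis log is usually mechanical: pull each service's display name, internal name, publisher and binary path apart and look for a binary that sits in system32 but whose publisher is missing or unfamiliar. The parser below is an added example (it is not part of the original post, of HijackThis, or of any tool used in this thread). The sample lines are copied from the log above, and the publisher allowlist is a constructed stand-in for one an analyst would build from the machine's software inventory.

```python
import re
from dataclasses import dataclass

# Constructed sample: O23 lines copied from the HijackThis log above.
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe
"""

# "O23 - Service: <display> [(<internal>)] - <vendor> - <drive>:\<path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<internal>[^()]+)\))? - "
    r"(?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

# Publishers already vetted for this machine. Constructed for the example;
# a real allowlist comes from the software inventory, not from guessing.
VETTED_VENDORS = {
    "ATI Technologies Inc.",
    "Prolific Technology Inc.",
    "HP",
    "Eset",
    "Microsoft Corporation",
}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Service:
    display: str   # name shown in the Services console
    internal: str  # service key name (falls back to display when HJT omits it)
    vendor: str    # publisher from the binary's version resource, or "Unknown owner"
    path: str      # full path of the service binary


def parse_o23(text):
    """Turn every O23 line in a HijackThis log into a Service record."""
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(
                Service(m["display"], m["internal"] or m["display"], m["vendor"], m["path"])
            )
    return services


def is_suspicious(svc):
    """Triage rule: binary in system32 with a missing or unvetted publisher."""
    if svc.vendor == "Unknown owner":
        return True
    return svc.path.lower().startswith(SYSTEM32) and svc.vendor not in VETTED_VENDORS


def flag_services(text):
    """Display names of services that deserve a manual look, in log order."""
    return [s.display for s in parse_o23(text) if is_suspicious(s)]


if __name__ == "__main__":
    for name in flag_services(SAMPLE_O23):
        print("check:", name)
```

Run against the log above it flags ATI Smart and sopidkc Service. ATI Smart is a false positive here: "Unknown owner" only means the binary carries no version information, which is why the output is a triage list rather than a verdict. sopidkc, a system32 binary with a publisher string nobody recognises, is the entry the rest of the thread removes.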

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 09 July 2009 - 11:08 PM

Hello, one quick question.. Did you disable your ESET antivirus before running CFScript? If not, please disable ESET and run the CFScript step again.. Then post the log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 jason86

  • Topic Starter

  • Members
  • 6 posts

Posted 10 July 2009 - 12:59 AM

Hello, one quick question.. Did you disable your ESET antivirus before running CFScript? If not, please disable ESET and run the CFScript step again.. Then post the log here.


Hi,

I am unable to disable it... therefore I ran CFScript with the antivirus program on.. Is there any workaround?

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 01:00 AM

Hello. Sorry I missed your statement

I am unable to disable my NOD32 virus scan due to the IT department locking that function.

Let me do some research and I'll be back with you.



#9 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 01:18 AM

Let's try another route..

IMPORTANT!! Please disable these programs (if present) before proceeding with our fixes.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

1. SpySweeper
2. Spyware Doctor
3. Windows Defender
4. Trojan Hunter
5. WinPatrol
6. Spybot S&D
7. Lavasoft Ad-Aware
8. Zone Alarm
9. AVG8



Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double-click the program to run it. It will only take a few minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! If you can't complete this step, tell me more about it..




NEXT


Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    sopidkc
    msncache
    
    :files
    c:\windows\system32\comsa32.sys
    c:\windows\system32\sopidkc.exe
    C:\WINDOWS\system32\wiwow64.exe
    c:\windows\Temp\x1c55499.dll
    c:\windows\Temp\x1c24862.dll
    c:\windows\Temp\x1c16629.dll
    c:\windows\Temp\x1c100176.dll
    c:\windows\Temp\mta70983.dll
    c:\windows\Temp\mta60353.dll
    c:\windows\Temp\mta47661.dll
    c:\windows\Temp\mta29023.dll
    c:\windows\Temp\mta15877.dll
    c:\windows\Temp\mta13187.dll
    c:\windows\Temp\mta13187.dll
    c:\windows\Temp\mta118760.dll
    c:\windows\Temp\mpj88429.dll
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Run RSIT again... Post these logs in your next reply..

1. OTMoveIt3
2. RSIT log.txt



#10 jason86

  • Topic Starter

  • Members
  • 6 posts

Posted 10 July 2009 - 01:53 AM

Here is my OTM log.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========

Service\Driver sopidkc deleted successfully.
Service\Driver msncache stopped successfully.
Service\Driver msncache deleted successfully.
========== FILES ==========
c:\windows\system32\comsa32.sys moved successfully.
c:\windows\system32\sopidkc.exe moved successfully.
C:\WINDOWS\system32\wiwow64.exe moved successfully.
File/Folder c:\windows\Temp\x1c55499.dll not found.
File/Folder c:\windows\Temp\x1c24862.dll not found.
File/Folder c:\windows\Temp\x1c16629.dll not found.
File/Folder c:\windows\Temp\x1c100176.dll not found.
File/Folder c:\windows\Temp\mta70983.dll not found.
File/Folder c:\windows\Temp\mta60353.dll not found.
File/Folder c:\windows\Temp\mta47661.dll not found.
File/Folder c:\windows\Temp\mta29023.dll not found.
File/Folder c:\windows\Temp\mta15877.dll not found.
c:\windows\Temp\mta13187.dll unregistered successfully.
c:\windows\Temp\mta13187.dll moved successfully.
File/Folder c:\windows\Temp\mta13187.dll not found.
File/Folder c:\windows\Temp\mta118760.dll not found.
File/Folder c:\windows\Temp\mpj88429.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: administrator.RTASIA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 482639 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: nleong

User: nleong.RTASIA
->Temp folder emptied: 37156131 bytes
->Temporary Internet Files folder emptied: 112775821 bytes
->Java cache emptied: 5974429 bytes
->FireFox cache emptied: 72504081 bytes
->Opera cache emptied: 316571 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 22830 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 6084535 bytes
RecycleBin emptied: 151981799 bytes

Total Files Cleaned = 369.39 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07102009_144745

Files moved on Reboot...

Registry entries deleted on Reboot...


Where do I get RSIT?
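Reading an OTM log by eye works for a handful of entries, but the useful question after a run like the one above is simply: for every service and file the script asked for, what actually happened? The script below is an added example that is neither OTM's code nor the helper's. It parses the :services and :files sections of an OTM script and the result lines of the matching log, and reports each requested item as deleted, moved, not found, or never mentioned. The script and log embedded here are an excerpt of the ones in posts #9 and #10, with one constructed file entry (constructed_example.dll) that has no log line at all, to show the unresolved case.

```python
import re

# Excerpt of the OTM script from post #9 (constructed subset; the last
# :files entry is invented so that one item has no matching log line).
OTM_SCRIPT = r"""
:services
sopidkc
msncache

:files
c:\windows\system32\comsa32.sys
c:\windows\system32\sopidkc.exe
C:\WINDOWS\system32\wiwow64.exe
c:\windows\Temp\x1c55499.dll
c:\windows\Temp\mta13187.dll
c:\windows\Temp\mta13187.dll
c:\windows\Temp\mpj88429.dll
c:\windows\Temp\constructed_example.dll

:commands
[emptytemp]
[reboot]
"""

# Matching excerpt of the OTM log from post #10.
OTM_LOG = r"""
========== SERVICES/DRIVERS ==========
Service\Driver sopidkc deleted successfully.
Service\Driver msncache stopped successfully.
Service\Driver msncache deleted successfully.
========== FILES ==========
c:\windows\system32\comsa32.sys moved successfully.
c:\windows\system32\sopidkc.exe moved successfully.
C:\WINDOWS\system32\wiwow64.exe moved successfully.
File/Folder c:\windows\Temp\x1c55499.dll not found.
c:\windows\Temp\mta13187.dll unregistered successfully.
c:\windows\Temp\mta13187.dll moved successfully.
File/Folder c:\windows\Temp\mta13187.dll not found.
File/Folder c:\windows\Temp\mpj88429.dll not found.
"""

SERVICE_RE = re.compile(r"^Service\\Driver (?P<name>\S+) (?P<action>stopped|deleted) successfully\.$")
FILE_OK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<action>moved|unregistered) successfully\.$")
FILE_MISSING_RE = re.compile(r"^File/Folder (?P<path>[A-Za-z]:\\.+) not found\.$")

# When one item produced several log lines, the highest-ranked outcome wins.
RANK = {"no result": 0, "not found": 1, "stopped": 2, "unregistered": 2, "deleted": 3, "moved": 3}


def parse_otm_script(script):
    """Split an OTM script into its ':section' lists (section names lower-cased)."""
    sections, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_otm_log(log):
    """Return {lower-cased item: best outcome seen} from OTM's result lines."""
    seen = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            key, action = m["name"].lower(), m["action"]
        else:
            m = FILE_OK_RE.match(line) or FILE_MISSING_RE.match(line)
            if m is None:
                continue
            key = m["path"].lower()
            action = m.groupdict().get("action") or "not found"
        if RANK[action] > RANK[seen.get(key, "no result")]:
            seen[key] = action
    return seen


def reconcile(script, log):
    """Map every service and file the script asked for to what the log says happened."""
    sections = parse_otm_script(script)
    seen = parse_otm_log(log)
    return {
        item: seen.get(item.lower(), "no result")
        for item in sections.get("services", []) + sections.get("files", [])
    }


def unresolved(script, log):
    """Items the log never reports on; these need a second look after the reboot."""
    return sorted(item for item, status in reconcile(script, log).items() if status == "no result")


if __name__ == "__main__":
    for item, status in reconcile(OTM_SCRIPT, OTM_LOG).items():
        print(f"{status:>12}  {item}")
```

When an item is listed twice in the script, as mta13187.dll is above, OTM reports it once as moved and once as not found; the ranking keeps the stronger outcome so the file is correctly recorded as moved. Anything that ends up as "no result" is worth rechecking once the machine has rebooted, since the "Files moved on Reboot" section of this log is empty.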

#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 01:59 AM

Where do I get RSIT?


OOppsss.. My bad.. Run ComboFix once again (just double-click it) and post the log here.



#12 jason86

  • Topic Starter

  • Members
  • 6 posts

Posted 10 July 2009 - 02:08 AM

ComboFix 09-07-09.06 - fankai 0/2009 Fri 15:03.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1406.548 [GMT 8:00]
执行位置: c:\documents and settings\nleong.RTASIA\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* 防毒软件还在运行中

.
/wow section - STAGE 完成项目3
& was unexpected at this time.

/wow section 未完成

((((((((((((((((((((((((( 2009-06-10 至 2009-07-10 的新的档案 )))))))))))))))))))))))))))))))
.

2009-07-10 06:47 . 2009-07-10 06:47 -------- d-----w- C:\_OTM
2009-07-10 06:43 . 2009-07-10 06:45 -------- d-----w- c:\program files\ERUNT
2009-07-03 01:43 . 2009-07-03 01:43 -------- d-----w- c:\program files\Trend Micro
2009-07-01 02:43 . 2009-07-01 05:23 -------- d-----w- c:\documents and settings\nleong.RTASIA\.housecall6.6
2009-06-29 03:23 . 2009-06-29 03:23 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Help
2009-06-29 03:22 . 2009-06-29 03:22 -------- d-----w- c:\program files\4Pockets
2009-06-29 03:14 . 2009-06-29 03:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-25 08:21 . 2009-06-25 08:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-25 01:38 . 2009-06-25 01:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-25 01:37 . 2009-06-25 01:49 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Google
2009-06-25 01:35 . 2009-06-25 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-18 10:40 . 2009-06-18 10:40 -------- d-----w- c:\program files\MSXML 4.0
2009-06-17 10:05 . 2009-06-17 10:05 -------- d-----w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\Nero
2009-06-17 09:56 . 2009-06-17 09:56 -------- d-----w- c:\program files\Nero
2009-06-12 07:21 . 2009-06-12 07:21 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Canneverbe_Limited
2009-06-12 07:21 . 2009-06-12 07:21 -------- d-----w- c:\program files\CDBurnerXP
2009-06-12 07:19 . 2008-08-08 11:08 1238456 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-06-12 07:19 . 2005-06-01 04:11 877568 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-06-12 07:19 . 2007-01-04 14:47 376832 ----a-w- c:\windows\system32\cmd22.dll
2009-06-12 07:19 . 2003-10-29 14:43 253952 ----a-w- c:\windows\system32\SkinBoxer43.dll
2009-06-12 07:19 . 2002-04-07 14:14 724992 ----a-w- c:\windows\system32\ebCrypt.dll
2009-06-12 07:01 . 2009-06-12 07:03 -------- d-----w- c:\program files\Monkey's Audio
2009-06-12 07:01 . 2009-03-17 02:38 364544 ----a-w- c:\windows\system32\MACDll.dll
2009-06-12 06:56 . 2009-06-12 06:56 -------- d-----w- c:\program files\Medieval Software
2009-06-12 03:48 . 2009-06-12 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Grid
2009-06-12 03:48 . 2009-06-12 03:48 -------- d-----w- c:\program files\GridService
2009-06-12 03:47 . 2009-06-12 05:07 -------- d-----w- c:\program files\RaySource
2009-06-11 06:31 . 2009-06-23 05:32 -------- d-----w- c:\program files\Burrrn

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 06:50 . 2008-02-19 01:48 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Skype
2009-07-10 06:50 . 2008-02-19 01:49 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\skypePM
2009-07-10 04:34 . 2008-04-08 03:43 -------- d-----w- c:\program files\BitComet
2009-07-09 05:49 . 2008-02-28 10:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-09 05:49 . 2008-02-28 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 03:05 . 2006-06-26 03:55 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-25 01:39 . 2006-05-30 23:43 -------- d-----w- c:\program files\Google
2009-06-23 03:43 . 2009-01-15 06:37 31048 ----a-w- c:\documents and settings\nleong.RTASIA\Application Data\Tencent\QQ\SafeBase\selfupdate.exe
2009-06-17 10:05 . 2006-09-22 01:56 60672 ----a-w- c:\documents and settings\nleong.RTASIA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 09:58 . 2008-07-01 06:19 -------- d-----w- c:\program files\Common Files\Nero
2009-06-17 09:56 . 2008-07-01 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-06-17 08:34 . 2009-02-04 03:54 -------- d-----w- c:\program files\Cheat Engine
2009-06-12 07:15 . 2008-06-24 01:56 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\foobar2000
2009-06-05 05:10 . 2009-06-05 02:25 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\uTorrent
2009-06-05 02:25 . 2009-06-05 02:25 -------- d-----w- c:\program files\uTorrent
2009-05-22 03:56 . 2009-05-22 03:47 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\U3
2009-05-15 04:14 . 2009-05-15 04:11 -------- d-----w- c:\program files\Winamp
2009-05-15 04:14 . 2009-05-15 04:11 -------- d-----w- c:\documents and settings\nleong.RTASIA\Application Data\Winamp
2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-03 10:27 . 2008-03-03 10:27 28672 ----a-w- c:\program files\mozilla firefox\components\FlashgetXpi.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_09.12.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 06:49 . 2009-07-10 06:49 126976 c:\windows\ERDNT\AutoBackup\7-10-2009\Users\00000002\UsrClass.dat
+ 2009-07-10 06:49 . 2005-10-20 04:02 163328 c:\windows\ERDNT\AutoBackup\7-10-2009\ERDNT.EXE
+ 2009-07-10 06:45 . 2009-07-10 06:45 126976 c:\windows\ERDNT\7-10-2009\Users\00000002\UsrClass.dat
+ 2009-07-10 06:45 . 2005-10-20 04:02 163328 c:\windows\ERDNT\7-10-2009\ERDNT.EXE
+ 2009-07-10 06:49 . 2009-07-10 06:49 7450624 c:\windows\ERDNT\AutoBackup\7-10-2009\Users\00000001\NTUSER.DAT
+ 2009-07-10 06:45 . 2009-07-10 06:45 7450624 c:\windows\ERDNT\7-10-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"_IMClient_"="c:\program files\Ipswitch\IM Client\IMClient.exe" [2004-08-10 897024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 344064]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-03-02 949376]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]

c:\documents and settings\nleong.RTASIA\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-232297113-3485509154-4227086566-1156\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Fuji Xerox\\Network Scan\\FxsUtl12.exe"=
"c:\\WINDOWS\\system32\\fxsslm12.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\nleong.RTASIA\\Desktop\\My Mobile\\MyMobiler\\MyMobiler.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/2/2007 8:19 AM 15424]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [11/2/2007 7:35 PM 44664]
S2 gupdate1c9f535900e9459;Google Update Service (gupdate1c9f535900e9459);c:\program files\Google\Update\GoogleUpdate.exe [6/25/2009 9:37 AM 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b3db581-4683-11de-90a3-0016173865d4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
计划任务 文件夹 里的内容

2009-05-12 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]

2009-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-25 01:35]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-25 01:37]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-25 01:37]
.
.
------- 而外的扫描 -------
.
uStart Page = https://intrack.ritetrack.com/home.asp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\nleong.RTASIA\Application Data\Mozilla\Firefox\Profiles\kixqz72a.default\
FF - prefs.js: browser.startup.homepage - hxxp://intrack.ritetrack.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\FlashgetXpi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
.
------- 文件类型 -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 15:03
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(948)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(952)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
完成时间: 2009-07-10 15:06
ComboFix-quarantined-files.txt 2009-07-10 07:06
ComboFix2.txt 2009-07-10 01:08
ComboFix3.txt 2009-07-09 09:15

Pre-Run: 36,080,685,056 bytes free
Post-Run: 36,064,604,160 bytes free

246 --- E O F --- 2009-06-18 10:40

#13 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 July 2009 - 02:42 AM

Log looks nice.. Let's do a full scan with your ESET.. Tell me if it detects anything..



#14 fenzodahl512

  • Members
  • 6,738 posts

Posted 20 July 2009 - 04:09 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





