HOW TO REMOVE TENCENT SOSO SEARCH PROVIDER FROM IE8 AND ADD GOOGLE SEARCH



#1 minakochen926

Posted 07 February 2012 - 03:56 AM

Hi Experts,

I need help as per the topic above.

I believe the TENCENT SOSO search provider was downloaded together with the QVOD PLAYER (a P2P player from China) even though I had unchecked it. The TENCENT SOSO search provider was set as the default search in my IE8 no matter how many times I tried to remove it.

My laptop system information:

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name ELLE
System Manufacturer Dell Computer Corporation
System Model Inspiron 600m
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 6 GenuineIntel ~1495 Mhz
BIOS Version/Date Dell Computer Corporation A17, 6/29/2005
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale People's Republic of China
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name ELLE\elle kuek
Time Zone Malay Peninsula Standard Time
Total Physical Memory 512.00 MB
Available Physical Memory 179.62 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.22 GB
Page File C:\pagefile.sys



******************************************************************
I have tried to disable CD emulation as per BOOPME's advice.

I downloaded DeFogger to my desktop, double-clicked to run the application, then clicked the Disable button to disable the CD emulation drivers. It then prompted me whether or not to continue, and I clicked the Yes button to continue. Then I saw a Finished! message, so I clicked the OK button to exit the program. After I clicked OK, the program did not exit and DeFogger did not ask me to reboot the laptop, so I just clicked the X button to exit the program. Then I rebooted the laptop.

After the reboot, I could see a Notepad window on the desktop with the file name defogger_disable. Refer to the attachment.

Continuing with DDS:
I downloaded DDS to my desktop and double-clicked to run the application. A small black DDS window popped up and displayed all the sentences shown in the figure below except the last sentence: "We only require it to run just once. Dispose after use."


Then the avast antivirus on my laptop prompted me whether or not to run the application in the avast virtual environment sandbox:

open in avast sandbox
open normally

I chose to open normally and clicked the OK button. The black window started to display # one by one. After a few minutes it showed ############################### in the black window and my laptop just hung there, even though the CPU usage was 1%.

I waited for an hour but the laptop still hung, so I rebooted the laptop. After that, I went on to create a GMER log. Refer to the attached ark file.


******************************************************************
I have also tried the following:

Go to IE8 -> Tools -> Internet Options -> General -> Change search default -> Settings -> Remove. But when I open a new IE window, it is still there. Then I went to IE8 -> Tools -> Internet Options -> Advanced -> Reset Internet Explorer settings -> Reset. After the reset, I rebooted my laptop and opened a new IE window, and the TENCENT SOSO was still there.

*******************************************************************

I have also scanned with MBAM & SUPERAntiSpyware in safe mode; the log files are as follows:


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.01.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
elle kuek :: ELLE [administrator]

2/1/2012 3:48:20 PM
mbam-log-2012-02-01 (15-48-20).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 189324
Time elapsed: 40 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



***************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/01/2012 at 06:32 PM

Application Version : 5.0.1142

Core Rules Database Version : 8187
Trace Rules Database Version: 5999

Scan type : Complete Scan
Total Scan Time : 00:44:18

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 449
Memory threats detected : 0
Registry items scanned : 24014
Registry threats detected : 0
File items scanned : 24422
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\elle kuek\Cookies\3ZDFNVUR.txt [ /ad.yieldmanager.com ]

Adware.Qvod
C:\PROGRAM FILES\QVODPLAYER\QVODNET.DLL
C:\PROGRAM FILES\QVODPLAYER\CODECS\QVODPOSTVIDEO.AX
C:\PROGRAM FILES\QVODPLAYER\CODECS\QVODSOURCE.DLL
C:\PROGRAM FILES\QVODPLAYER\NETAGENT.DLL
C:\PROGRAM FILES\QVODPLAYER\QVODDAILY.EXE
C:\PROGRAM FILES\QVODPLAYER\QVODPLAYMEDIA.DLL
C:\PROGRAM FILES\QVODPLAYER\QVODUNINST.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082352.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082353.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082354.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082355.EXE
C:\WINDOWS\Prefetch\QVODDAILY.EXE-29BC7E78.pf


I have quarantined & removed all the infected files that were found by SUPERAntiSpyware. But when I open a new IE window, the TENCENT SOSO is still there. After removing the quarantined files, my QVOD PLAYER was missing, so I reinstalled it.
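The search providers that IE8's "Change search default" dialog edits are stored as SearchScopes registry keys, and a provider that survives the dialog's Remove button and an IE reset is normally being rewritten from one of those keys (or from the Policies copy) by something that runs at startup. The script below is an added example, not code from the thread or from any tool mentioned in it; the four registry paths are the standard IE SearchScopes locations, while the expected-host allowlist is a constructed assumption to adjust for your own machine.

```powershell
# Added example: list every Internet Explorer search provider (SearchScope)
# registered for the current user, the machine, and via policy, report which
# one is the default, and flag providers whose host is not on an allowlist.
$scopeRoots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\SearchScopes'
)

# Constructed allowlist (assumption): hosts the owner expects to see.
$expectedHosts = @('www.google.com', 'www.bing.com')

function Get-IESearchScopes {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # DefaultScope holds the GUID of the provider IE uses for the address bar.
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath
            $url = [string]$p.URL
            $uriHost = ''
            if ($url) {
                try { $uriHost = ([System.Uri]$url).Host } catch { $uriHost = '(unparseable)' }
            }
            # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0 (XP era).
            New-Object PSObject -Property @{
                Hive        = $root
                ScopeId     = $key.PSChildName
                DisplayName = [string]$p.DisplayName
                Host        = $uriHost
                URL         = $url
                IsDefault   = ($key.PSChildName -eq $default)
                Unexpected  = ($uriHost -ne '' -and $expectedHosts -notcontains $uriHost)
            }
        }
    }
}

$scopes = Get-IESearchScopes -Roots $scopeRoots
$scopes | Sort-Object Hive, IsDefault -Descending |
    Format-Table Hive, DisplayName, Host, IsDefault, Unexpected -AutoSize

# A flagged default provider, or any provider under a Policies key the user
# never configured, identifies the location that needs cleaning; the IE dialog
# only edits the HKCU key, so a writer elsewhere will keep restoring it.
$bad = $scopes | Where-Object { $_.IsDefault -and $_.Unexpected }
if ($bad) {
    Write-Warning "Unexpected default search provider(s) found:`n$($bad | Out-String)"
}
```

Run it before and after a reboot: a provider that reappears only after restart narrows the search to the Run keys and scheduled tasks that OTL lists in its O4 and Files sections.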

#2 sempai

  • Malware Response Team

Posted 07 February 2012 - 07:52 AM

Hello minakochen926 and welcome to BC.


We need to see some more logs in order to find the culprit of your problem.


Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

  • Malware Response Team

Posted 11 February 2012 - 09:51 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

~Semp



#4 sempai

  • Malware Response Team

Posted 23 February 2012 - 08:55 PM

This topic has been re-opened at the request of the person who originally posted.

~Semp



#5 minakochen926

  • Topic Starter

Posted 27 February 2012 - 12:09 AM

OTL Report

OTL logfile created on: 2/24/2012 12:05:06 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\elle kuek\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.23 Mb Total Physical Memory | 127.82 Mb Available Physical Memory | 25.00% Memory free
1.22 Gb Paging File | 0.81 Gb Available in Paging File | 66.60% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 39.54 Gb Free Space | 70.81% Space Free | Partition Type: NTFS

Computer Name: ELLE | User Name: elle kuek | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/24 00:03:57 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elle kuek\Desktop\OTL.exe
PRC - [2012/02/15 21:43:50 | 000,227,216 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- C:\Program Files\QvodPlayer\QvodDown.exe
PRC - [2012/01/12 20:48:06 | 001,034,128 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- C:\Program Files\QvodPlayer\QvodTerminal.exe
PRC - [2011/12/29 22:29:04 | 000,497,496 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
PRC - [2011/12/05 23:11:00 | 003,539,040 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\Setup\avast.setup
PRC - [2011/11/29 02:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/11/29 02:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/08/12 07:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 08:12:15 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\conime.exe
PRC - [2004/02/02 15:32:16 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/01/12 06:53:30 | 000,360,448 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\ZCfgSvc.exe
PRC - [2004/01/09 10:12:08 | 000,184,320 | ---- | M] (Intel) -- C:\WINDOWS\system32\1XConfig.exe
PRC - [2004/01/09 10:11:36 | 000,303,171 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe
PRC - [2004/01/09 10:10:00 | 000,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe
PRC - [2003/02/26 11:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/15 17:34:42 | 001,698,304 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\12021500\algo.dll
MOD - [2011/12/05 23:10:22 | 000,213,552 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\Setup\setiface.dll
MOD - [2011/04/21 16:54:40 | 000,347,024 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\madexcept_.bpl
MOD - [2011/04/21 16:54:40 | 000,179,088 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\madbasic_.bpl
MOD - [2011/04/21 16:54:40 | 000,046,480 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\maddisAsm_.bpl
MOD - [2004/01/09 10:10:48 | 000,212,992 | ---- | M] () -- C:\WINDOWS\system32\C1XStngs.dll
MOD - [2003/09/10 02:17:24 | 000,651,264 | ---- | M] () -- C:\WINDOWS\system32\libeay32.dll
MOD - [2003/09/10 02:17:24 | 000,147,456 | ---- | M] () -- C:\WINDOWS\system32\ssleay32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/12/29 22:29:04 | 000,497,496 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2011/11/29 02:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/08/12 07:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2004/01/09 10:11:36 | 000,303,171 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/01/09 10:10:00 | 000,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\RegSrvc.exe -- (RegSrvc)
SRV - [2003/04/29 14:29:54 | 000,139,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/11/29 01:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/29 01:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/29 01:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/29 01:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/29 01:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/29 01:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/29 01:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/07/23 00:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/13 05:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/08/01 13:39:17 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2010/07/30 23:18:11 | 000,220,176 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2008/08/26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2004/02/13 10:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2004/01/13 02:41:46 | 002,482,176 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) Intel®
DRV - [2004/01/09 09:49:52 | 000,010,970 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2003/12/11 12:53:22 | 000,091,395 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ozscr.sys -- (O2SCBUS)
DRV - [2003/08/29 05:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/08/21 19:25:52 | 000,094,600 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/07/17 04:27:31 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2003/05/21 18:47:12 | 000,175,360 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/01/03 17:41:00 | 000,540,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2002/11/22 20:01:26 | 000,020,096 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2002/11/18 18:20:44 | 000,030,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gv3.sys -- (gv3)
DRV - [2002/05/13 18:59:20 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [2001/08/17 20:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.my/
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://malaysia.msn.com/?rd=1&ucc=MY&dcc=MY&opt=0
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 7B 2E 89 EA E0 CC 01 [binary data]
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "鐧惧害"
FF - prefs.js..browser.search.selectedEngine: "鐧惧害"
FF - prefs.js..extensions.enabledItems: googledictionary@toptip.ca:2.2
FF - prefs.js..keyword.URL: "http://www.baidu.com/baidu?tn=dealio_dg&wd="

FF - user.js..extensions.enabledItems: googledictionary@toptip.ca:2.2
FF - user.js..browser.search.defaultenginename: "鐧惧害"
FF - user.js..browser.search.selectedEngine: "鐧惧害"
FF - user.js..keyword.URL: "http://www.baidu.com/baidu?tn=dealio_dg&wd="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qvod.com/QvodInsert: C:\Program Files\QvodPlayer\npQvodInsert.dll (Shenzhen QVOD Technology Co.,Ltd)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\crossriderapp498@crossrider.com: C:\Documents and Settings\elle kuek\Local Settings\Application Data\RewardsArcade\498\Firefox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/28 18:42:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2010/08/05 14:10:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\elle kuek\Application Data\Mozilla\Extensions
[2012/01/27 15:40:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\elle kuek\Application Data\Mozilla\Firefox\Profiles\24gsamou.default\extensions
[2010/11/15 20:16:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\elle kuek\Application Data\Mozilla\Firefox\Profiles\24gsamou.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/23 23:23:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\ELLE KUEK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\24GSAMOU.DEFAULT\EXTENSIONS\GOOGLEDICTIONARY@TOPTIP.CA.XPI
[2011/11/28 18:42:50 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/26 16:48:52 | 000,003,958 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\baidu.xml
[2011/11/12 18:47:29 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/28 18:42:50 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2003/07/17 04:29:34 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (QvodExtend) - {A8502600-B272-4F68-A67B-A0305D46D297} - C:\Program Files\QvodPlayer\QvodExtend.dll (Shenzhen QVOD Technology Co.,Ltd)
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [QvodTerminal] C:\Program Files\QvodPlayer\QvodTerminal.exe (Shenzhen QVOD Technology Co.,Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Key error. File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279731939800 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6639E225-561C-4DF5-A203-1FDC7D0C64F0}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\Sebring: DllName - (C:\WINDOWS\System32\LgNotify.dll) - C:\WINDOWS\system32\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\elle kuek\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\elle kuek\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/22 00:25:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/24 00:03:46 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\elle kuek\Desktop\OTL.exe
[2012/02/24 00:00:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/02/07 23:24:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\elle kuek\Recent
[2012/02/07 11:48:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/02/07 11:48:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2012/02/07 11:48:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Favorites
[2012/02/07 11:47:05 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\elle kuek\Desktop\dds.scr
[2012/02/01 23:07:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\快播软件
[2012/02/01 23:04:57 | 000,000,000 | ---D | C] -- C:\Program Files\TENCENT
[2012/02/01 17:06:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elle kuek\Application Data\SUPERAntiSpyware.com
[2012/02/01 17:05:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2012/02/01 17:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/02/01 17:05:41 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/01/27 13:31:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elle kuek\Application Data\Leadertech
[2012/01/27 13:28:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\elle kuek\My Documents\My Pictures
[2012/01/27 00:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elle kuek\Desktop\YEN SIM
[2012/01/27 00:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elle kuek\Desktop\YEN CHIN
[2012/01/26 00:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elle kuek\Application Data\IObit
[2012/01/25 22:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/01/25 13:59:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elle kuek\Application Data\Malwarebytes
[2012/01/25 13:59:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/25 13:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/25 13:59:42 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/25 13:59:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/24 00:03:57 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elle kuek\Desktop\OTL.exe
[2012/02/24 00:02:58 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5EE719F2-BBAD-4ABC-99C6-2E22E0D49180}.job
[2012/02/24 00:01:00 | 000,000,242 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2012/02/23 23:58:09 | 000,000,102 | -H-- | M] () -- C:\Documents and Settings\elle kuek\update.jpg
[2012/02/23 23:58:07 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag_Startup.job
[2012/02/23 23:57:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/23 23:57:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/07 15:00:43 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\elle kuek\Desktop\pmu16l2t.exe
[2012/02/07 13:17:17 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\elle kuek\Desktop\Defogger.exe
[2012/02/07 11:47:08 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\elle kuek\Desktop\dds.scr
[2012/02/07 11:19:36 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\elle kuek\defogger_reenable
[2012/02/01 23:07:50 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\elle kuek\Application Data\Microsoft\Internet Explorer\Quick Launch\快播.lnk
[2012/02/01 23:07:50 | 000,001,586 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\快播.lnk
[2012/02/01 17:05:51 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/02/01 15:46:26 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/01 14:52:07 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\elle kuek\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/27 15:30:59 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\elle kuek\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/01/25 16:26:56 | 000,153,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/25 13:18:24 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/07 15:00:34 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\elle kuek\Desktop\pmu16l2t.exe
[2012/02/07 13:17:13 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\elle kuek\Desktop\Defogger.exe
[2012/02/07 11:19:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\elle kuek\defogger_reenable
[2012/02/01 23:07:50 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\elle kuek\Application Data\Microsoft\Internet Explorer\Quick Launch\快播.lnk
[2012/02/01 23:07:49 | 000,001,586 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\快播.lnk
[2012/02/01 17:05:51 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/01/25 16:11:49 | 000,000,430 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5EE719F2-BBAD-4ABC-99C6-2E22E0D49180}.job
[2012/01/25 13:59:47 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/11/23 21:40:52 | 000,020,312 | ---- | C] () -- C:\WINDOWS\System32\RegistryDefragBootTime.exe
[2010/08/20 15:17:38 | 000,153,952 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/05 20:18:35 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/08/05 14:09:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/08/01 13:39:12 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
[2010/08/01 13:39:12 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2010/07/30 23:00:10 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/07/30 22:42:57 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/07/30 18:07:32 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2010/07/26 23:00:41 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\elle kuek\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/25 16:13:03 | 000,004,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2010/07/22 08:14:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/22 08:13:05 | 000,153,976 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/22 00:53:31 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe
[2010/07/22 00:53:31 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe
[2010/07/22 00:45:21 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/07/22 00:43:07 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2010/07/22 00:31:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/22 00:22:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

< End of report >




*****************************************************************

Extras report

OTL Extras logfile created on: 2/24/2012 12:05:06 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\elle kuek\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.23 Mb Total Physical Memory | 127.82 Mb Available Physical Memory | 25.00% Memory free
1.22 Gb Paging File | 0.81 Gb Available in Paging File | 66.60% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 39.54 Gb Free Space | 70.81% Space Free | Partition Type: NTFS

Computer Name: ELLE | User Name: elle kuek | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-299502267-1078145449-1343024091-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\elle kuek\Local Settings\Temporary Internet Files\Content.IE5\XU2ACOR5\QvodSetup5[1].exe" = C:\Documents and Settings\elle kuek\Local Settings\Temporary Internet Files\Content.IE5\XU2ACOR5\QvodSetup5[1].exe:*:Enabled:QVOD
"C:\Program Files\QvodPlayer\QvodTerminal.exe" = C:\Program Files\QvodPlayer\QvodTerminal.exe:*:Enabled:QvodTerminal -- (Shenzhen QVOD Technology Co.,Ltd)
"C:\Documents and Settings\elle kuek\Local Settings\Temporary Internet Files\Content.IE5\V23PCSKE\QvodSetup5[1].exe" = C:\Documents and Settings\elle kuek\Local Settings\Temporary Internet Files\Content.IE5\V23PCSKE\QvodSetup5[1].exe:*:Enabled:QVOD


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{2C351DB8-E088-41A2-9BF0-113727FBB697}" = Intel® PROSet
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7959721D-8268-4565-9E0E-C41A9F4848A9}" = SigmaTel AC97 Audio Drivers
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb" = Microsoft Automated Troubleshooting Services Shim
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E1547FCE-F5DD-4D77-8C71-13B6A2B8F527}" = O2Micro Smartcard Driver
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced SystemCare 5_is1" = Advanced SystemCare 5
"ATI Display Driver" = ATI Display Driver
"avast" = avast! Free Antivirus
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Utility
"CCleaner" = CCleaner
"Foxit Reader" = Foxit Reader
"GooglePinyin2" = 谷歌拼音输入法 2.3
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"InstallShield_{E1547FCE-F5DD-4D77-8C71-13B6A2B8F527}" = O2Micro Smartcard Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"PowerShell" = Windows PowerShell™ 1.0
"QvodPlayer" = 快播 5.1.86
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 2/7/2012 7:35:03 AM | Computer Name = ELLE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2/7/2012 7:35:06 AM | Computer Name = ELLE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/7/2012 7:35:16 AM | Computer Name = ELLE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/7/2012 7:35:53 AM | Computer Name = ELLE | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 2/7/2012 7:35:53 AM | Computer Name = ELLE | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 2/7/2012 7:35:53 AM | Computer Name = ELLE | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 2/7/2012 7:35:53 AM | Computer Name = ELLE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswRdr aswSnx aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss
SASDIFSV
SASKUTIL
Tcpip

Error - 2/7/2012 8:05:48 AM | Computer Name = ELLE | Source = PSched | ID = 14103
Description = QoS [Adapter {6639E225-561C-4DF5-A203-1FDC7D0C64F0}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 2/9/2012 8:10:00 AM | Computer Name = ELLE | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.102 for the Network Card with network
address 000CF1457894 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2/13/2012 10:32:45 AM | Computer Name = ELLE | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.103 for the Network Card with network
address 000CF1457894 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

Edited by minakochen926, 27 February 2012 - 12:24 AM.


#6 minakochen926

  • Topic Starter
  • Members

Posted 27 February 2012 - 12:23 AM

After running OTL, I forced a run of both MBAM & SuperAntiSpyware. Also, CPU usage became 100% right after I opened IE8.

Below are the reports from both applications. Both detected TROJAN agents. I have removed all TROJAN agents in MBAM & SuperAntiSpyware. SuperAntiSpyware also detected QVOD-related files & registry entries, but I did not remove them. For your info, QVOD is a P2P-like application which I use to download movies and dramas.


*****************************************************************************

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.25.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
elle kuek :: ELLE [administrator]

2/25/2012 10:12:22 PM
mbam-log-2012-02-25 (22-12-22).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 213520
Time elapsed: 1 hour(s), 1 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKCR\CLSID\{669751ED-D558-49AE-B01A-3B374CC7910E} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCR\CLSID\{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCR\CLSID\{7CC65B2E-60A7-D6D5-48EF-F39865441834} (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7CC65B2E-60A7-D6D5-48EF-F39865441834} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7CC65B2E-60A7-D6D5-48EF-F39865441834} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7CC65B2E-60A7-D6D5-48EF-F39865441834} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCR\CLSID\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCR\CLSID\{9F44453E-1E46-4D5C-B57C-112FF2EDAE82} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\TBH (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{669751ED-D558-49AE-B01A-3B374CC7910E} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{7CC65B2E-60A7-D6D5-48EF-F39865441834} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A57E074F-56D8-4A33-8112-AAC9693AA909} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{669751ED-D558-49AE-B01A-3B374CC7910E} (Trojan.Agent) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\system32\SSup.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\TENCENT\SSPlus\SAddr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\QvodPlayer\QvodBand.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

(end)




********************************************************************

SuperAntiSpyware report


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/25/2012 at 09:43 PM

Application Version : 5.0.1144

Core Rules Database Version : 8187
Trace Rules Database Version: 5999

Scan type : Complete Scan
Total Scan Time : 00:40:37

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 467
Memory threats detected : 1
Registry items scanned : 21380
Registry threats detected : 53
File items scanned : 25336
File threats detected : 37

Adware.Qvod
C:\PROGRAM FILES\QVODPLAYER\QVODPLAYER.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\QvodPlayer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\QvodPlayer.exe#Path
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\快播.LNK
C:\DOCUMENTS AND SETTINGS\ELLE KUEK\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\快播.LNK
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8502600-B272-4F68-A67B-A0305D46D297}
HKCR\CLSID\{A8502600-B272-4F68-A67B-A0305D46D297}
HKCR\CLSID\{A8502600-B272-4F68-A67B-A0305D46D297}
HKCR\CLSID\{A8502600-B272-4F68-A67B-A0305D46D297}\InprocServer32
HKCR\CLSID\{A8502600-B272-4F68-A67B-A0305D46D297}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\QVODPLAYER\QVODEXTEND.DLL
HKU\S-1-5-21-299502267-1078145449-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}#AppID
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Control
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Implemented Categories
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32#ThreadingModel
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\MiscStatus
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\MiscStatus\1
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ProgID
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Programmable
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ToolboxBitmap32
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\TypeLib
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Version
HKCR\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\VersionIndependentProgID
HKCR\QvodInsert.QvodCtrl.1
HKCR\QvodInsert.QvodCtrl.1\CLSID
HKCR\QvodInsert.QvodCtrl
HKCR\QvodInsert.QvodCtrl\CLSID
HKCR\QvodInsert.QvodCtrl\CurVer
HKCR\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}
HKCR\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0
HKCR\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\0
HKCR\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\0\win32
HKCR\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\FLAGS
HKCR\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\HELPDIR
C:\PROGRAM FILES\QVODPLAYER\NPQVODINSERT.DLL
HKU\S-1-5-21-299502267-1078145449-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8502600-B272-4F68-A67B-A0305D46D297}
C:\PROGRAM FILES\QVODPLAYER\CODECS\QVODPOSTVIDEO.AX
C:\PROGRAM FILES\QVODPLAYER\CODECS\QVODSOURCE.DLL
C:\PROGRAM FILES\QVODPLAYER\NETAGENT.DLL
C:\PROGRAM FILES\QVODPLAYER\QVODBAND.DLL
C:\PROGRAM FILES\QVODPLAYER\QVODDAILY.EXE
C:\PROGRAM FILES\QVODPLAYER\QVODDOWN.EXE
C:\PROGRAM FILES\QVODPLAYER\QVODNET.DLL
C:\PROGRAM FILES\QVODPLAYER\QVODPLAYMEDIA.DLL
C:\PROGRAM FILES\QVODPLAYER\QVODTERMINAL.EXE
C:\PROGRAM FILES\QVODPLAYER\QVODUNINST.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082356.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082432.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082433.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP440\A0082434.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090204.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090206.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090207.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090208.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090209.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090212.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090213.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090214.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090215.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090216.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP448\A0090220.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP449\A0090255.AX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP449\A0090257.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP449\A0090380.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP449\A0090381.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP449\A0090382.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D11F8FDA-C310-47A6-86AF-833F738E324C}\RP449\A0090383.LNK
HKCR\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}
HKCR\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ProxyStubClsid
HKCR\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ProxyStubClsid32
HKCR\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\TypeLib
HKCR\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\TypeLib#Version
HKCR\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}
HKCR\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ProxyStubClsid
HKCR\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ProxyStubClsid32
HKCR\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\TypeLib
HKCR\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\TypeLib#Version

Adware.Tencent
HKLM\System\ControlSet001\Services\SOSOUPSVC
C:\PROGRAM FILES\TENCENT\SOSOUPDATE.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_SOSOUPSVC
HKLM\System\ControlSet005\Services\SOSOUPSVC
HKLM\System\ControlSet005\Enum\Root\LEGACY_SOSOUPSVC
HKLM\System\CurrentControlSet\Services\SOSOUPSVC
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SOSOUPSVC
C:\PROGRAM FILES\TENCENT\SOSOUPDATE.EXE

#7 sempai

  • Malware Response Team

Posted 27 February 2012 - 09:33 AM

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 minakochen926

minakochen926
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 29 February 2012 - 10:26 AM

Hi Sempai, sorry I am very busy at work these few days... unable to download and run ComboFix at the moment...
I will be doing it on Saturday (3 March 2012). tq

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:58 PM

Posted 29 February 2012 - 10:59 AM

OK, thank you for letting me know.

~Semp



#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:58 PM

Posted 04 March 2012 - 08:48 PM

Hi,

Are you still with me?

~Semp



#11 minakochen926

minakochen926
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 04 March 2012 - 09:24 PM

Sorry Sempai, I am still with you. I will download ComboFix and do the necessary now.
I was working last weekend for both Sat and Sunday. Luckily I have a day off today.

#12 minakochen926

minakochen926
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 04 March 2012 - 11:33 PM

Hi Sempai, I left my laptop alone while ComboFix was running... but something seems wrong...

After I double-clicked ComboFix, the prompt showed Mandarin words rather than English. Luckily I can read Chinese, so I just followed the instructions to download the Microsoft Windows Recovery Console and clicked "agree" on the end user license agreement, then clicked "yes" to continue scanning for malware.

After that, I left my laptop alone as per your instruction. I checked on my laptop after half an hour. The laptop screen had gone black, so I moved the mouse a few times just to see the screen (I did not click). But it did not show the screen.

I was worried so I clicked the mouse a few times but the screen remained black. I also clicked the restart button but the screen remained black.

I don't know what to do but just leave it alone now. Hopefully I did not make it stall.

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:58 PM

Posted 05 March 2012 - 10:06 AM

Hi,

Please do a hard reset, Combofix may or may not continue working after the reboot. Please let it run uninterrupted if it does.

~Semp



#14 minakochen926

minakochen926
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 05 March 2012 - 11:04 AM

Hi Sempai.

After I did the hard reboot, the laptop showed a black screen with 3 selections, i.e. Windows Recovery Console mode, Windows Safe Mode & Windows normal mode. But before I could read all the words & choose, Windows started normally.

After Windows started, I disabled Avast on the laptop & reran ComboFix. ComboFix continued with the malware scanning. I left the laptop alone to see what was going on. After 20-30 minutes, the laptop screen went black again even though I did not touch anything.

Should I do the hard reset again?

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:58 PM

Posted 05 March 2012 - 11:08 AM

Is the laptop currently set to power saving mode? Are you using another PC to post in this thread?

~Semp

