Always Goes To China Website


17 replies to this topic

#1 zhijie

Posted 09 October 2006 - 11:36 AM

Hi,

My computer is infested with loads of Chinese viruses. Don't know how to clear it. Tried clearing the Internet Explorer cache and temp folders, and booting in safe mode to clear, but it still has lots of Chinese links.
As you can see from the log, there are lots of connections to other ports, which I can't delete using HijackThis.

Hope there's a way to clear this thing.

Here's my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:27:38 AM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\NUS-VPN\cvpnd.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\Alias\Maya6.5\docs\wrapper.exe
E:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
D:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\tppaldr.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rowan Atkinson\Desktop\HijackThis.exe

O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 hao123.com
O1 - Hosts: 219.139.58.97 www.7b.com.cn
O1 - Hosts: 219.139.58.97 7b.com.cn
O1 - Hosts: 219.139.58.97 www.7939.com
O1 - Hosts: 219.139.58.97 www.maohehe.com
O1 - Hosts: 219.139.58.97 www.sina-baidu.com
O1 - Hosts: 219.139.58.97 sina-baidu.com
O1 - Hosts: 219.139.58.97 www.maipao.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 down.virussky.com
O1 - Hosts: 219.139.58.97 www.ycdy.com
O1 - Hosts: 219.139.58.97 ycdy.com
O1 - Hosts: 219.139.58.97 www.2tu.cn
O1 - Hosts: 219.139.58.97 2tu.cn
O1 - Hosts: 219.139.58.97 www.91tu.cn
O1 - Hosts: 219.139.58.97 91tu.cn
O1 - Hosts: 219.139.58.97 www.haotop.com
O1 - Hosts: 219.139.58.97 news01.virussky.com
O1 - Hosts: 219.139.58.97 news02.virussky.com
O1 - Hosts: 219.139.58.97 news03.virussky.com
O1 - Hosts: 219.139.58.97 news04.virussky.com
O1 - Hosts: 219.139.58.97 news40.virussky.com
O1 - Hosts: 219.139.58.97 news41.virussky.com
O1 - Hosts: 219.139.58.97 news42.virussky.com
O1 - Hosts: 219.139.58.97 www.an85.com
O1 - Hosts: 219.139.58.97 an85.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 219.139.58.97 bbs.360safe.com
O1 - Hosts: 219.139.58.97 www.gao58.com
O1 - Hosts: 219.139.58.97 count18.51yes.com
O1 - Hosts: 219.139.58.97 www.ok538.com
O1 - Hosts: 219.139.58.97 www.3000sss.com
O1 - Hosts: 219.139.58.97 3000sss.com
O1 - Hosts: 219.139.58.97 www.qq658.com
O1 - Hosts: 219.139.58.97 www.53679.com
O1 - Hosts: 219.139.58.97 www.17587.net
O1 - Hosts: 219.139.58.97 www.17587.com
O1 - Hosts: 219.139.58.97 www.an188.com
O1 - Hosts: 219.139.58.97 cwzwxm.3322.org
O1 - Hosts: 219.139.58.97 www.onediy.net
O1 - Hosts: 219.139.58.97 sohu.fswan.com
O1 - Hosts: 219.139.58.97 www.hewdq.com
O1 - Hosts: 219.139.58.97 go.ipcenter.cn
O1 - Hosts: 219.139.58.97 www.32666.com
O1 - Hosts: 219.139.58.97 show.googleadsenseagent.com
O1 - Hosts: 219.139.58.97 www.2yin.cn
O1 - Hosts: 219.139.58.97 2yin.cn
O1 - Hosts: 219.139.58.97 www.84442.com
O1 - Hosts: 219.139.58.97 www.898333.com
O1 - Hosts: 219.139.58.97 hewdq.com
O1 - Hosts: 219.139.58.97 84442.com
O1 - Hosts: 219.139.58.97 wwww.systeel.com.cn
O1 - Hosts: 219.139.58.97 go.baibaoxiang.cn
O1 - Hosts: 219.139.58.97 www.btbaicai.com
O1 - Hosts: 219.139.58.97 btbaicai.com
O1 - Hosts: 219.139.58.97 www.2t2t.cn
O1 - Hosts: 219.139.58.97 2t2t.cn
O1 - Hosts: 219.139.58.97 3.a.kal.cn
O1 - Hosts: 219.139.58.97 www.222978.com
O1 - Hosts: 219.139.58.97 www.5yaowan.com
O1 - Hosts: 219.139.58.97 show.roogoo.com
O1 - Hosts: 219.139.58.97 ip.alexaanywhere.com
O1 - Hosts: 219.139.58.97 www.znmq.com
O1 - Hosts: 219.139.58.97 www.pctutu.com
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [R] C:\WINDOWS\system32\rundll32.exe msprt.dll s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\NUS-VPN\vpngui.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Decompiler - d:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137948483000
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B10E9E2-E051-470C-B276-A9E05999E333}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: DVDBurn - {790448C3-4239-45AF-C98B-367991A8B103} - C:\WINDOWS\Downloaded Program Files\AfxEdit.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\NUS-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - E:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - D:/Program Files/mysql/bin/mysqld-nt.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - d:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)





Thanks
Zhijie


#2 Falu (Security Colleague)

Posted 09 October 2006 - 11:52 AM

Hi zhijie, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 Falu (Security Colleague)

Posted 11 October 2006 - 06:47 AM

Hi zhijie, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKLM\..\Run: [R] C:\WINDOWS\system32\rundll32.exe msprt.dll s

Close all browsers and windows except HijackThis, click the Fix Checked button, and then close HijackThis.

2. Download the Hoster from here! and unzip it to your desktop.
Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click Back up Host files
  • then click Restore original host files
  • Close the Hoster.
3. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

4. You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 5.0 Update 9). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel, double-click the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have this icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 5.0 Update 9
5. Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report along with a fresh HijackThis log for review.
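The two things Falu singles out in steps 1 and 2, the block of O1 hosts-file entries and the [R] Run value that starts rundll32 with a bare msprt.dll, can be pulled out of a log in this format mechanically. The script below is an added example, not code from the thread or from HijackThis. SAMPLE_LOG is constructed in HijackThis 1.99.1 format from a few lines like those in the first post (ad.example.invalid is a made-up name), and the rundll32 check is a heuristic of this example, not a HijackThis rule.

```python
"""Triage of HijackThis O1 (hosts) and O4 (Run key) lines.

Added example for this thread; SAMPLE_LOG is a constructed excerpt in the
format of the log in the first post, not the full log.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in HijackThis 1.99.1 format (a few lines, not the real log).
SAMPLE_LOG = r"""
O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 127.0.0.1 ad.example.invalid
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [R] C:\WINDOWS\system32\rundll32.exe msprt.dll s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# rundll32 followed by its first argument, the DLL to load (stops at comma, quote or space).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^"\s,]+)', re.IGNORECASE)


def parse_hosts_entries(log_text):
    """(ip, hostname) for every O1 line; hostnames lower-cased."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def hosts_by_target(entries):
    """Group hostnames by the address they are mapped to, preserving order."""
    grouped = defaultdict(list)
    for ip, host in entries:
        grouped[ip].append(host)
    return dict(grouped)


def redirect_targets(entries):
    """Same grouping, but only for targets that are neither loopback nor
    0.0.0.0. Those entries do not block a site; they send the browser to
    another machine while the address bar still shows the expected name.
    An address that does not parse is kept too, since it also merits a look."""
    redirects = {}
    for ip, hosts in hosts_by_target(entries).items():
        try:
            addr = ip_address(ip)
        except ValueError:
            redirects[ip] = hosts
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        redirects[ip] = hosts
    return redirects


def parse_run_entries(log_text):
    """(hive, value name, command line) for every O4 Run line."""
    out = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def suspicious_run_entries(log_text):
    """Heuristic used in this example: a Run value that starts rundll32
    with a DLL named without a drive letter or backslash. The DLL is then
    found through the loader's search order rather than at a stated path,
    which is how the [R] entry in the thread looks. Returns (hive, name, dll)."""
    flagged = []
    for hive, name, cmd in parse_run_entries(log_text):
        m = RUNDLL_RE.search(cmd)
        if not m:
            continue
        dll = m.group(1)
        if ":" not in dll and "\\" not in dll:
            flagged.append((hive, name, dll))
    return flagged


if __name__ == "__main__":
    entries = parse_hosts_entries(SAMPLE_LOG)
    for ip, hosts in redirect_targets(entries).items():
        print(f"{len(hosts)} hostname(s) redirected to {ip}:")
        for h in hosts:
            print("   ", h)
    for hive, name, dll in suspicious_run_entries(SAMPLE_LOG):
        print(f"Run value [{name}] under {hive} loads {dll!r} through rundll32 by bare name")
```

A hosts entry that maps a name to something other than loopback or 0.0.0.0 is a redirect, not a block: the browser still shows the name it asked for but talks to the listed machine. That is why the first post's log shows Chinese portals and the update and download hosts of security products all pointed at one address, and grouping by target makes such an injected block stand out even in a long file. Run the script against a saved log by reading the file into a string in place of SAMPLE_LOG.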

#4 zhijie (Topic Starter)

Posted 11 October 2006 - 08:51 AM

Hi,

I downloaded the Hoster, but I can't run it.
I always get this error: "c:\windows\system32\drivers\etc\hosts" not found.

Is there any other software I can use in its place?

Thanks
Zhijie

#5 Falu (Security Colleague)

Posted 12 October 2006 - 10:26 AM

Hi zhijie, :thumbsup:

Do the following instead of running the Hoster (step 2) and then continue with step 3 in my earlier post.

Run HijackThis, click Scan and checkmark the following entries:

O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 hao123.com
O1 - Hosts: 219.139.58.97 www.7b.com.cn
O1 - Hosts: 219.139.58.97 7b.com.cn
O1 - Hosts: 219.139.58.97 www.7939.com
O1 - Hosts: 219.139.58.97 www.maohehe.com
O1 - Hosts: 219.139.58.97 www.sina-baidu.com
O1 - Hosts: 219.139.58.97 sina-baidu.com
O1 - Hosts: 219.139.58.97 www.maipao.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 down.virussky.com
O1 - Hosts: 219.139.58.97 www.ycdy.com
O1 - Hosts: 219.139.58.97 ycdy.com
O1 - Hosts: 219.139.58.97 www.2tu.cn
O1 - Hosts: 219.139.58.97 2tu.cn
O1 - Hosts: 219.139.58.97 www.91tu.cn
O1 - Hosts: 219.139.58.97 91tu.cn
O1 - Hosts: 219.139.58.97 www.haotop.com
O1 - Hosts: 219.139.58.97 news01.virussky.com
O1 - Hosts: 219.139.58.97 news02.virussky.com
O1 - Hosts: 219.139.58.97 news03.virussky.com
O1 - Hosts: 219.139.58.97 news04.virussky.com
O1 - Hosts: 219.139.58.97 news40.virussky.com
O1 - Hosts: 219.139.58.97 news41.virussky.com
O1 - Hosts: 219.139.58.97 news42.virussky.com
O1 - Hosts: 219.139.58.97 www.an85.com
O1 - Hosts: 219.139.58.97 an85.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 219.139.58.97 bbs.360safe.com
O1 - Hosts: 219.139.58.97 www.gao58.com
O1 - Hosts: 219.139.58.97 count18.51yes.com
O1 - Hosts: 219.139.58.97 www.ok538.com
O1 - Hosts: 219.139.58.97 www.3000sss.com
O1 - Hosts: 219.139.58.97 3000sss.com
O1 - Hosts: 219.139.58.97 www.qq658.com
O1 - Hosts: 219.139.58.97 www.53679.com
O1 - Hosts: 219.139.58.97 www.17587.net
O1 - Hosts: 219.139.58.97 www.17587.com
O1 - Hosts: 219.139.58.97 www.an188.com
O1 - Hosts: 219.139.58.97 cwzwxm.3322.org
O1 - Hosts: 219.139.58.97 www.onediy.net
O1 - Hosts: 219.139.58.97 sohu.fswan.com
O1 - Hosts: 219.139.58.97 www.hewdq.com
O1 - Hosts: 219.139.58.97 go.ipcenter.cn
O1 - Hosts: 219.139.58.97 www.32666.com
O1 - Hosts: 219.139.58.97 show.googleadsenseagent.com
O1 - Hosts: 219.139.58.97 www.2yin.cn
O1 - Hosts: 219.139.58.97 2yin.cn
O1 - Hosts: 219.139.58.97 www.84442.com
O1 - Hosts: 219.139.58.97 www.898333.com
O1 - Hosts: 219.139.58.97 hewdq.com
O1 - Hosts: 219.139.58.97 84442.com
O1 - Hosts: 219.139.58.97 wwww.systeel.com.cn
O1 - Hosts: 219.139.58.97 go.baibaoxiang.cn
O1 - Hosts: 219.139.58.97 www.btbaicai.com
O1 - Hosts: 219.139.58.97 btbaicai.com
O1 - Hosts: 219.139.58.97 www.2t2t.cn
O1 - Hosts: 219.139.58.97 2t2t.cn
O1 - Hosts: 219.139.58.97 3.a.kal.cn
O1 - Hosts: 219.139.58.97 www.222978.com
O1 - Hosts: 219.139.58.97 www.5yaowan.com
O1 - Hosts: 219.139.58.97 show.roogoo.com
O1 - Hosts: 219.139.58.97 ip.alexaanywhere.com
O1 - Hosts: 219.139.58.97 www.znmq.com
O1 - Hosts: 219.139.58.97 www.pctutu.com


Close all browsers and windows except HijackThis, click the Fix Checked button, and then close HijackThis.

#6 zhijie (Topic Starter)

Posted 12 October 2006 - 01:09 PM

I can't delete them.
This is what I get when I try to delete them.

"
An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 219.139.58.97 update.rising.com.cn)
Error #70 - Permission denied

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
"


for all the checked items... even when no other applications are open.



Please help me.
Thanks
ZJ

#7 Falu (Security Colleague)

Posted 14 October 2006 - 04:25 AM

Hi zhijie,

Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click Back up Host files
  • then click Restore original host files
  • Close the Hoster.
If you could run the Hoster, now reboot to go back into Normal mode and continue with step 3 in my original post.

If not:

1. Let me know if you get error messages and what they are;

2. Go to C:\WINDOWS\SYSTEM32\DRIVERS\ETC

See that HOSTS file in there? Open it with notepad.

Delete EVERYTHING in there.

Then, create a line that says:

127.0.0.1 localhost

just like that. Save the file (with no .TXT extension).

Reboot and continue with step 3.
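The manual reset in the post above (empty the file, leave one "127.0.0.1 localhost" line) can be scripted so that the old contents are backed up and listed before they go. The script below is an added example, not the Hoster and not code from the thread. It assumes the Windows XP path given in the post; the system actually reads the file from wherever the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters points, which is the first thing to check when a tool reports the file as missing. Run it from an administrator account.

```python
"""Reset a Windows hosts file to the single line prescribed in the post
above, after backing it up and recording what was removed.

Added example for this thread, not the Hoster's code. HOSTS_PATH is the
XP location named in the post and is assumed here.
"""
import os
import shutil
import stat
from ipaddress import ip_address

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # assumed XP default
MINIMAL_HOSTS = "127.0.0.1\tlocalhost\n"


def parse_hosts_text(text):
    """Yield (ip, hostname) for every mapping in a hosts file body.
    Comments and blank lines are skipped; a line with several names
    yields one entry per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()


def sanitize_hosts_text(text):
    """Return (new_text, removed). new_text is the minimal file from the
    post; removed lists every mapping other than loopback -> localhost so
    the operator can see what the old file was doing."""
    removed = []
    for ip, name in parse_hosts_text(text):
        try:
            is_loopback = ip_address(ip).is_loopback
        except ValueError:
            is_loopback = False
        if is_loopback and name == "localhost":
            continue
        removed.append((ip, name))
    return MINIMAL_HOSTS, removed


def sanitize_hosts_file(path=HOSTS_PATH, backup_suffix=".bak"):
    """Back up the hosts file, clear its read-only flag if set, and rewrite
    it. Returns (backup_path, removed)."""
    if not os.path.isfile(path):
        raise FileNotFoundError(
            f"{path} is missing; check the DataBasePath value under "
            r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        old = f.read()
    backup = path + backup_suffix
    shutil.copy2(path, backup)
    # On Windows, os.chmod only toggles the read-only attribute. A system or
    # hidden attribute (attrib -s -h) or a restrictive ACL is not changed
    # here and would still produce a permission error on the write below.
    mode = os.stat(path).st_mode
    if not mode & stat.S_IWRITE:
        os.chmod(path, mode | stat.S_IWRITE)
    new_text, removed = sanitize_hosts_text(old)
    with open(path, "w", encoding="ascii", newline="\r\n") as f:
        f.write(new_text)
    return backup, removed


if __name__ == "__main__":
    backup, removed = sanitize_hosts_file()
    print(f"backup written to {backup}")
    for ip, name in removed:
        print(f"removed {name} -> {ip}")
```

sanitize_hosts_text has no side effects and can be tried on a copy of the file first. sanitize_hosts_file clears only the read-only attribute; if HijackThis still reports "Permission denied" on the file, as in post #6, look at its system and hidden attributes (attrib) and at its ACL. Entries that return after the file has been cleaned mean something still running on the machine is rewriting it, and the file itself is only a symptom.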

#8 zhijie (Topic Starter)

Posted 14 October 2006 - 08:33 AM

Hi,

I did the second step and ran the online scan...
Due to insufficient space, I had to stop the scan...

But I think the HOST:129.139.58.97 is persistent. When I cleaned the windows/system32/drivers/etc/hosts file, the HijackThis log showed none of the HOST:129.139.58.97 entries. But after the online scan, the HijackThis result shows that the HOST:129.139.58.97 list re-appeared.



Anyway, here's the online scan result:


Scan Statistics
Total number of scanned objects 98708
Number of viruses found 70
Number of infected objects 218 / 0
Number of suspicious objects 2
Duration of the scan process 01:36:42

Infected Object Name Virus Name Last Action
C:\!KillBox\iMeshV4.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.MyWay.k skipped

C:\!KillBox\iMeshV4.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped

C:\!KillBox\iMeshV4.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.EZula.w skipped

C:\!KillBox\iMeshV4.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped

C:\!KillBox\iMeshV4.exe WiseSFX: infected - 4 skipped

C:\!KillBox\iMeshV4.exe( 1)/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.MyWay.k skipped

C:\!KillBox\iMeshV4.exe( 1)/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped

C:\!KillBox\iMeshV4.exe( 1)/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.EZula.w skipped

C:\!KillBox\iMeshV4.exe( 1)/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped

C:\!KillBox\iMeshV4.exe( 1) WiseSFX: infected - 4 skipped

C:\!KillBox\orange_decoder.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.EZula.a skipped

C:\!KillBox\orange_decoder.exe/WISE0017.BIN/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

C:\!KillBox\orange_decoder.exe/WISE0017.BIN/v2.0.4a.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe/WISE0017.BIN/v2.0.4a.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

C:\!KillBox\orange_decoder.exe/WISE0017.BIN/v2.0.4a.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe/WISE0017.BIN/v2.0.4a.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe/WISE0018.BIN/data0005 Infected: Trojan-Downloader.Win32.Agent.ac skipped

C:\!KillBox\orange_decoder.exe/WISE0018.BIN/data0006 Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\!KillBox\orange_decoder.exe/WISE0018.BIN/data0008 Infected: Trojan-Downloader.Win32.Turown.g skipped

C:\!KillBox\orange_decoder.exe/WISE0018.BIN/data0011 Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\!KillBox\orange_decoder.exe/WISE0018.BIN/data0013 Infected: Trojan-Downloader.Win32.VB.cw skipped

C:\!KillBox\orange_decoder.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.VB.cw skipped

C:\!KillBox\orange_decoder.exe/WISE0019.BIN/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\!KillBox\orange_decoder.exe/WISE0019.BIN/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped

C:\!KillBox\orange_decoder.exe/WISE0019.BIN/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\!KillBox\orange_decoder.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\!KillBox\orange_decoder.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.MyWay.c skipped

C:\!KillBox\orange_decoder.exe/WISE0021.BIN/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe/WISE0021.BIN/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe/WISE0021.BIN/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe WiseSFX: infected - 29 skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.EZula.a skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0017.BIN/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0017.BIN/v2.0.4a.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0017.BIN/v2.0.4a.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0017.BIN/v2.0.4a.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0017.BIN/v2.0.4a.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0018.BIN/data0005 Infected: Trojan-Downloader.Win32.Agent.ac skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0018.BIN/data0006 Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0018.BIN/data0008 Infected: Trojan-Downloader.Win32.Turown.g skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0018.BIN/data0011 Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0018.BIN/data0013 Infected: Trojan-Downloader.Win32.VB.cw skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0018.BIN Infected: Trojan-Downloader.Win32.VB.cw skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0019.BIN/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0019.BIN/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0019.BIN/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.MyWay.c skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0021.BIN/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0021.BIN/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0021.BIN/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe( 2)/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped

C:\!KillBox\orange_decoder.exe( 2) WiseSFX: infected - 29 skipped

C:\dbgView.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01240000.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02F80000.VBN Infected: Trojan-Spy.Win32.Delf.jm skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02F80001.VBN Infected: Trojan-Spy.Win32.Delf.jm skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05380000.VBN Infected: Trojan-PSW.Win32.Lmir.axs skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05380001.VBN Infected: Trojan-PSW.Win32.QQPass.hn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40001.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40002.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40003.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40004.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40005.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40006.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40007.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40008.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D40009.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D4000A.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D4000B.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D4000C.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D4000D.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D4000E.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540001.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540002.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540003.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540004.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540005.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540006.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540007.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07540008.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0754000A.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0754000B.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0754000C.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0754000D.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0754000E.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0754000F.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A5C0000.VBN Infected: Trojan-PSW.Win32.QQRob.fo skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A5C0001.VBN Infected: Trojan-PSW.Win32.QQRob.fo skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780000.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780001.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C140000.VBN Infected: Trojan.Win32.BCB.i skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C140001.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D500000.VBN Infected: Trojan-Spy.Win32.Delf.ss skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D580000.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D740000.VBN Infected: Packed.Win32.NSAnti skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D740001.VBN Infected: Trojan-Spy.Win32.Delf.ss skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D740002.VBN Infected: Trojan-Spy.Win32.Delf.jm skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D800000.VBN Infected: Trojan-PSW.Win32.WOW.da skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D800001.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D800002.VBN Infected: Packed.Win32.NSAnti skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D800003.VBN Infected: Trojan-PSW.Win32.WOW.eo skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D800004.VBN Infected: Rootkit.Win32.Vanti.df skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D800005.VBN Infected: Trojan-PSW.Win32.WOW.eo skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DBC0000.VBN Infected: Worm.Win32.Viking.ae skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DBC0001.VBN Infected: Worm.Win32.Viking.ae skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000000.VBN Infected: Trojan-Spy.Win32.Delf.ss skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000001.VBN Infected: Trojan-PSW.Win32.Lmir.azc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000002.VBN Infected: Packed.Win32.NSAnti skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000003.VBN Infected: Packed.Win32.NSAnti skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000004.VBN Infected: Trojan-Spy.Win32.Delf.ss skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000005.VBN Infected: Trojan-PSW.Win32.WOW.da skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000006.VBN Infected: Backdoor.Win32.Agent.aex skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000007.VBN Infected: Packed.Win32.NSAnti skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000008.VBN Infected: Packed.Win32.NSAnti skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000009.VBN Infected: Trojan-PSW.Win32.WOW.eo skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E00000A.VBN Infected: Rootkit.Win32.Vanti.df skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E00000B.VBN Infected: Trojan-PSW.Win32.WOW.eo skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E200000.VBN Infected: Trojan-Dropper.Win32.Agent.atc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E200001.VBN Infected: Trojan-Dropper.Win32.Agent.atc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00001.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00002.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00003.VBN Infected: not-a-virus:AdWare.Win32.UrlSpy.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00004.VBN Infected: Trojan-Downloader.Win32.Agent.adz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00005.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F200000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F280000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800001.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800002.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800003.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800004.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800005.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800006.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F800007.VBN Infected: Trojan-PSW.Win32.WOW.de skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940001.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB80000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FE00000.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FE00001.VBN Infected: Trojan-PSW.Win32.Lineage.acw skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_358.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\infected.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\Working\database_3E00_5A1A_59_DA0B\dfsr.db Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\Working\database_3E00_5A1A_59_DA0B\fsr.log Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\Working\database_3E00_5A1A_59_DA0B\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Messenger\zhijie1130@hotmail.com\SharingMetadata\Working\database_3E00_5A1A_59_DA0B\tmp.edb Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Windows Live Contacts\zhijie1130@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Application Data\Microsoft\Windows Live Contacts\zhijie1130@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\History\History.IE5\MSHist012006101420061015\index.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Temp\dhcls.dll Infected: Rootkit.Win32.Vanti.df skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Temp\~DF49E2.tmp Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Temp\~DF4A06.tmp Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Temp\~DF60CD.tmp Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Temp\~DF6138.tmp Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Rowan Atkinson\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_509.trc Object is locked skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\05825246 Infected: not-a-virus:AdWare.Win32.UrlSpy.b skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\08331AD3.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0DC82AF4 Infected: not-a-virus:AdWare.Win32.BiSpy.f skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0E7272E0 Infected: Trojan-Downloader.Win32.Agent.ae skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\141F22D3 Infected: Trojan-Downloader.Win32.Swizzor.az skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\14234CD0 Infected: Trojan-Downloader.Win32.Dyfuca.cs skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\142676CC Infected: Trojan-Downloader.Win32.IstBar.fi skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\142920C8 Infected: Trojan-Downloader.Win32.Dyfuca.cq skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\142D4AC5 Infected: Trojan-Downloader.Win32.Agent.ae skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\143074C1 Infected: Trojan-Downloader.Win32.Agent.ae skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\14331EBE Infected: Trojan-Downloader.Win32.Agent.ae skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\143648BA Infected: Trojan-Downloader.Win32.Agent.ae skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\143A72B6 Infected: not-a-virus:AdWare.Win32.PowerScan.b skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\15D26DFF.class Infected: Trojan.Java.ClassLoader.d skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\163B14E4.dll Infected: Trojan-Dropper.Win32.Gvuz.a skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\168D6E2A.class Infected: Trojan.Java.ClassLoader.d skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C101EA0 Infected: not-a-virus:AdWare.Win32.BiSpy.m skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\251D6FED Infected: Trojan-Downloader.Win32.VB.cw skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\25276DE2 Infected: Trojan-Downloader.Win32.Turown.g skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\252A17DE Infected: Trojan-Downloader.Win32.Turown.i skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2BD8240B Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\30005437.zip/britney.jpg .scr Infected: Email-Worm.Win32.Mabutu.a skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\30005437.zip ZIP: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\30005437.zip CryptFF: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\30734F4D Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\31891CE3 Infected: Trojan-Downloader.Win32.Dyfuca.cr skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\346E69FA/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\346E69FA/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.e skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\346E69FA/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.h skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\346E69FA NSIS: infected - 3 skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\346E69FA CryptFF: infected - 3 skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347213F6 Infected: Trojan-Spy.Win32.Briss.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34753DF3 Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347867EF/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347867EF/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347867EF Embedded CAB: infected - 2 skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\347867EF CryptFF: infected - 2 skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\359B255A Infected: Trojan-Downloader.Win32.Dyfuca.gen skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3D1A58E2 Infected: Trojan-Downloader.Win32.IstBar.fa skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\423D0409 Infected: Trojan-Downloader.JS.IstBar.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\434858E9 Infected: Trojan-Downloader.Win32.Dyfuca.cv skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\474832CD Infected: not-a-virus:AdWare.Win32.WebSearch.aw skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4E664A01.htm Suspicious: Exploit.HTML.Mht skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5C594945 Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5FCB0CDD Infected: Trojan-Downloader.Win32.IstBar.eo skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\638B42CB Infected: not-a-virus:AdWare.Win32.BiSpy.p skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\638E6CC8 Infected: Trojan-Downloader.Win32.Agent.ae skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\65144F0E.exe Infected: Trojan.Win32.StartPage.fg skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\657E1B9E Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\66A22B98 Infected: Trojan-Downloader.JS.IstBar.b skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\68823DD5 Infected: not-a-virus:AdWare.Win32.SideFind skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6C3C572B.htm Suspicious: Exploit.HTML.Mht skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6C497F1D.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6C4C2919.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6C580C07 Infected: Trojan.Win32.Dialer.fu skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6F6F01A5.class Infected: Trojan.Java.ClassLoader.h skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\712D48D4 Infected: not-a-virus:AdWare.Win32.Cydoor skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\71B601FE.class Infected: Trojan.Java.ClassLoader.h skipped

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\763B2D4D Infected: not-a-virus:AdWare.Win32.BiSpy.q skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{773E1770-756D-4B9C-8C25-CE0152673C5E}\RP644\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\MEMORY.DMP Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped

C:\WINDOWS\system32\drivers\etc\hosts Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd8637.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\hsperfdata_SYSTEM\1948 Object is locked skipped

C:\WINDOWS\Temp\hsperfdata_SYSTEM\664 Object is locked skipped

C:\WINDOWS\vmmreg.dll Infected: Trojan-Spy.Win32.Delf.ss skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:44 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\NUS-VPN\cvpnd.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Alias\Maya6.5\docs\wrapper.exe
E:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
D:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rowan Atkinson\Desktop\HijackThis.exe

O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 hao123.com
O1 - Hosts: 219.139.58.97 www.7b.com.cn
O1 - Hosts: 219.139.58.97 7b.com.cn
O1 - Hosts: 219.139.58.97 www.7939.com
O1 - Hosts: 219.139.58.97 www.maohehe.com
O1 - Hosts: 219.139.58.97 www.sina-baidu.com
O1 - Hosts: 219.139.58.97 sina-baidu.com
O1 - Hosts: 219.139.58.97 www.maipao.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 down.virussky.com
O1 - Hosts: 219.139.58.97 www.ycdy.com
O1 - Hosts: 219.139.58.97 ycdy.com
O1 - Hosts: 219.139.58.97 www.2tu.cn
O1 - Hosts: 219.139.58.97 2tu.cn
O1 - Hosts: 219.139.58.97 www.91tu.cn
O1 - Hosts: 219.139.58.97 91tu.cn
O1 - Hosts: 219.139.58.97 www.haotop.com
O1 - Hosts: 219.139.58.97 news01.virussky.com
O1 - Hosts: 219.139.58.97 news02.virussky.com
O1 - Hosts: 219.139.58.97 news03.virussky.com
O1 - Hosts: 219.139.58.97 news04.virussky.com
O1 - Hosts: 219.139.58.97 news40.virussky.com
O1 - Hosts: 219.139.58.97 news41.virussky.com
O1 - Hosts: 219.139.58.97 news42.virussky.com
O1 - Hosts: 219.139.58.97 www.an85.com
O1 - Hosts: 219.139.58.97 an85.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 219.139.58.97 bbs.360safe.com
O1 - Hosts: 219.139.58.97 www.gao58.com
O1 - Hosts: 219.139.58.97 count18.51yes.com
O1 - Hosts: 219.139.58.97 www.ok538.com
O1 - Hosts: 219.139.58.97 www.3000sss.com
O1 - Hosts: 219.139.58.97 3000sss.com
O1 - Hosts: 219.139.58.97 www.qq658.com
O1 - Hosts: 219.139.58.97 www.53679.com
O1 - Hosts: 219.139.58.97 www.17587.net
O1 - Hosts: 219.139.58.97 www.17587.com
O1 - Hosts: 219.139.58.97 www.an188.com
O1 - Hosts: 219.139.58.97 cwzwxm.3322.org
O1 - Hosts: 219.139.58.97 www.onediy.net
O1 - Hosts: 219.139.58.97 sohu.fswan.com
O1 - Hosts: 219.139.58.97 www.hewdq.com
O1 - Hosts: 219.139.58.97 go.ipcenter.cn
O1 - Hosts: 219.139.58.97 www.32666.com
O1 - Hosts: 219.139.58.97 show.googleadsenseagent.com
O1 - Hosts: 219.139.58.97 www.2yin.cn
O1 - Hosts: 219.139.58.97 2yin.cn
O1 - Hosts: 219.139.58.97 www.84442.com
O1 - Hosts: 219.139.58.97 www.898333.com
O1 - Hosts: 219.139.58.97 hewdq.com
O1 - Hosts: 219.139.58.97 84442.com
O1 - Hosts: 219.139.58.97 wwww.systeel.com.cn
O1 - Hosts: 219.139.58.97 go.baibaoxiang.cn
O1 - Hosts: 219.139.58.97 www.btbaicai.com
O1 - Hosts: 219.139.58.97 btbaicai.com
O1 - Hosts: 219.139.58.97 www.2t2t.cn
O1 - Hosts: 219.139.58.97 2t2t.cn
O1 - Hosts: 219.139.58.97 3.a.kal.cn
O1 - Hosts: 219.139.58.97 www.222978.com
O1 - Hosts: 219.139.58.97 www.5yaowan.com
O1 - Hosts: 219.139.58.97 show.roogoo.com
O1 - Hosts: 219.139.58.97 ip.alexaanywhere.com
O1 - Hosts: 219.139.58.97 www.znmq.com
O1 - Hosts: 219.139.58.97 www.pctutu.com
O1 - Hosts: 219.139.58.97 www.7322.com
O1 - Hosts: 219.139.58.97 www.5566.net
O1 - Hosts: 219.139.58.97 www.9991.com
O1 - Hosts: 219.139.58.97 forum.ikaka.com
O1 - Hosts: 219.139.58.97 www.ikaka.com
O1 - Hosts: 219.139.58.97 www.piaoxue.com
O1 - Hosts: 219.139.58.97 forum.jiangmin.com
O1 - Hosts: 219.139.58.97 post.baidu.com
O1 - Hosts: 219.139.58.97 update.rising.com.cn
O1 - Hosts: 219.139.58.97 online.rising.com.cn
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [R] C:\WINDOWS\system32\rundll32.exe ctfmon.dll s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\NUS-VPN\vpngui.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Decompiler - d:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137948483000
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B10E9E2-E051-470C-B276-A9E05999E333}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: DVDBurn - {790448C3-4239-45AF-C98B-367991A8B103} - C:\WINDOWS\Downloaded Program Files\AfxEdit.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems

#9 zhijie
  • Topic Starter
  • Members
  • 41 posts

Posted 14 October 2006 - 08:36 AM

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\NUS-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - E:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - D:/Program Files/mysql/bin/mysqld-nt.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - d:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)



Please advise what step I should do.
And my IE's homepage always goes back to "http://www.9505.com/"; I can't set it to blank or to other sites.


Thanks
ZJ

#10 Falu
  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 October 2006 - 02:01 AM

Hi zhijie, :thumbsup:

Just to tell you that I will work on your post tomorrow morning.

#11 zhijie
  • Topic Starter
  • Members
  • 41 posts

Posted 15 October 2006 - 11:29 AM

Thanks!

#12 Falu
  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 October 2006 - 04:35 AM

Hi zhijie, :thumbsup:

Sorry for the long wait.

Your log shows the very dangerous Troj/SDBot-06 is present on your computer!

This worm also has backdoor functionalities. It processes the commands on the local machine giving remote users virtual control over the infected system.
It is possible that the remote attacker has added multiple backdoors and/or accounts or even rooted the computer.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

1. Do you run a firewall? I don't see one running, and I urge you to do so. There are several good free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

2. Download this file - combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

3. Reboot into Safe mode.

4. Run HijackThis, click Scan and checkmark the following entries:

O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 hao123.com
O1 - Hosts: 219.139.58.97 www.7b.com.cn
O1 - Hosts: 219.139.58.97 7b.com.cn
O1 - Hosts: 219.139.58.97 www.7939.com
O1 - Hosts: 219.139.58.97 www.maohehe.com
O1 - Hosts: 219.139.58.97 www.sina-baidu.com
O1 - Hosts: 219.139.58.97 sina-baidu.com
O1 - Hosts: 219.139.58.97 www.maipao.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 down.virussky.com
O1 - Hosts: 219.139.58.97 www.ycdy.com
O1 - Hosts: 219.139.58.97 ycdy.com
O1 - Hosts: 219.139.58.97 www.2tu.cn
O1 - Hosts: 219.139.58.97 2tu.cn
O1 - Hosts: 219.139.58.97 www.91tu.cn
O1 - Hosts: 219.139.58.97 91tu.cn
O1 - Hosts: 219.139.58.97 www.haotop.com
O1 - Hosts: 219.139.58.97 news01.virussky.com
O1 - Hosts: 219.139.58.97 news02.virussky.com
O1 - Hosts: 219.139.58.97 news03.virussky.com
O1 - Hosts: 219.139.58.97 news04.virussky.com
O1 - Hosts: 219.139.58.97 news40.virussky.com
O1 - Hosts: 219.139.58.97 news41.virussky.com
O1 - Hosts: 219.139.58.97 news42.virussky.com
O1 - Hosts: 219.139.58.97 www.an85.com
O1 - Hosts: 219.139.58.97 an85.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 219.139.58.97 bbs.360safe.com
O1 - Hosts: 219.139.58.97 www.gao58.com
O1 - Hosts: 219.139.58.97 count18.51yes.com
O1 - Hosts: 219.139.58.97 www.ok538.com
O1 - Hosts: 219.139.58.97 www.3000sss.com
O1 - Hosts: 219.139.58.97 3000sss.com
O1 - Hosts: 219.139.58.97 www.qq658.com
O1 - Hosts: 219.139.58.97 www.53679.com
O1 - Hosts: 219.139.58.97 www.17587.net
O1 - Hosts: 219.139.58.97 www.17587.com
O1 - Hosts: 219.139.58.97 www.an188.com
O1 - Hosts: 219.139.58.97 cwzwxm.3322.org
O1 - Hosts: 219.139.58.97 www.onediy.net
O1 - Hosts: 219.139.58.97 sohu.fswan.com
O1 - Hosts: 219.139.58.97 www.hewdq.com
O1 - Hosts: 219.139.58.97 go.ipcenter.cn
O1 - Hosts: 219.139.58.97 www.32666.com
O1 - Hosts: 219.139.58.97 show.googleadsenseagent.com
O1 - Hosts: 219.139.58.97 www.2yin.cn
O1 - Hosts: 219.139.58.97 2yin.cn
O1 - Hosts: 219.139.58.97 www.84442.com
O1 - Hosts: 219.139.58.97 www.898333.com
O1 - Hosts: 219.139.58.97 hewdq.com
O1 - Hosts: 219.139.58.97 84442.com
O1 - Hosts: 219.139.58.97 wwww.systeel.com.cn
O1 - Hosts: 219.139.58.97 go.baibaoxiang.cn
O1 - Hosts: 219.139.58.97 www.btbaicai.com
O1 - Hosts: 219.139.58.97 btbaicai.com
O1 - Hosts: 219.139.58.97 www.2t2t.cn
O1 - Hosts: 219.139.58.97 2t2t.cn
O1 - Hosts: 219.139.58.97 3.a.kal.cn
O1 - Hosts: 219.139.58.97 www.222978.com
O1 - Hosts: 219.139.58.97 www.5yaowan.com
O1 - Hosts: 219.139.58.97 show.roogoo.com
O1 - Hosts: 219.139.58.97 ip.alexaanywhere.com
O1 - Hosts: 219.139.58.97 www.znmq.com
O1 - Hosts: 219.139.58.97 www.pctutu.com
O1 - Hosts: 219.139.58.97 www.7322.com
O1 - Hosts: 219.139.58.97 www.5566.net
O1 - Hosts: 219.139.58.97 www.9991.com
O1 - Hosts: 219.139.58.97 forum.ikaka.com
O1 - Hosts: 219.139.58.97 www.ikaka.com
O1 - Hosts: 219.139.58.97 www.piaoxue.com
O1 - Hosts: 219.139.58.97 forum.jiangmin.com
O1 - Hosts: 219.139.58.97 post.baidu.com
O1 - Hosts: 219.139.58.97 update.rising.com.cn
O1 - Hosts: 219.139.58.97 online.rising.com.cn
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKLM\..\Run: [R] C:\WINDOWS\system32\rundll32.exe ctfmon.dll s
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5. Go to Start->Run, type CMD and click Ok.

Alternatively, press Ctrl+Alt+Delete to bring up the Task Manager. While holding down the Ctrl key, click on New Task. Once the MS-DOS window comes up, minimize the Task Manager.
At the prompt type the following and press Enter after each line:

SC Stop NetWorkLogon
SC Delete NetWorkLogon
Exit

6. Using Windows Explorer, please delete the following files in bold if listed:

C:\WINDOWS\ctfmon.exe <<The file in the Windows folder and not: C:\WINDOWS\System32\ctfmon.exe which is legit!
C:\Documents and Settings\All Users\Application Data\Symantec\\0F800007.VBN
C:\WINDOWS\vmmreg.dll

Let me know if you had problems with this step.

7. * Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

8. Empty your AV's quarantine.

Please reboot to go back into Normal mode and post the Combofix log along with a fresh HijackThis log for review.
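
An added example, not part of this thread and not code from HijackThis, ComboFix or BleepingComputer: a small Python triage script that applies the three tells the instructions above rely on to a HijackThis 1.99 log. It clusters O1 hosts entries by target IP (one non-loopback address absorbing many names, including AV update hosts, is a hosts-file hijack), flags O4 Run entries that run a core Windows binary name from outside system32 (the C:\WINDOWS\ctfmon.exe case) or use rundll32.exe to load a DLL named without a directory, and flags O23 services whose image is a bare core-binary name (the NetWorkLogon -> rundll32.exe case). The sample log lines are constructed from entries quoted in the thread, and the list of system32-only binaries is an assumption made for the example.

```python
"""Triage a HijackThis 1.99 log for the three hijack patterns in this thread:
a hosts-file redirect of many domains to one IP, a core Windows binary name
running from the wrong directory, and rundll32 used as a loader by a Run key
or a service. Added example; the sample lines are constructed from entries
quoted in the thread, and nothing here touches the live system."""
import re
from collections import defaultdict

# Constructed sample: a few O1/O4/O23 lines from the log above plus clean
# entries, so each filter has something to pass as well as something to flag.
SAMPLE_LOG = r"""
O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 update.rising.com.cn
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKLM\..\Run: [R] C:\WINDOWS\system32\rundll32.exe ctfmon.dll s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
"""

# Assumption for this example: on Windows XP these binaries live only in
# %SystemRoot%\system32, so a copy under another directory is a masquerade.
SYSTEM32_ONLY = {"ctfmon.exe", "rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def hosts_hijacks(log, min_domains=3):
    """Group O1 entries by target IP; a non-loopback IP that absorbs several
    unrelated names (portals and AV update hosts alike) is a hosts-file hijack."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = O1_RE.match(line)
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items()
            if not ip.startswith("127.") and len(names) >= min_domains}


def _split_command(command):
    r"""Split a Run-key value into (executable path, remaining arguments),
    honouring a quoted path such as "C:\Program Files\...\ccApp.exe"."""
    command = command.strip()
    if command.startswith('"'):
        end = command.index('"', 1)
        return command[1:end], command[end + 1:].strip()
    exe, _, rest = command.partition(" ")
    return exe, rest.strip()


def suspicious_run_entries(log):
    r"""Flag O4 entries that either run a core binary name from outside system32
    (the C:\WINDOWS\ctfmon.exe case) or use rundll32.exe to load a DLL given
    without a directory, which Windows resolves through the DLL search path."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        exe, rest = _split_command(command)
        directory, _, base = exe.lower().rpartition("\\")
        if base in SYSTEM32_ONLY and not directory.endswith("\\system32"):
            findings.append((hive, name, "%s outside system32: %s" % (base, exe)))
        if base == "rundll32.exe" and rest:
            dll = rest.split()[0].strip('"')
            if "\\" not in dll:
                findings.append((hive, name, "rundll32 loads unqualified DLL %s" % dll))
    return findings


def suspicious_services(log):
    """Flag O23 services whose image is a bare core-binary name with no
    directory at all (the NetWorkLogon -> rundll32.exe case)."""
    findings = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        display, _owner, image = m.groups()
        image_path = image.replace("(file missing)", "").strip().strip('"')
        if "\\" not in image_path and image_path.lower() in SYSTEM32_ONLY:
            findings.append((display, image_path))
    return findings


def triage(log):
    """Run all three checks and return one report dict."""
    return {"hosts": hosts_hijacks(log),
            "run_keys": suspicious_run_entries(log),
            "services": suspicious_services(log)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

Run against the full log above instead of the sample, the hosts check returns a single cluster of roughly eighty names on 219.139.58.97; the names that matter most for remediation are the AV vendor hosts (rising, 360safe, virussky, ikaka, jiangmin), since pointing those at an attacker-controlled address is what blocks definition updates. The rundll32 rule deliberately ignores the path of rundll32.exe itself: the loader is legitimate and in the right place, the problem is the unqualified ctfmon.dll it is told to load.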

#13 zhijie
  • Topic Starter
  • Members
  • 41 posts

Posted 18 October 2006 - 10:54 AM

Hi,

Here's my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:45:03 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\NUS-VPN\cvpnd.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\Alias\Maya6.5\docs\wrapper.exe
E:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
D:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rowan Atkinson\Desktop\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\NUS-VPN\vpngui.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Decompiler - d:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137948483000
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B10E9E2-E051-470C-B276-A9E05999E333}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: DVDBurn - {790448C3-4239-45AF-C98B-367991A8B103} - C:\WINDOWS\Downloaded Program Files\AfxEdit.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\NUS-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - E:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - D:/Program Files/mysql/bin/mysqld-nt.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - d:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)




Here's my ComboFix log

Rowan Atkinson - 06-10-18 23:04:35.79 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Rowan Atkinson\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-07 15:45 42,231 --a------ C:\wz041.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-11 21:46 -------- d-------- C:\Program Files\Java
2006-09-13 21:10 -------- d-------- C:\Documents and Settings\Rowan Atkinson\Application Data\Azureus
2006-09-02 02:54 -------- d-------- C:\Documents and Settings\Rowan Atkinson\Application Data\Canon
2006-08-10 15:58 30 --------- C:\WINDOWS\system32\wiudeyo.dll
2006-07-21 12:02 22763 ---hs---- C:\WINDOWS\system32\rx.dll
2006-07-21 10:03 81920 --a------ C:\WINDOWS\system32\Packet.dll
2006-07-21 10:03 61440 --a------ C:\WINDOWS\system32\WanPacket.dll
2006-07-19 21:12 47104 ---hs---- C:\WINDOWS\vmmreg.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ZingSpooler"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"TPP Auto Loader"="C:\\WINDOWS\\tppaldr.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"ctfmon"="C:\\WINDOWS\\ctfmon.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"R"="C:\\WINDOWS\\system32\\rundll32.exe ctfmon.dll s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,a2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{3FDEB171-8F86-4669-B664-69B8DB553688}"=""
"{CF49F9F2-A8D3-464F-83EC-6AFC6573C267}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=""
"{C9953583-932E-4EA1-A04B-4523AAB72C30}"=""
"{C54B4DFB-7A2B-6C3E-BA4D-C20F0294B712}"=""
"{08315C1A-9BA9-4B7C-A432-26885F78DF28}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"CheckFaultKernel"="C:\\WINDOWS\\system32\\mswdm.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DVDBurn"="{790448C3-4239-45AF-C98B-367991A8B103}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\GStartup.lnk"
"backup"="C:\\WINDOWS\\pss\\GStartup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\GMT\\GMT.exe /startup"
"item"="GStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Palm\\HOTSYNC.EXE "
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SONYHA~1\\HOTSYNC.EXE "
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^iMesh.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\iMesh.lnk"
"backup"="C:\\WINDOWS\\pss\\iMesh.lnkStartup"
"location"="Startup"
"command"="D:\\PROGRA~1\\iMesh\\Client\\IMESHC~1.EXE -s"
"item"="iMesh"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^StarOffice 7.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\StarOffice 7.lnk"
"backup"="C:\\WINDOWS\\pss\\StarOffice 7.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\STAROF~1\\program\\QUICKS~1.EXE "
"item"="StarOffice 7"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\WinMySQLadmin.lnk"
"backup"="C:\\WINDOWS\\pss\\WinMySQLadmin.lnkStartup"
"location"="Startup"
"command"="D:\\PROGRA~1\\mysql\\bin\\WINMYS~1.EXE "
"item"="WinMySQLadmin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acemapi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Heart Keep"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\ROWANA~1\\APPLIC~1\\DRAWTI~1\\Heart Keep.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bagsfasttestsettings]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BatItch"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\balm find bags fast\\BatItch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disc Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CtNotify"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BJPSMAIN"
"hkey"="HKLM"
"command"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EbatesMoeMoneyMaker0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Ebates_MoeMoneyMaker\\EbatesMoeMoneyMaker0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foroptionuserinternet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ooze mags"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\Knobdentforoption\\ooze mags.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="d:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iedemo"
"hkey"="HKLM"
"command"="C:\\Program Files\\Internet Explorer\\iedemo.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kuro_M7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"d:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msbb"
"hkey"="HKLM"
"command"="c:\\program files\\180solutions\\msbb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSNShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnshell"
"hkey"="HKLM"
"command"="D:\\Program Files\\msnshell\\msnshell.exe autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,NewDotNetStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Thunder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ThunderShell"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Thunder Network\\Thunder\\ThunderShell.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Popup Blocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ultimate Pop-up Blocker"
"hkey"="HKCU"
"command"="C:\\Program Files\\Ultimate Pop-up Blocker\\Ultimate Pop-up Blocker.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wjftgwd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vnxzxhbx"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\vnxzxhbx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VKTServ"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A3253755919AA74D.job
C:\WINDOWS\tasks\A40570699192EAB1.job
C:\WINDOWS\tasks\A6D3B6CD91E034F9.job
C:\WINDOWS\tasks\A7DDE98B90C69BAB.job
C:\WINDOWS\tasks\AA8FB84591F428E9.job
C:\WINDOWS\tasks\AE11E3F0918E9788.job
C:\WINDOWS\tasks\AF8DDEEF91A252AF.job
C:\WINDOWS\tasks\B83A71BD9009E4ED.job

Completion time: 06-10-18 23:07:30.25
C:\ComboFix.txt ... 06-10-18 23:07





My first page is still www.9505.com. Evil Chinese virus.


Thanks
ZJ

#14 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 October 2006 - 10:14 AM

Hi zhijie, :thumbsup:

What about a firewall? I still don't see one! See my previous post for more information.

My first page is still www.9505.com. Evil Chinese virus.


Let's start with your last remark.

1. Go to C:\WINDOWS\SYSTEM32\DRIVERS\ETC

See that HOSTS file in there? Open it with notepad.

Delete EVERYTHING in there.

Then, create a line that says:

127.0.0.1 localhost

just like that. Save the file (with no .TXT extension).

2. Click on Start, Settings, Control Panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following program if listed:

EbatesMoeMoneyMaker
New.net Startup; anything with new.net
Gator
Internet optimizer
180solutions


3. Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

4. Open Notepad and copy and paste the following text in the quotebox into it:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{3FDEB171-8F86-4669-B664-69B8DB553688}]

[-HKEY_CLASSES_ROOT\CLSID\{CF49F9F2-A8D3-464F-83EC-6AFC6573C267}]

[-HKEY_CLASSES_ROOT\CLSID\{C9953583-932E-4EA1-A04B-4523AAB72C30}]

[-HKEY_CLASSES_ROOT\CLSID\{C54B4DFB-7A2B-6C3E-BA4D-C20F0294B712}]

[-HKEY_CLASSES_ROOT\CLSID\{08315C1A-9BA9-4B7C-A432-26885F78DF28}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3FDEB171-8F86-4669-B664-69B8DB553688}"=-
"{CF49F9F2-A8D3-464F-83EC-6AFC6573C267}"=-
"{C9953583-932E-4EA1-A04B-4523AAB72C30}"=-
"{C54B4DFB-7A2B-6C3E-BA4D-C20F0294B712}"=-
"{08315C1A-9BA9-4B7C-A432-26885F78DF28}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"CheckFaultKernel"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acemapi]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bagsfasttestsettings]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foroptionuserinternet]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wjftgwd]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

5. Download, install, and update AVG Anti-Spyware 7.5

1. Save the installer to desktop
2. Double click the installer, select your language, and then select OK
3. Click NEXT>>Do or don't read the "User License Agreement"
Select I Agree>>>NEXT>>>INSTALL
4. AVG will now install and afterwards click FINISH
5. AVG Anti-Spyware 7.5 should now Load
6. Click the Update tab at the top. Under Manual Update click Start update.
7. After the update finishes (the status bar at the bottom will display "Update successful")
8. Close AVG Anti-Spyware 7.5. Do not run it yet.

6. Make sure you can view all files. Click Start > My Computer > Tools > Folder Options > View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" > Apply, then OK.

7. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

8. Using Windows Explorer, please delete the following folders in bold if listed:

C:\DOCUME~1\ROWANA~1\APPLIC~1\DRAWTI~1<<Folder name will begin with DRAWTI
C:\Documents and Settings\All Users\Application Data\balm find bags fast
C:\Program Files\Ebates_MoeMoneyMaker
C:\Documents and Settings\All Users\Application Data\Knobdentforoption
C:\Program Files\Internet Optimizer
c:\program files\180solutions
C:\PROGRA~1\NEWDOT~1<<Look for NEWDOTNET

.......... and files in bold if listed:

C:\WINDOWS\system32\wiudeyo.dll
C:\WINDOWS\system32\rx.dll
C:\WINDOWS\vmmreg.dll
C:\WINDOWS\ctfmon.exe<< Don't delete the legit one which is in C:\WINDOWS\system32
C:\WINDOWS\system32\ctfmon.dll
C:\PROGRA~1\COMMON~1\GMT\GMT.exe<<Find it in Program Files\Common Files
C:\Program Files\Internet Explorer\iedemo.exe
C:\WINDOWS\System32\vnxzxhbx.exe
C:\WINDOWS\tasks\A3253755919AA74D.job
C:\WINDOWS\tasks\A40570699192EAB1.job
C:\WINDOWS\tasks\A6D3B6CD91E034F9.job
C:\WINDOWS\tasks\A7DDE98B90C69BAB.job
C:\WINDOWS\tasks\AA8FB84591F428E9.job
C:\WINDOWS\tasks\AE11E3F0918E9788.job
C:\WINDOWS\tasks\AF8DDEEF91A252AF.job
C:\WINDOWS\tasks\B83A71BD9009E4ED.job

9.
  • Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and Uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
10. Run ComboFix once more and post the log in your next reply.

Please reboot to go back into Normal mode and post the ComboFix report along with the AVG Anti-Spyware report and a fresh HijackThis log.
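An added triage script, not code from this thread, ComboFix or HijackThis, that applies the reasoning behind steps 1 and 4 above to a ComboFix-style "Reg Loading Points" dump and a HOSTS file: it parses the regedit export format, flags unnamed ShellExecuteHooks other than the Windows URL Exec Hook GUID the fix leaves in place, Run values under policies\explorer, rundll32 autostarts, and the same executable name launched from two different directories (the two ctfmon.exe entries), and lists HOSTS lines other than the loopback localhost entries. The sample dump is constructed from entries in the log above; the rule names and the hook allowlist are this example's own choices.

```python
"""Triage for a regedit-style 'Reg Loading Points' dump (the format ComboFix prints) and a
HOSTS file. Added example for this thread: not code from ComboFix, HijackThis or the posters."""
import re

# Windows' own URL Exec Hook: the one unnamed ShellExecuteHook the fix above leaves in place.
KNOWN_HOOKS = {"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"}
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
POLICY_RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
                   r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run")
HOOK_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"

# Constructed sample, trimmed from the 'Reg Loading Points' entries in the log above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ctfmon"="C:\\WINDOWS\\ctfmon.exe"
"R"="C:\\WINDOWS\\system32\\rundll32.exe ctfmon.dll s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{3FDEB171-8F86-4669-B664-69B8DB553688}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"CheckFaultKernel"="C:\\WINDOWS\\system32\\mswdm.exe"
'''

def parse_reg_export(text):
    """Parse regedit 5.00 export text into {key_path_lowercased: {value_name: raw_value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""   # join hex values wrapped with a trailing backslash
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif line.endswith("\\"):
            pending = line[:-1]
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def unquote(value):
    """Plain text of a quoted REG_SZ value (backslash escapes removed); other types pass through."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value

def exe_path(cmd):
    """Best-effort path of the program a Run command launches (quoted path or first .exe token)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]

def triage(keys):
    """Return (rule, key, value_name, detail) tuples that deserve a human look."""
    findings = []
    for name, value in keys.get(HOOK_KEY, {}).items():
        if unquote(value) == "" and name not in KNOWN_HOOKS:
            findings.append(("unnamed ShellExecuteHook", HOOK_KEY, name, ""))
    for key in POLICY_RUN_KEYS:          # an autostart location most users never look at
        for name, value in keys.get(key, {}).items():
            findings.append(("policies\\explorer\\Run autostart", key, name, unquote(value)))
    by_base = {}
    for key in RUN_KEYS:
        for name, value in keys.get(key, {}).items():
            cmd = unquote(value)
            if "rundll32" in cmd.lower():   # e.g. rundll32.exe ctfmon.dll: a DLL behind a host process
                findings.append(("rundll32 autostart", key, name, cmd))
            path = exe_path(cmd)
            by_base.setdefault(path.rsplit("\\", 1)[-1].lower(), []).append((key, name, path))
    for entries in by_base.values():      # same file name launched from two directories
        if len({p.lower() for _, _, p in entries}) > 1:
            findings.extend(("same exe name from different paths", k, n, p) for k, n, p in entries)
    return findings

def hosts_anomalies(text):
    """HOSTS lines other than comments and the loopback 'localhost' entries, whitespace-normalised."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts not in (["127.0.0.1", "localhost"], ["::1", "localhost"]):
            out.append(" ".join(parts))
    return out
```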

#15 zhijie

  • Topic Starter
  • Members
  • 41 posts

Posted 23 October 2006 - 09:18 AM

Hi hi,

Here's my AVG scan
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:18:48 AM 10/23/2006

+ Scan result:



HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Rowan Atkinson\Cookies\rowan atkinson@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{773E1770-756D-4B9C-8C25-CE0152673C5E}\RP648\A0203882.dll -> Trojan.Gamania : Cleaned with backup (quarantined).


::Report end




Here's my HijackThis report
Logfile of HijackThis v1.99.1
Scan saved at 10:11:57 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\NUS-VPN\cvpnd.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\Alias\Maya6.5\docs\wrapper.exe
E:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
D:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\Tablet.exe
D:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Rowan Atkinson\Desktop\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\NUS-VPN\vpngui.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Sothink SWF Decompiler - d:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137948483000
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B10E9E2-E051-470C-B276-A9E05999E333}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: DVDBurn - {790448C3-4239-45AF-C98B-367991A8B103} - C:\WINDOWS\Downloaded Program Files\AfxEdit.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "D:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\NUS-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - E:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "E:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "D:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - D:/Program Files/mysql/bin/mysqld-nt.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - d:\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)



Finally, here's my ComboFix report.

Rowan Atkinson - 06-10-22 21:28:06.25 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Rowan Atkinson\Desktop\file"

((((((((((((((((((((((((((((((( Files Created from 2006-09-22 to 2006-10-22 ))))))))))))))))))))))))))))))))))


2006-10-22 15:44 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-22 15:40 131,482,660 --a------ C:\backup.reg
2006-10-07 15:45 42,231 --a------ C:\wz041.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-22 16:12 -------- d-------- C:\Program Files\Internet Explorer
2006-10-11 21:46 -------- d-------- C:\Program Files\Java
2006-09-13 21:10 -------- d-------- C:\Documents and Settings\Rowan Atkinson\Application Data\Azureus
2006-09-02 02:54 -------- d-------- C:\Documents and Settings\Rowan Atkinson\Application Data\Canon


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ZingSpooler"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"TPP Auto Loader"="C:\\WINDOWS\\tppaldr.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"d:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,a2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DVDBurn"="{790448C3-4239-45AF-C98B-367991A8B103}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Palm\\HOTSYNC.EXE "
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SONYHA~1\\HOTSYNC.EXE "
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^iMesh.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\iMesh.lnk"
"backup"="C:\\WINDOWS\\pss\\iMesh.lnkStartup"
"location"="Startup"
"command"="D:\\PROGRA~1\\iMesh\\Client\\IMESHC~1.EXE -s"
"item"="iMesh"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^StarOffice 7.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\StarOffice 7.lnk"
"backup"="C:\\WINDOWS\\pss\\StarOffice 7.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\STAROF~1\\program\\QUICKS~1.EXE "
"item"="StarOffice 7"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rowan Atkinson^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
"path"="C:\\Documents and Settings\\Rowan Atkinson\\Start Menu\\Programs\\Startup\\WinMySQLadmin.lnk"
"backup"="C:\\WINDOWS\\pss\\WinMySQLadmin.lnkStartup"
"location"="Startup"
"command"="D:\\PROGRA~1\\mysql\\bin\\WINMYS~1.EXE "
"item"="WinMySQLadmin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disc Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CtNotify"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BJPSMAIN"
"hkey"="HKLM"
"command"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="d:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kuro_M7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"d:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSNShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnshell"
"hkey"="HKLM"
"command"="D:\\Program Files\\msnshell\\msnshell.exe autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Thunder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ThunderShell"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Thunder Network\\Thunder\\ThunderShell.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Popup Blocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ultimate Pop-up Blocker"
"hkey"="HKCU"
"command"="C:\\Program Files\\Ultimate Pop-up Blocker\\Ultimate Pop-up Blocker.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VKTServ"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A3253755919AA74D.job
C:\WINDOWS\tasks\A40570699192EAB1.job
C:\WINDOWS\tasks\A6D3B6CD91E034F9.job
C:\WINDOWS\tasks\A7DDE98B90C69BAB.job
C:\WINDOWS\tasks\AA8FB84591F428E9.job
C:\WINDOWS\tasks\AE11E3F0918E9788.job
C:\WINDOWS\tasks\AF8DDEEF91A252AF.job
C:\WINDOWS\tasks\B83A71BD9009E4ED.job

Completion time: 06-10-22 21:30:40.76
C:\ComboFix.txt ... 06-10-22 21:30
C:\ComboFix2.txt ... 06-10-18 23:07



Seems like all is fixed. Thanks, thanks man.