Win32.Agent.akv virus/spyware


  • This topic is locked
42 replies to this topic

#1 swop

swop

    Member

  • Full Member
  • 21 posts

Posted 30 May 2007 - 06:11 AM

Hi,

I've been recently infected and despite my best attempt with Kaspersky Anti-Virus & Spybot, it simply wouldn't seem to go. Previously, I was infected with sunny.exe (which seems to me to be a China-virus as I got it after my Chinese friend passed me his thumbdrive), and as I was trying to clean it, I got infected with more spyware. Kaspersky Anti-Virus always seems to detect and delete the file (c:\windows\system32\manager.dll), but after rebooting it would still resurface. I scanned with Panda Antivirus and it detected no spyware. However, after rebooting, Kaspersky warned about the Agent.akv virus again.

Really appreciate your help here.

Hijack log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:47:59 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kangming.lan.2003\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.c...esearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pccw.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intra.pcpd.com;intra.pccw.com;<local>
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [Anti-Spy Tools] C:\Documents and Settings\kangming.lan.2003\Desktop\ast\AST.exe -min
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177574774078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177574766890
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 13485 bytes
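The helpers here read a log like this by eye, but the first-pass checks they apply can be written down. The Python script below is an added example, not part of this thread or of HijackThis: its heuristics (which hosts count as default search pages, which autorun paths are unusual, which line types get a second look) are this example's own choices, and the sample lines are copied from the log above, including the forum's "..." shortening of long URLs, which the host check tolerates by comparing only the prefix before the ellipsis. On that sample it reports the client.jogo.c... search assistant, the hosts override, the orphaned BHO, the AST.exe autorun on the Desktop, the CDNCLIENT options group, the NanoScan ActiveX download and the WinPcap rpcapd service with no vendor name; the Kaspersky entries pass.

```python
"""Triage of a HijackThis log: flag entry types that commonly carry hijacks.

Added example for this thread; not part of HijackThis or the helpers' tooling.
The heuristics are this example's own, and the sample lines are copied from
the log posted above (forum software shortened long URLs with "...").
"""
import re
from collections import Counter

# Hosts treated as default search/start pages; anything else in an R0/R1 URL
# entry is reported for review. (Assumption of this example.)
DEFAULT_SEARCH_HOSTS = ("go.microsoft", "www.microsoft", "www.google")

# An autorun whose image lives under a user profile is unusual for software
# that was installed normally, so it is reported for review.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")


def _host_prefix(url):
    """Host part of a URL; only the text before any '...' truncation is kept."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return no_scheme.split("/")[0].split("...")[0].lower()


def classify(line):
    """Return (category, reason) for a line worth reviewing, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    lower = body.lower()

    if kind in ("R0", "R1") and " = http" in lower:
        host = _host_prefix(body.split(" = ", 1)[1])
        if not host.startswith(DEFAULT_SEARCH_HOSTS):
            return ("browser-hijack", f"search/start page points at {host}")
    elif kind == "O1":
        return ("hosts-tamper", "hosts file overrides a public host name")
    elif kind == "O2" and "(no file)" in lower:
        return ("orphan-bho", "BHO CLSID registered but its DLL is missing")
    elif kind == "O4" and any(mark in lower for mark in USER_PROFILE_MARKERS):
        return ("user-profile-autorun", "autorun image lives under a user profile")
    elif kind == "O11":
        return ("ie-options-group", "third-party Internet Options group")
    elif kind == "O16":
        return ("activex-download", "DPF ActiveX download; verify the source host")
    elif kind == "O23" and "unknown owner" in lower:
        return ("unknown-service", "service binary carries no vendor information")
    return None


def triage(log_text):
    """Scan a whole log and return the flagged entries in log order."""
    flagged = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            flagged.append({"category": hit[0], "reason": hit[1], "line": line.strip()})
    return flagged


def summary(log_text):
    """Count flagged entries per category."""
    return dict(Counter(f["category"] for f in triage(log_text)))


# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.c...esearch-en.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pccw.com:8080
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Anti-Spy Tools] C:\Documents and Settings\kangming.lan.2003\Desktop\ast\AST.exe -min
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"[{entry['category']}] {entry['reason']}\n    {entry['line']}")
    print(summary(SAMPLE_LOG))
```

Every flag is a prompt to review, not a verdict: rpcapd is WinPcap's remote capture daemon, and the O1 entries point alcohol-soft.com names at a loopback address rather than at a hostile one, so a person still decides what gets fixed.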

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 01 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 02 June 2007 - 04:18 AM

Hi,

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 swop

swop

    Member

  • Full Member
  • 21 posts

Posted 03 June 2007 - 01:11 PM

Hi Jedi,

Thanks so much for your help. Below is the log file.

"kangming.lan.2003" - 2007-06-04 1:34:39 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\kangming.lan.2003\Desktop\"

/wow section - STAGE #1

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\0.txt"
"C:\WINDOWS\system32\1.txt"
"C:\WINDOWS\system32\packet.dll"
"C:\WINDOWS\system32\pthreadVC.dll"
"C:\WINDOWS\system32\wpcap.dll"
"C:\WINDOWS\system32\cdnprot.dat"
"C:\WINDOWS\system32\mprmsgse.axz"
"C:\WINDOWS\system32\mscpx32r.det"
"C:\WINDOWS\system32\drivers\npf.sys"
"C:\WINDOWS\temp\cache"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACPIDISK
-------\LEGACY_CDNPROT
-------\LEGACY_MEDIE_SARIEL_NUMBER_SERVICES
-------\NPF


((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-01 10:44 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\dvdcss
2007-05-31 19:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-05-30 10:14 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-05-30 01:25 83,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-30 01:25 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-05-30 01:25 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-30 01:25 7,494,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-30 01:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-05-30 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-30 01:17 <DIR> d-------- C:\KAV
2007-05-29 23:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-22 21:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 16:37 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\U3
2007-05-15 12:05 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-15 12:05 <DIR> d-------- C:\Program Files\Monarch
2007-05-15 12:05 <DIR> d-------- C:\Program Files\Common Files\Datawatch Shared
2007-05-14 07:44 34,661 --a------ C:\WINDOWS\system32\MSVCRED.DLL
2007-05-14 07:44 226,816 --a------ C:\WINDOWS\system32\MPCNES4.DLL
2007-05-14 07:44 182,272 --a------ C:\WINDOWS\system32\NNOTEPAD.EXE
2007-05-14 07:44 <DIR> d-------- C:\WINDOWS\speech
2007-05-12 22:47 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-12 22:47 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-12 22:47 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-12 22:47 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-12 22:47 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-12 22:47 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-12 22:47 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-12 22:46 91,392 --a------ C:\WINDOWS\system32\drivers\P1171Vid.sys
2007-05-12 22:46 81,920 --a------ C:\WINDOWS\CtDrvIns.exe
2007-05-12 22:46 69,632 --a------ C:\WINDOWS\system32\P1171Sti.dll
2007-05-12 22:46 65,536 --a------ C:\WINDOWS\system32\CtCamMgr.dll
2007-05-12 22:46 57,344 --a------ C:\WINDOWS\system32\P1171Hwx.dll
2007-05-12 22:46 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-12 22:46 36,864 --a------ C:\WINDOWS\system32\P1171Pin.dll
2007-05-12 22:46 20,480 --a------ C:\WINDOWS\system32\P1171Srv.exe
2007-05-12 22:46 20,480 --a------ C:\WINDOWS\P1171Cfg.exe
2007-05-12 22:46 126,976 --a------ C:\WINDOWS\system32\P1171Vfw.dll
2007-05-12 22:46 <DIR> d-------- C:\WCamNbook
2007-05-12 22:30 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Creative
2007-05-12 22:10 24,576 --a------ C:\WINDOWS\system32\V0250Aor.dll
2007-05-12 22:10 <DIR> d-------- C:\WINDOWS\CtDrvInstall
2007-05-12 22:10 <DIR> d-------- C:\Program Files\Creative
2007-05-12 22:09 <DIR> d-------- C:\Live! Cam
2007-05-09 20:22 299,008 --a------ C:\WINDOWS\uninst.exe
2007-05-09 20:22 <DIR> d-------- C:\Documents and Settings\kangming.lan.2003\WINDOWS
2007-05-09 20:22 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\WINDOWS
2007-05-09 19:58 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-05-09 19:22 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-05-09 19:21 77,824 --a------ C:\WINDOWS\system32\fun_mp4_dec.dll
2007-05-09 19:21 684,032 --a------ C:\WINDOWS\system32\fun_mp4_enc.dll
2007-05-09 19:21 2,729,472 --a------ C:\WINDOWS\system32\fun_avcodec.dll
2007-05-09 19:21 <DIR> d-------- C:\WINDOWS\system32\Samsung PC Studio Codecs
2007-05-09 19:21 <DIR> d-------- C:\Program Files\Samsung
2007-05-09 19:19 <DIR> d-------- C:\Documents and Settings\kangming.lan.2003\Bluetooth Software
2007-05-09 19:19 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\Bluetooth Software
2007-05-06 23:36 <DIR> d-------- C:\Program Files\Gabest
2007-05-06 12:17 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 17:33:04 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Skype
2007-06-03 15:11:13 -------- d-----w C:\Program Files\eMule
2007-06-01 18:39:39 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Hamachi
2007-05-30 02:42:22 -------- d-----w C:\Program Files\Windows Defender
2007-05-30 02:41:59 -------- d-----w C:\Program Files\SMU-VPN
2007-05-30 02:40:42 -------- d-----w C:\Program Files\palmOne
2007-05-30 02:37:06 -------- d-----w C:\Program Files\Launch Manager
2007-05-30 02:34:56 -------- d-----w C:\Program Files\Google
2007-05-29 17:03:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 16:51:08 -------- d-----w C:\Program Files\Real Alternative
2007-05-29 16:50:27 -------- d-----w C:\Program Files\PowerISO
2007-05-17 07:55:07 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-05-12 13:17:54 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Screenshot Sender
2007-05-06 04:23:54 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-05-05 14:42:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-05-05 04:10:28 -------- d-----w C:\Program Files\TTPlayer
2007-05-04 16:36:02 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-02 13:09:00 -------- d-----w C:\Program Files\QuickTime
2007-05-02 12:55:54 -------- d-----w C:\Program Files\Apple Software Update
2007-04-30 01:53:38 -------- d-----w C:\Program Files\Joost
2007-04-30 01:53:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Joost
2007-04-30 00:31:20 -------- d-----w C:\Program Files\BinarySense
2007-04-29 14:26:39 -------- d-----w C:\Program Files\PowerPlugs
2007-04-28 08:09:06 -------- d--h--r C:\DOCUME~1\KANGMI~1.200\APPLIC~1\SecuROM
2007-04-28 03:52:59 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-04-27 02:50:40 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Real
2007-04-27 02:43:19 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Ahead
2007-04-27 02:30:21 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-27 02:27:58 -------- d-----w C:\Program Files\Nero
2007-04-27 01:38:17 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Media Player Classic
2007-04-26 20:14:58 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-04-26 19:47:08 22,832 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-26 19:16:00 -------- d-----w C:\Program Files\acer
2007-04-26 19:12:56 -------- d-----w C:\Program Files\WIDCOMM
2007-04-26 19:10:20 17,119 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-04-26 19:08:08 -------- d-----w C:\Program Files\WinPCap
2007-04-26 19:06:04 -------- d-----w C:\Program Files\ATI Technologies
2007-04-26 17:38:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-26 16:01:46 -------- d-----w C:\Program Files\Picasa2
2007-04-26 15:54:02 -------- d-----w C:\Program Files\SlySoft
2007-04-26 15:35:23 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-26 15:35:20 -------- d-----w C:\Program Files\Alcohol Soft
2007-04-26 12:36:46 -------- d-----w C:\Program Files\Skype
2007-04-26 12:36:45 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-26 12:24:43 -------- d-----w C:\Program Files\Media Player Classic
2007-04-26 12:23:09 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\vlc
2007-04-26 11:52:49 -------- d-----w C:\Program Files\Hamachi
2007-04-26 11:52:14 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-26 11:47:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\WinRAR
2007-04-26 11:36:24 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Apple Computer
2007-04-26 11:36:17 -------- d-----w C:\Program Files\iTunes
2007-04-26 11:36:04 -------- d-----w C:\Program Files\iPod
2007-04-26 11:30:40 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Leadertech
2007-04-26 11:23:53 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\HotSync
2007-04-26 11:23:48 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-04-26 11:23:47 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-04-26 11:17:57 -------- d-----w C:\Program Files\VideoLAN
2007-04-26 11:09:49 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8413.sys
2007-04-26 11:09:49 643,072 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-26 10:03:29 -------- d-----w C:\Program Files\Microsoft Works
2007-04-26 10:00:13 -------- d-----w C:\Program Files\Messenger
2007-04-26 09:56:06 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-26 08:05:47 -------- d-----w C:\Program Files\BitComet
2007-04-26 05:30:14 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Google
2007-04-26 04:54:26 -------- d-----w C:\Program Files\Common Files\Deterministic Networks
2007-04-26 04:43:44 -------- d-----w C:\Program Files\Common Files\L&H
2007-04-26 04:43:29 -------- d-----w C:\Program Files\Microsoft.NET
2007-04-26 04:43:01 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-26 04:37:16 -------- d-----w C:\Program Files\CA
2007-04-26 02:57:14 471 ----a-w C:\WINDOWS\CLEANUP.CMD
2007-04-26 02:56:58 797 ----a-w C:\WINDOWS\HotFix.bat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 14:07:39 73,928 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-04-09 12:27:07 31,548 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2007-04-08 09:15:08 131,584 ----a-w C:\WINDOWS\system32\gc.dll
2007-04-01 12:34:21 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 11:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-03-14 11:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-03-09 11:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll [2007-04-29 17:29]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-04-26 13:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-08 21:05]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-03-28 18:04]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-24 09:13]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 12:00 C:\WINDOWS\system32\bthprops.cpl]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2005-09-05 11:43]
"eRecoveryService"="C:\Program Files\Acer\eRecovery\Monitor.exe" [2005-06-29 17:26]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-26 13:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11]
"Anti-Spy Tools"="C:\Documents and Settings\kangming.lan.2003\Desktop\ast\AST.exe" []
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-26 13:28]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"PCMService"="C:\Program Files\Arcade\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Realtime Monitor"=C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a92dfc6c-0801-11dc-a2c9-00c09f9d81cc}]
AutoRun\command- reper.exe


Contents of the 'Scheduled Tasks' folder
2007-05-23 09:04:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-03 17:47:58 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-03 17:53:50 C:\WINDOWS\tasks\User_Feed_Synchronization-{4217A364-9520-48AB-A3CC-B8E9740D0C55}.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 01:43:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-04 1:56:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-04 01:56

--- E O F ---
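One line in this ComboFix output fits the thumbdrive history from the first post: under mountpoints2, where Explorer caches the shell verbs it read from a volume's autorun.inf, one volume GUID carries an AutoRun\command of reper.exe. The Python script below is an added example, not ComboFix code: it parses a constructed autorun.inf for the commands the shell would hand over, extracts cached AutoRun handlers from Reg Loading Points text (quoted from the log above, GUID and the Windows Defender Run line included), correlates the two, and decodes the NoDriveTypeAutoRun policy bitmask, where 0xFF disables autorun for every drive type and a value such as 0x91 (assumed here for illustration, not read from the page) leaves removable and fixed drives enabled.

```python
"""Autorun artefacts behind the mountpoints2 entry in a ComboFix report.

Added example for this thread; it is not ComboFix code. The Reg Loading
Points excerpt is quoted from the log above (the volume GUID is the log's);
the autorun.inf is constructed to show what such an entry is cached from.
"""
import re

# Constructed autorun.inf of the kind found on an infected removable drive.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=reper.exe
shellexecute=reper.exe
shell\\open\\Command=reper.exe
shell\\explore\\Command=reper.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Reg Loading Points excerpt as ComboFix printed it in the post above.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a92dfc6c-0801-11dc-a2c9-00c09f9d81cc}]
AutoRun\command- reper.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"""

INF_EXEC_KEYS = ("open", "shellexecute")
INF_SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.I)
MP2_KEY_RE = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)

# NoDriveTypeAutoRun (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer):
# bit n set disables autorun for Win32 drive type n (DRIVE_REMOVABLE = 2, ...).
DRIVE_TYPES = {"removable": 2, "fixed": 3, "remote": 4, "cdrom": 5, "ramdisk": 6}


def autorun_inf_commands(inf_text):
    """Return [(key, command)] for every entry the shell would execute."""
    commands = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() in INF_EXEC_KEYS or INF_SHELL_CMD_RE.match(key):
            commands.append((key, value))
    return commands


def cached_autorun_handlers(combofix_text):
    """Return [(volume_guid, command)] for mountpoints2 AutoRun handlers."""
    handlers = []
    current = None
    for raw in combofix_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = MP2_KEY_RE.search(line)
            current = m.group(1) if m else None
            continue
        if current and line.lower().startswith("autorun\\command"):
            # ComboFix prints the value as "AutoRun\command- <command>"
            handlers.append((current, line.split("-", 1)[1].strip()))
    return handlers


def correlate(inf_text, combofix_text):
    """Commands present both in the autorun.inf and as a cached handler."""
    inf_cmds = {cmd.lower() for _, cmd in autorun_inf_commands(inf_text)}
    cached = {cmd for _, cmd in cached_autorun_handlers(combofix_text)}
    return sorted(cmd for cmd in cached if cmd.lower() in inf_cmds)


def autorun_still_enabled(no_drive_type_autorun):
    """Drive types on which autorun still runs under the given policy value."""
    return [name for name, bit in DRIVE_TYPES.items()
            if not no_drive_type_autorun & (1 << bit)]


if __name__ == "__main__":
    print("autorun.inf commands:", autorun_inf_commands(SAMPLE_AUTORUN_INF))
    print("cached handlers:", cached_autorun_handlers(SAMPLE_COMBOFIX))
    print("in both:", correlate(SAMPLE_AUTORUN_INF, SAMPLE_COMBOFIX))
    print("0x91 leaves autorun on for:", autorun_still_enabled(0x91))
    print("0xFF leaves autorun on for:", autorun_still_enabled(0xFF))
```

On a live machine the same data sits under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, so a cached AutoRun\command for a volume is worth checking whenever a removable drive is the suspected carrier; the policy value lives under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.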

#5 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 03 June 2007 - 02:54 PM

Hi,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#6 swop

swop

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 04 June 2007 - 12:42 PM

Hi,

This is the DrWeb log. However, there are no options to move the incurable files specifically, only a "move" function without specifying what kind of files.

A0010571.reg;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP69;Trojan.StartPage.1505;Deleted.;
A0010747.reg;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP72;Trojan.StartPage.1505;Deleted.;
A0012964.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP78;Adware.Cdn;Moved.;
A0013003.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013006.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013007.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013008.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013013.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013015.sys;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013016.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013018.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013020.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013021.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013025.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013026.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013027.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013029.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013030.exe;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013032.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013033.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013035.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013037.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013039.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013040.dll;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79;Adware.Cdn;Moved.;
A0013220.reg;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP81;Trojan.StartPage.1505;Deleted.;
A0015097.reg;C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP88;Trojan.StartPage.1505;Deleted.;

Thanks again.

#7 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 05 June 2007 - 11:10 AM

Hi again,

Ok, it's looking good, please post a new HiJackThis log, and let me know how your PC is performing now.

jedi

#8 swop

swop

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 05 June 2007 - 07:03 PM

Hi Jedi,

I did a HijackThis scan in normal boot-up and here's the report. However, upon booting up, Kaspersky reports that backdoor.win32.hupigon.aqy has been found and I chose to delete it. The system seems sluggish compared to before, but I'm not sure if it is due to Kaspersky's active scanning and protection.

Thanks again!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:56, on 2007-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Documents and Settings\kangming.lan.2003\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pccw.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intra.pcpd.com;intra.pccw.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [Anti-Spy Tools] C:\Documents and Settings\kangming.lan.2003\Desktop\ast\AST.exe -min
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177574774078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177574766890
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 12566 bytes

#9 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 06 June 2007 - 04:35 AM

Hi again,

Ok, let's run an on-line scan and see if it picks up any leftovers:

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi

#10 swop

swop

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 06 June 2007 - 06:17 PM

Hi,

I just finished the scan and it didn't pick up anything.

BitDefender Online Scanner - Real Time Virus Report

Generated at: Thu, Jun 07, 2007 - 07:10:53

--------------------------------------------------------------------------------

Scan Info
Scanned Files: 226124
Infected Files: 0

Virus Detected
No virus found.

Statistics
Time: 01:15:12
Files: 220976
Folders: 4976
Boot Sectors: 4
Archives: 11544
Packed Files: 17067

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 512060
Engine build: AVCORE v1.0 (build 2409) (i386) (May 9 2007 18:01:21)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

#11 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 07 June 2007 - 12:37 PM

Hi again,

Ok, it looks like Kaspersky is detecting this:

O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll

Please go here:
http://virusscan.jotti.org/
Browse to and upload this file:
C:\WINDOWS\system32\Manager.dll
and submit it.
Post the results here.

jedi
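A defender-side triage of the kind of entry jedi points at above, as an added example that is not part of the thread and not Trend Micro's code: it parses HijackThis-style lines (line shapes copied from the logs posted in this thread) and flags an AppInit_DLLs entry, an orphaned BHO, a Run entry launched from a user-writable path, and a service with no vendor information. The sample log it runs over is constructed.

```python
"""Triage a HijackThis log for persistence entries that deserve a second look.

Added example: the line formats follow the HijackThis v2 logs posted in this
thread; SAMPLE_LOG below is constructed, not a real machine's log.
"""
import re
from dataclasses import dataclass
from typing import List

# Line shapes as they appear in HijackThis v2 logs.
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
RE_O2 = re.compile(r"^O2 - BHO: (.+?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
RE_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Locations a standard user can write to; auto-run entries pointing there
# are unusual for software installed through a normal installer.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    detail: str    # the entry that was flagged
    reason: str    # why a defender should look at it


def _in_user_writable_path(command: str) -> bool:
    return any(marker in command.lower() for marker in USER_WRITABLE_MARKERS)


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order; lines that raise no concern are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_O20.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so the DLL comes back at each logon until the registry value
            # itself is cleared; deleting only the file on disk is not enough.
            findings.append(Finding("O20", m.group(1),
                                    "AppInit_DLLs injection; clear the value, not just the file"))
            continue
        m = RE_O2.match(line)
        if m and m.group(3).strip() == "(no file)":
            findings.append(Finding("O2", f"{m.group(1)} {{{m.group(2)}}}",
                                    "orphaned BHO registration; safe to remove"))
            continue
        m = RE_O4.match(line)
        if m and _in_user_writable_path(m.group(3)):
            findings.append(Finding("O4", f"[{m.group(2)}] {m.group(3)}",
                                    "auto-run from a user-writable location"))
            continue
        m = RE_O23.match(line)
        if m and m.group(2).strip().lower() == "unknown owner":
            findings.append(Finding("O23", f"{m.group(1)} -> {m.group(3)}",
                                    "service with no vendor information; verify the binary"))
    return findings


# Constructed sample, shaped like the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Anti-Spy Tools] C:\Documents and Settings\user\Desktop\ast\AST.exe -min
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\Manager.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.detail}\n     {f.reason}")
```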

#12 swop

swop

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 07 June 2007 - 07:12 PM

Hi,

Below are the results. Kaspersky deletes on every startup. Besides Trojan.Win32.Agent.akv, and the latest Backdoor.Win32.Hupigon.aqy, I'm also infected by Trojan-Downloader.Win32.Small.efu, Packed.Win32.PePatch.fy,

Scan taken on 08 Jun 2007 00:03:55 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Hupigon.aqy
Fortinet Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.Hupigon.aqy
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Here's my latest Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 08:07, on 2007-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Documents and Settings\kangming.lan.2003\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pccw.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intra.pcpd.com;intra.pccw.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [Anti-Spy Tools] C:\Documents and Settings\kangming.lan.2003\Desktop\ast\AST.exe -min
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177574774078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177574766890
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 13157 bytes

Thanks!

#13 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 08 June 2007 - 06:22 AM

Hi again,

Yes, it looks like there's more to go, please run ComboFix again, I need the log. Here's the download in case you deleted it.

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#14 swop

    Member

  • Full Member
  • 21 posts

Posted 08 June 2007 - 10:43 AM

Hi,

thanks for your help! :)

"kangming.lan.2003" - 2007-06-08 23:12:23 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\kangming.lan.2003\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 ))))))))))))))))))))))))))))))))))


2007-06-06 21:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-06 17:39 <DIR> d-------- C:\Program Files\iTunes
2007-06-06 17:39 <DIR> d-------- C:\Program Files\iPod
2007-06-04 14:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-06-04 01:56 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 10:44 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\dvdcss
2007-05-31 19:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-05-30 10:14 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-05-30 01:25 9,510,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-30 01:25 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-05-30 01:25 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-30 01:25 236,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-30 01:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-05-30 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-30 01:17 <DIR> d-------- C:\KAV
2007-05-29 23:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-22 21:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 16:37 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\U3
2007-05-15 12:05 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-15 12:05 <DIR> d-------- C:\Program Files\Monarch
2007-05-15 12:05 <DIR> d-------- C:\Program Files\Common Files\Datawatch Shared
2007-05-14 07:44 34,661 --a------ C:\WINDOWS\system32\MSVCRED.DLL
2007-05-14 07:44 226,816 --a------ C:\WINDOWS\system32\MPCNES4.DLL
2007-05-14 07:44 182,272 --a------ C:\WINDOWS\system32\NNOTEPAD.EXE
2007-05-14 07:44 <DIR> d-------- C:\WINDOWS\speech
2007-05-12 22:47 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-12 22:47 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-12 22:47 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-12 22:47 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-12 22:47 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-12 22:47 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-12 22:47 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-12 22:46 91,392 --a------ C:\WINDOWS\system32\drivers\P1171Vid.sys
2007-05-12 22:46 81,920 --a------ C:\WINDOWS\CtDrvIns.exe
2007-05-12 22:46 69,632 --a------ C:\WINDOWS\system32\P1171Sti.dll
2007-05-12 22:46 65,536 --a------ C:\WINDOWS\system32\CtCamMgr.dll
2007-05-12 22:46 57,344 --a------ C:\WINDOWS\system32\P1171Hwx.dll
2007-05-12 22:46 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-12 22:46 36,864 --a------ C:\WINDOWS\system32\P1171Pin.dll
2007-05-12 22:46 20,480 --a------ C:\WINDOWS\system32\P1171Srv.exe
2007-05-12 22:46 20,480 --a------ C:\WINDOWS\P1171Cfg.exe
2007-05-12 22:46 126,976 --a------ C:\WINDOWS\system32\P1171Vfw.dll
2007-05-12 22:46 <DIR> d-------- C:\WCamNbook
2007-05-12 22:30 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Creative
2007-05-12 22:10 24,576 --a------ C:\WINDOWS\system32\V0250Aor.dll
2007-05-12 22:10 <DIR> d-------- C:\WINDOWS\CtDrvInstall
2007-05-12 22:10 <DIR> d-------- C:\Program Files\Creative
2007-05-12 22:09 <DIR> d-------- C:\Live! Cam
2007-05-09 20:22 299,008 --a------ C:\WINDOWS\uninst.exe
2007-05-09 20:22 <DIR> d-------- C:\Documents and Settings\KANGMI~1.200\WINDOWS
2007-05-09 20:22 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\WINDOWS
2007-05-09 19:58 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-05-09 19:22 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-05-09 19:21 77,824 --a------ C:\WINDOWS\system32\fun_mp4_dec.dll
2007-05-09 19:21 684,032 --a------ C:\WINDOWS\system32\fun_mp4_enc.dll
2007-05-09 19:21 2,729,472 --a------ C:\WINDOWS\system32\fun_avcodec.dll
2007-05-09 19:21 <DIR> d-------- C:\WINDOWS\system32\Samsung PC Studio Codecs
2007-05-09 19:21 <DIR> d-------- C:\Program Files\Samsung
2007-05-09 19:19 <DIR> d-------- C:\Documents and Settings\KANGMI~1.200\Bluetooth Software
2007-05-09 19:19 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\Bluetooth Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 14:26:25 -------- d-----w C:\Program Files\eMule
2007-06-06 10:26:10 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Google
2007-06-06 10:24:00 -------- d-----w C:\Program Files\Google
2007-06-05 23:48:01 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Skype
2007-06-05 23:47:44 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Hamachi
2007-05-30 02:42:22 -------- d-----w C:\Program Files\Windows Defender
2007-05-30 02:41:59 -------- d-----w C:\Program Files\SMU-VPN
2007-05-30 02:40:42 -------- d-----w C:\Program Files\palmOne
2007-05-30 02:37:06 -------- d-----w C:\Program Files\Launch Manager
2007-05-29 17:03:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 16:51:08 -------- d-----w C:\Program Files\Real Alternative
2007-05-29 16:50:27 -------- d-----w C:\Program Files\PowerISO
2007-05-17 07:55:07 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-05-12 13:17:54 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Screenshot Sender
2007-05-06 15:36:17 -------- d-----w C:\Program Files\Gabest
2007-05-06 04:23:54 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-05-05 14:42:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-05-05 04:10:28 -------- d-----w C:\Program Files\TTPlayer
2007-05-04 16:36:02 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-02 13:09:00 -------- d-----w C:\Program Files\QuickTime
2007-05-02 12:55:54 -------- d-----w C:\Program Files\Apple Software Update
2007-04-30 01:53:38 -------- d-----w C:\Program Files\Joost
2007-04-30 01:53:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Joost
2007-04-30 00:31:20 -------- d-----w C:\Program Files\BinarySense
2007-04-29 14:26:39 -------- d-----w C:\Program Files\PowerPlugs
2007-04-28 08:09:06 -------- d--h--r C:\DOCUME~1\KANGMI~1.200\APPLIC~1\SecuROM
2007-04-28 03:52:59 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-04-27 02:50:40 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Real
2007-04-27 02:43:19 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Ahead
2007-04-27 02:30:21 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-27 02:27:58 -------- d-----w C:\Program Files\Nero
2007-04-27 01:38:17 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Media Player Classic
2007-04-26 20:14:58 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-04-26 19:47:08 22,832 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-26 19:16:00 -------- d-----w C:\Program Files\acer
2007-04-26 19:12:56 -------- d-----w C:\Program Files\WIDCOMM
2007-04-26 19:10:20 17,119 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-04-26 19:08:08 -------- d-----w C:\Program Files\WinPCap
2007-04-26 19:06:04 -------- d-----w C:\Program Files\ATI Technologies
2007-04-26 17:38:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-26 16:01:46 -------- d-----w C:\Program Files\Picasa2
2007-04-26 15:54:02 -------- d-----w C:\Program Files\SlySoft
2007-04-26 15:35:23 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-26 15:35:20 -------- d-----w C:\Program Files\Alcohol Soft
2007-04-26 12:36:46 -------- d-----w C:\Program Files\Skype
2007-04-26 12:36:45 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-26 12:24:43 -------- d-----w C:\Program Files\Media Player Classic
2007-04-26 12:23:09 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\vlc
2007-04-26 11:52:49 -------- d-----w C:\Program Files\Hamachi
2007-04-26 11:52:14 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-26 11:47:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\WinRAR
2007-04-26 11:36:24 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Apple Computer
2007-04-26 11:30:40 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Leadertech
2007-04-26 11:23:53 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\HotSync
2007-04-26 11:23:48 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-04-26 11:23:47 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-04-26 11:17:57 -------- d-----w C:\Program Files\VideoLAN
2007-04-26 11:09:49 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8413.sys
2007-04-26 11:09:49 643,072 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-26 10:03:29 -------- d-----w C:\Program Files\Microsoft Works
2007-04-26 10:00:13 -------- d-----w C:\Program Files\Messenger
2007-04-26 09:56:06 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-26 08:05:47 -------- d-----w C:\Program Files\BitComet
2007-04-26 04:54:26 -------- d-----w C:\Program Files\Common Files\Deterministic Networks
2007-04-26 04:43:44 -------- d-----w C:\Program Files\Common Files\L&H
2007-04-26 04:43:29 -------- d-----w C:\Program Files\Microsoft.NET
2007-04-26 04:43:01 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-26 04:37:16 -------- d-----w C:\Program Files\CA
2007-04-26 02:57:14 471 ----a-w C:\WINDOWS\CLEANUP.CMD
2007-04-26 02:56:58 797 ----a-w C:\WINDOWS\HotFix.bat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 14:07:39 73,928 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-04-09 12:27:07 31,548 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2007-04-08 09:15:08 131,584 ----a-w C:\WINDOWS\system32\gc.dll
2007-04-01 12:34:21 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-14 11:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-03-14 11:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-03-09 11:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll [2007-04-29 17:29]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-04-26 13:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-08 21:05]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-03-28 18:04]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-24 09:13]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 12:00 C:\WINDOWS\system32\bthprops.cpl]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2005-09-05 11:43]
"eRecoveryService"="C:\Program Files\Acer\eRecovery\Monitor.exe" [2005-06-29 17:26]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-26 13:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11]
"Anti-Spy Tools"="C:\Documents and Settings\kangming.lan.2003\Desktop\ast\AST.exe" []
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-26 13:28]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"PCMService"="C:\Program Files\Arcade\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Realtime Monitor"=C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a92dfc6c-0801-11dc-a2c9-00c09f9d81cc}]
AutoRun\command- reper.exe


Contents of the 'Scheduled Tasks' folder
2007-06-06 09:04:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-08 11:11:10 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-08 14:16:30 C:\WINDOWS\tasks\User_Feed_Synchronization-{4217A364-9520-48AB-A3CC-B8E9740D0C55}.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 23:15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-08 23:16:57
C:\ComboFix-quarantined-files.txt ... 2007-06-08 23:16
C:\ComboFix2.txt ... 2007-06-04 01:58

--- E O F ---

Edited by swop, 08 June 2007 - 10:44 AM.


#15 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 09 June 2007 - 03:44 AM

Hi again,

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a92dfc6c-0801-11dc-a2c9-00c09f9d81cc}]



Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Next:

Download GMER from here:
http://www.majorgeek...GMER_d5198.html

Unzip it to desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, apart from ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

jedi
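As an added example (not code from the thread, from ComboFix or from jedi), this is how the fix above can be derived from the ComboFix log: it pulls out every MountPoints2 key in the "Reg Loading Points" section that carries an AutoRun\command value, which is the registry trace Windows keeps of a removable drive's autorun.inf, and emits the same REGEDIT4 deletion text. The first sample entry is the one from the log; the second is a constructed placeholder.

```python
r"""Added example, not part of the thread and not ComboFix's own code.

Finds the HKCU ...\Explorer\MountPoints2\{guid} keys in the "Reg Loading
Points" section of a ComboFix log that carry an AutoRun\command value (the
trace left by a removable drive's autorun.inf, here reper.exe from the
infected thumbdrive) and emits the REGEDIT4 text jedi posted, one "[-KEY]"
line per key so Regedit deletes the whole key.  The first entry below is
copied from the thread; the second is CONSTRUCTED to show several entries.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a92dfc6c-0801-11dc-a2c9-00c09f9d81cc}]
AutoRun\command- reper.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
AutoRun\command- CONSTRUCTED_placeholder.exe
"""

# A MountPoints2 volume key, e.g. [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
MOUNTPOINT_KEY_RE = re.compile(
    r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# ComboFix prints the value as "AutoRun\command- <program>"
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(.+)$", re.IGNORECASE)


def find_autorun_mountpoints(log_text):
    r"""Return [(registry_key, autorun_command)] for every MountPoints2 key
    in the log that carries an AutoRun\command value."""
    found = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Any other key resets the context so its values are ignored.
            m = MOUNTPOINT_KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        m = AUTORUN_RE.match(line)
        if m and current_key:
            found.append((current_key, m.group(1).strip()))
    return found


def build_removal_reg(entries):
    """Build the .reg text that deletes each key ("[-KEY]" = delete key).
    REGEDIT4 files are plain ANSI text with CRLF line endings."""
    lines = ["REGEDIT4", ""]
    for key, _command in entries:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    entries = find_autorun_mountpoints(SAMPLE_LOG)
    for key, command in entries:
        print(f"# {command} <- {key}")
    # Redirect stdout to fix.reg to get the file jedi describes.
    print(build_removal_reg(entries), end="")
```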

#16 swop

    Member

  • Full Member
  • 21 posts

Posted 09 June 2007 - 03:41 PM

Hi Jedi,

Did what you advised and here's the result.

Thanks again! :)

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-10 04:34:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text NTOSKRNL.EXE!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP AAE4F3C0 \??\C:\WINDOWS\system32\drivers\klif.sys
.text NTOSKRNL.EXE!IoIsOperationSynchronous 804E8752 5 Bytes JMP AAE4C400 \??\C:\WINDOWS\system32\drivers\klif.sys
.text NTOSKRNL.EXE!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP AAE4BF00 \??\C:\WINDOWS\system32\drivers\klif.sys
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD8413.SYS The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 4309FF9F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 4309FF20 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 4309FF64 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 4309FEAC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 4309FEE6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 4309FFDA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F315D2 C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 867880E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 867880E8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_CREATE 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_CLOSE 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_READ 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_WRITE 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_DEVICE_CONTROL 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_INTERNAL_DEVICE_CONTROL 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_POWER 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_SYSTEM_CONTROL 85F264F8
Device \Driver\USBSTOR \Device\0000009e IRP_MJ_PNP 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_CREATE 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_CLOSE 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_READ 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_WRITE 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_DEVICE_CONTROL 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_INTERNAL_DEVICE_CONTROL 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_POWER 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_SYSTEM_CONTROL 85F264F8
Device \Driver\USBSTOR \Device\0000009f IRP_MJ_PNP 85F264F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FBFC65E1-61C6-41E7-A8D6-5DA3DCDD05BB} IRP_MJ_CREATE 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{FBFC65E1-61C6-41E7-A8D6-5DA3DCDD05BB} IRP_MJ_CLOSE 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{FBFC65E1-61C6-41E7-A8D6-5DA3DCDD05BB} IRP_MJ_DEVICE_CONTROL 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{FBFC65E1-61C6-41E7-A8D6-5DA3DCDD05BB} IRP_MJ_INTERNAL_DEVICE_CONTROL 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{FBFC65E1-61C6-41E7-A8D6-5DA3DCDD05BB} IRP_MJ_CLEANUP 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{FBFC65E1-61C6-41E7-A8D6-5DA3DCDD05BB} IRP_MJ_PNP 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9734B0-A3F6-4E12-B79E-C3B24F05D840} IRP_MJ_CREATE 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9734B0-A3F6-4E12-B79E-C3B24F05D840} IRP_MJ_CLOSE 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9734B0-A3F6-4E12-B79E-C3B24F05D840} IRP_MJ_DEVICE_CONTROL 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9734B0-A3F6-4E12-B79E-C3B24F05D840} IRP_MJ_INTERNAL_DEVICE_CONTROL 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9734B0-A3F6-4E12-B79E-C3B24F05D840} IRP_MJ_CLEANUP 8636A588
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9734B0-A3F6-4E12-B79E-C3B24F05D840} IRP_MJ_PNP 8636A588
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 867D3A40
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86572EB0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86572EB0
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 867D3A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP
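Every hook in the GMER log above points into klif.sys or kl1.sys, Kaspersky's own filter drivers on this machine, which is why the report shows no hidden activity. As an added example (not code from the thread or from GMER), the check below groups the kernel hooks in such a report by the module that owns them and flags any module missing from an allowlist; the allowlist itself and the CONSTRUCTED_unknown.sys line are assumptions made for the demonstration.

```python
r"""Added example, not part of the thread and not GMER's own code.

Groups the SSDT, Code and inline (.text ... JMP) kernel hooks in a GMER
report by the module that owns them and flags any hooking module that is
not on an allowlist.  The report excerpt below is copied from the thread,
plus one CONSTRUCTED line for a module that is not on the allowlist.
"""
import re
import ntpath
from collections import defaultdict

# Modules expected to hook the kernel on this machine (assumption: an
# allowlist should be confirmed against the vendor's signed driver files).
KASPERSKY_MODULES = {"klif.sys", "kl1.sys"}

SAMPLE_REPORT = r"""
---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\CONSTRUCTED_unknown.sys ZwOpenProcess

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess

---- Kernel code sections - GMER 1.0.12 ----

.text NTOSKRNL.EXE!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP AAE4F3C0 \??\C:\WINDOWS\system32\drivers\klif.sys
.text NTOSKRNL.EXE!IoIsOperationSynchronous 804E8752 5 Bytes JMP AAE4C400 \??\C:\WINDOWS\system32\drivers\klif.sys
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
"""

# "SSDT <module> <hooked service>" and "Code <module> <patched function>"
TABLE_RE = re.compile(r"^(SSDT|Code)\s+(\S+)\s+(\S+)$")
# ".text IMAGE!Func [+ off] addr N Bytes JMP addr <module>"
INLINE_RE = re.compile(
    r"^\.text\s+(\S+?)!(\w+)(?:\s+\+\s+[0-9A-F]+)?\s+[0-9A-F]+\s+\d+\s+Bytes"
    r"\s+JMP\s+[0-9A-F]+\s+(\S+)$")


def triage_gmer(report, trusted_modules):
    """Return (hooks_by_module, unexpected_modules).

    hooks_by_module maps a lower-cased module file name to the sorted list
    of functions it hooks; unexpected_modules lists hooking modules that
    are not in trusted_modules.  Lines that match neither pattern (headers,
    the '?' lines for files GMER could not read) are ignored.
    """
    hooks = defaultdict(set)
    for raw in report.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            _kind, module, func = m.groups()
            hooks[ntpath.basename(module).lower()].add(func)
            continue
        m = INLINE_RE.match(line)
        if m:
            image, func, module = m.groups()
            hooks[ntpath.basename(module).lower()].add(f"{image}!{func}")
    trusted = {t.lower() for t in trusted_modules}
    unexpected = sorted(mod for mod in hooks if mod not in trusted)
    return {mod: sorted(funcs) for mod, funcs in hooks.items()}, unexpected


if __name__ == "__main__":
    by_module, flagged = triage_gmer(SAMPLE_REPORT, KASPERSKY_MODULES)
    for mod, funcs in sorted(by_module.items()):
        print(f"{mod}: {len(funcs)} hook(s)")
    print("unexpected hooking modules:", flagged or "none")
```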

#17 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 09 June 2007 - 04:12 PM

Hi again,

Ok, no sign of any hidden activity. Can you do Start > Search > All Files/Folders, enter C:\WINDOWS\system32\Manager.dll and hit OK?
Let me know if that file still exists.

jedi

#18 swop

    Member

  • Full Member
  • 21 posts

Posted 11 June 2007 - 07:22 PM

Hi Jedi,

I couldn't find the file. Does that mean I'm cured? But what about the warning from Kaspersky then?

Thanks!

#19 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 12 June 2007 - 03:05 AM

Hi again,

Does that mean I'm cured?

Not necessarily, though I think maybe Kaspersky is picking up orphaned registry entries rather than active malware.

Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner click the Windows [tab]
Select the following:
[screenshot of the CCleaner options to select was posted here]
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit

Next:

Download RegSeeker from here:
http://www.snapfiles.../regseeker.html

Open RegSeeker.

Check the 'Backup before Deletion' box
Click on 'Clean the Registry'
Make sure all boxes except "Invalid Services (experimental)" are checked.
Click AutoClean and follow the prompts to allow it to run.
You will get a notification when AutoClean has run.
Exit RegSeeker.
Do not try to use any of the other functions on RegSeeker; it is a powerful program with the potential to damage your PC if used incorrectly.

Next:

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#20 swop

Posted 12 June 2007 - 08:43 PM

Hi,

Just got this from Kaspersky.

detected: Trojan program Backdoor.Win32.Hupigon.aqy File: C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL

Will perform what you asked me to later tonight. Thanks again. :)

#21 jedi

Posted 13 June 2007 - 05:00 AM

Ok, I'll look out for your post. Not sure about the SPUPDSVC.DLL file; on the surface it appears to be part of the Package Installer (formerly called Update.exe) for Microsoft Windows operating systems and Windows components.
http://www.microsoft...t/winupdte.mspx

Spupdsvc.exe
Windows service that runs after a reboot if the installation requires processes to be executed after a reboot.
All packages with [ProcessestoRun.AfterReboot] or [ProcessestoRunAfterUninstallReboot] sections in Update.inf

But let's see what the on-line scanner comes up with; it uses the same database as KAV.

jedi

#22 swop

Posted 13 June 2007 - 09:35 PM

Hi,

Here's the scan results.


Thanks again!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-06-14 10:28
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 324602
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
M:\

Scan Statistics:
Total number of scanned objects: 80093
Number of viruses found: 2
Number of infected objects: 33 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:18:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04262007-161441.log Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbdam Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbdao Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbeam Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbeao Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbm Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\fii.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\fiih.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\hp Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\rpm.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Google\Google Desktop\9072ca984757\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C288AD5E-4148-4AD3-AFAD-EA9FD8C06A0F} Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\History\History.IE5\MSHist012007061420070615\index.dat Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Temp\~DF7F.tmp Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Temp\~DF9438.tmp Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Temp\~DFF37C.tmp Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Temp\~DFFF28.tmp Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\kangming.lan.2003\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79\A0013053.sys Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP82\A0014431.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014453.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014461.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014486.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014503.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014529.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP84\A0014639.dll Infected: Trojan.Win32.Agent.akv skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015164.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015202.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015217.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015227.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015238.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0015399.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0015401.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0016407.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0016425.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0016427.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP92\A0024076.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP92\A0025067.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP92\A0025069.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP93\A0025148.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP93\A0025150.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP95\A0025245.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP95\A0025247.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP96\A0025376.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP96\A0025378.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025440.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025443.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025460.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025462.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025522.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025524.dll Infected: Backdoor.Win32.Hupigon.aqy skipped
C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CABB857E-56F0-4716-8F6A-1ED21BDD37EA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8413.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Emule\Temp\001.part Object is locked skipped
D:\Emule\Temp\002.part Object is locked skipped
D:\Emule\Temp\003.part Object is locked skipped
D:\Emule\Temp\004.part Object is locked skipped
D:\Emule\Temp\005.part Object is locked skipped
D:\Emule\Temp\006.part Object is locked skipped
D:\Emule\Temp\007.part Object is locked skipped
D:\Emule\Temp\008.part Object is locked skipped
D:\Emule\Temp\009.part Object is locked skipped
D:\Emule\Temp\010.part Object is locked skipped
D:\Emule\Temp\011.part Object is locked skipped
D:\Emule\Temp\012.part Object is locked skipped
D:\Emule\Temp\013.part Object is locked skipped
D:\Emule\Temp\014.part Object is locked skipped
D:\Emule\Temp\015.part Object is locked skipped
D:\Emule\Temp\016.part Object is locked skipped
D:\Emule\Temp\018.part Object is locked skipped
D:\Emule\Temp\019.part Object is locked skipped
D:\Emule\Temp\020.part Object is locked skipped
D:\Emule\Temp\021.part Object is locked skipped
D:\Emule\Temp\022.part Object is locked skipped
D:\Emule\Temp\023.part Object is locked skipped
D:\Emule\Temp\024.part Object is locked skipped
D:\Emule\Temp\025.part Object is locked skipped
D:\Emule\Temp\026.part Object is locked skipped
D:\Emule\Temp\027.part Object is locked skipped
D:\Emule\Temp\028.part Object is locked skipped
D:\Emule\Temp\029.part Object is locked skipped
D:\Emule\Temp\030.part Object is locked skipped
D:\Emule\Temp\031.part Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\change.log Object is locked skipped

Scan process completed.

#23 jedi

Posted 14 June 2007 - 04:08 AM

Hi again,

Ok, the infection is not active, but it remains in system restore, which means if you used system restore to roll back to an earlier time you would reinstall the infection, so:

Do Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.
After reboot, go back in and turn System Restore back on.
Then do Start > run and type in msconfig and hit OK. In the box that opens, click 'Launch System Restore' > Select 'Create a Restore Point' and follow the prompts to create a new restore point.

jedi
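The reasoning in the two jedi posts above (post #21: is the SPUPDSVC.DLL alert a real component or the backdoor; post #23: every hit in the online-scanner report sits under a System Restore point, so the infection is dormant rather than active) can be done mechanically over the report. The script below is an added example for this thread, not a tool from the original posts. It parses Kaspersky Online Scanner report lines of the form "<path> Infected: <name> <action>" / "<path> Object is locked skipped", splits detections into restore-point copies (`\System Volume Information\_restore{GUID}\RP<n>\`) and live files, and counts detection families in each bucket. The sample lines are constructed for the example: the restore-point lines follow the report format above, and the SYSTEM32\SPUPDSVC.DLL line is modelled on the real-time alert quoted in post #20 (the online scan itself reported no live hit).

```python
"""Triage Kaspersky Online Scanner report lines: is a detection live, or only
a copy that System Restore has tucked into a restore point?

Added example for this thread, not a tool from the original posts. The
SAMPLE_REPORT lines are constructed; see the comment on that list.
"""
import re
from collections import Counter

# One report line is "<path> <status>" where status is one of
#   "Object is locked skipped"
#   "Infected: <detection-name> <action>"
#   "Suspicious: <detection-name> <action>"
# Paths contain spaces, so the path is matched non-greedily and the
# status suffix anchors the end of the line.
_STATUS = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"(?P<locked>Object is locked)"
    r"|(?P<kind>Infected|Suspicious):\s+(?P<name>\S+)"
    r")\s+(?P<action>\S+)\s*$"
)

# Files copied into a restore point. XP stores them as
# _restore{<GUID>}\RP<n>\A<digits>.<ext>; a scanner can see them but, as the
# report's "skipped" column shows, cannot remove them.
_RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for a detection/locked-object line, or None for other text."""
    m = _STATUS.match(line.rstrip("\r\n"))
    if m is None:
        return None
    path = m.group("path")
    return {
        "path": path,
        "status": "locked" if m.group("locked") else m.group("kind").lower(),
        "name": m.group("name"),  # None for locked objects
        "action": m.group("action"),
        "in_restore_point": bool(_RESTORE_POINT.search(path)),
    }


def triage(lines):
    """Group report lines by where the object lives.

    'restore_point' entries are dormant copies (purged by turning System
    Restore off and on again); 'live' entries are files on the running
    system and mean the infection is still active; 'locked' entries are
    in-use files the scanner could not open, not detections.
    """
    out = {"live": [], "restore_point": [], "locked": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "locked":
            out["locked"].append(rec)
        elif rec["in_restore_point"]:
            out["restore_point"].append(rec)
        else:
            out["live"].append(rec)
    return out


def families(records):
    """Count detections by name within one triage bucket."""
    return Counter(r["name"] for r in records)


# Constructed sample. The restore-point lines follow the report format in
# this thread; the SPUPDSVC.DLL line is modelled on the KAV real-time alert
# quoted in post #20 and did not appear in the online-scanner report.
SAMPLE_REPORT = [
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79\A0013053.sys Infected: Trojan.Win32.Agent.akv skipped",
    r"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015164.dll Infected: Backdoor.Win32.Hupigon.aqy skipped",
    r"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\change.log Object is locked skipped",
    r"C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL Infected: Backdoor.Win32.Hupigon.aqy skipped",
    "Scan process completed.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("live", "restore_point"):
        print(f"{bucket}: {len(result[bucket])} -> {dict(families(result[bucket]))}")
        for r in result[bucket]:
            print("   ", r["path"])
    if result["live"]:
        print("Live detections present: the infection is active; purging restore points alone will not fix it.")
```

Run against the full report in post #22, every one of the 33 infected objects lands in the `restore_point` bucket and the `live` bucket is empty, which is the observation behind the "turn System Restore off and on" step. The constructed SPUPDSVC.DLL line shows the other outcome: a hit outside `_restore{...}` is a live file, and the fact that its name matches a legitimate Package Installer component says nothing either way; a live detection on a system-directory file has to be settled by the file's hash or signature, not its name.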

#24 swop

Posted 15 June 2007 - 06:02 AM

Hi Jedi,

Cleared my System Restore and created another restore point. However, Kaspersky still detects the virus.

Seems like this particular one is especially sticky.

Thanks again!

#25 jedi

Posted 15 June 2007 - 06:20 AM

Hi again,

Unzip this file to desktop:
[attachment=1685:attachment]
Double-click on delete.bat and post the report it produces here.
This file was made for swop's PC, if you are not swop, do not use it, it will not help and may damage your PC.

Next:

Run ComboFix again, I need to see the report, here's the download in case you've removed the tool:

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

jedi

#26 swop

Posted 16 June 2007 - 11:02 AM

Hi,

Here are the 2 reports that you required. I noticed that the deleter mentioned that the files that the deleter is supposed to delete cannot be found.

Meanwhile, Kaspersky continues to detect both Win32.Agent.akv and Backdoor.Win32.Hupigon.aqy.

I cannot thank you enough for your help thus far but still... thanks...

Delitor by wng_z3r0

Files to delete:
**************************
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP79\A0013053.sys "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP82\A0014431.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014453.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014461.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014486.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014503.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP83\A0014529.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP84\A0014639.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015164.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015202.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015217.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015227.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP89\A0015238.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0015399.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0015401.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0016407.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0016425.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP91\A0016427.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP92\A0024076.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP92\A0025067.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP92\A0025069.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP93\A0025148.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP93\A0025150.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP95\A0025245.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP95\A0025247.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP96\A0025376.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP96\A0025378.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025440.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025443.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025460.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025462.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025522.dll "
"C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP98\A0025524.dll "

END Files to delete:
**************************



Files remaining after deletion:
**************************

END of file:
**************************



"kangming.lan.2003" - 2007-06-16 23:44:05 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\kangming.lan.2003\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 ))))))))))))))))))))))))))))))))))


2007-06-14 21:15 <DIR> d-------- C:\WINDOWS\pss
2007-06-14 07:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-14 07:44 <DIR> d-------- C:\Program Files\CCleaner
2007-06-13 07:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-06-06 21:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-06 17:39 <DIR> d-------- C:\Program Files\iTunes
2007-06-06 17:39 <DIR> d-------- C:\Program Files\iPod
2007-06-04 14:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-06-04 01:56 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 10:44 <DIR> d-------- C:\DOCUME~1\KANGMI~1.200\APPLIC~1\dvdcss
2007-05-31 19:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-05-30 10:14 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-05-30 01:25 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-05-30 01:25 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-30 01:25 345,888 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-30 01:25 12,904,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-30 01:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-05-30 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-30 01:17 <DIR> d-------- C:\KAV
2007-05-29 23:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-22 21:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-16 15:34:37 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Skype
2007-06-16 15:21:43 -------- d-----w C:\Program Files\eMule
2007-06-06 10:26:10 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Google
2007-06-06 10:24:00 -------- d-----w C:\Program Files\Google
2007-06-05 23:47:44 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Hamachi
2007-05-30 02:42:22 -------- d-----w C:\Program Files\Windows Defender
2007-05-30 02:41:59 -------- d-----w C:\Program Files\SMU-VPN
2007-05-30 02:40:42 -------- d-----w C:\Program Files\palmOne
2007-05-30 02:37:06 -------- d-----w C:\Program Files\Launch Manager
2007-05-29 17:03:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 16:51:08 -------- d-----w C:\Program Files\Real Alternative
2007-05-29 16:50:27 -------- d-----w C:\Program Files\PowerISO
2007-05-17 07:55:07 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:28:41 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\U3
2007-05-15 04:05:23 -------- d-----w C:\Program Files\Common Files\Datawatch Shared
2007-05-15 04:05:20 -------- d-----w C:\Program Files\Monarch
2007-05-12 14:30:29 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Creative
2007-05-12 14:22:29 -------- d-----w C:\Program Files\Creative
2007-05-12 13:17:54 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Screenshot Sender
2007-05-09 11:57:19 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2007-05-09 11:21:17 -------- d-----w C:\Program Files\Samsung
2007-05-06 15:36:17 -------- d-----w C:\Program Files\Gabest
2007-05-06 04:23:54 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-05-05 14:42:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-05-05 04:10:28 -------- d-----w C:\Program Files\TTPlayer
2007-05-04 16:36:02 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-02 13:09:00 -------- d-----w C:\Program Files\QuickTime
2007-05-02 12:55:54 -------- d-----w C:\Program Files\Apple Software Update
2007-04-30 01:53:38 -------- d-----w C:\Program Files\Joost
2007-04-30 01:53:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Joost
2007-04-30 00:31:20 -------- d-----w C:\Program Files\BinarySense
2007-04-29 14:26:39 -------- d-----w C:\Program Files\PowerPlugs
2007-04-28 08:09:06 -------- d--h--r C:\DOCUME~1\KANGMI~1.200\APPLIC~1\SecuROM
2007-04-28 03:52:59 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-04-27 02:50:40 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Real
2007-04-27 02:43:19 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Ahead
2007-04-27 02:30:21 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-27 02:27:58 -------- d-----w C:\Program Files\Nero
2007-04-27 01:38:17 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Media Player Classic
2007-04-26 20:14:58 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-04-26 19:47:08 22,832 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-26 19:16:00 -------- d-----w C:\Program Files\acer
2007-04-26 19:12:56 -------- d-----w C:\Program Files\WIDCOMM
2007-04-26 19:10:20 17,119 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-04-26 19:08:08 -------- d-----w C:\Program Files\WinPCap
2007-04-26 19:06:04 -------- d-----w C:\Program Files\ATI Technologies
2007-04-26 17:38:15 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-26 16:01:46 -------- d-----w C:\Program Files\Picasa2
2007-04-26 15:54:02 -------- d-----w C:\Program Files\SlySoft
2007-04-26 15:35:23 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-26 15:35:20 -------- d-----w C:\Program Files\Alcohol Soft
2007-04-26 12:36:46 -------- d-----w C:\Program Files\Skype
2007-04-26 12:36:45 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-26 12:24:43 -------- d-----w C:\Program Files\Media Player Classic
2007-04-26 12:23:09 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\vlc
2007-04-26 11:52:49 -------- d-----w C:\Program Files\Hamachi
2007-04-26 11:52:14 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-26 11:47:21 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\WinRAR
2007-04-26 11:36:24 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Apple Computer
2007-04-26 11:30:40 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\Leadertech
2007-04-26 11:23:53 -------- d-----w C:\DOCUME~1\KANGMI~1.200\APPLIC~1\HotSync
2007-04-26 11:23:48 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-04-26 11:23:47 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-04-26 11:17:57 -------- d-----w C:\Program Files\VideoLAN
2007-04-26 11:09:49 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8413.sys
2007-04-26 11:09:49 643,072 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-26 10:03:29 -------- d-----w C:\Program Files\Microsoft Works
2007-04-26 10:00:13 -------- d-----w C:\Program Files\Messenger
2007-04-26 09:56:06 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-26 08:05:47 -------- d-----w C:\Program Files\BitComet
2007-04-26 04:54:26 -------- d-----w C:\Program Files\Common Files\Deterministic Networks
2007-04-26 04:43:44 -------- d-----w C:\Program Files\Common Files\L&H
2007-04-26 04:43:29 -------- d-----w C:\Program Files\Microsoft.NET
2007-04-26 04:43:01 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-26 04:37:16 -------- d-----w C:\Program Files\CA
2007-04-26 02:57:14 471 ----a-w C:\WINDOWS\CLEANUP.CMD
2007-04-26 02:56:58 797 ----a-w C:\WINDOWS\HotFix.bat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-08 09:15:08 131,584 ----a-w C:\WINDOWS\system32\gc.dll
2007-04-01 12:34:21 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll [2007-04-29 17:29]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-04-26 13:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-08 21:05]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-03-28 18:04]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-24 09:13]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 12:00 C:\WINDOWS\system32\bthprops.cpl]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2005-09-05 11:43]
"eRecoveryService"="C:\Program Files\Acer\eRecovery\Monitor.exe" [2005-06-29 17:26]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-26 13:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11]
"@"="" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-26 13:28]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"PCMService"="C:\Program Files\Arcade\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-13 09:04:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-16 01:39:53 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-16 15:49:15 C:\WINDOWS\tasks\User_Feed_Synchronization-{4217A364-9520-48AB-A3CC-B8E9740D0C55}.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 23:49:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-16 23:51:39
C:\ComboFix-quarantined-files.txt ... 2007-06-16 23:51
C:\ComboFix2.txt ... 2007-06-08 23:16
C:\ComboFix3.txt ... 2007-06-04 01:58

--- E O F ---

#27 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 17 June 2007 - 03:57 AM

Hi again,

the files that the deleter is supposed to delete cannot be found.

No, it worked fine: it does a pre-run and post-run check, and in the post-run the files were gone, i.e. it deleted them all on the first run.

Ok, search for and delete this file:

C:\WINDOWS\iun6002.exe

There's nothing else which could account for the continuing alerts from KAV; I'm very much inclined to think the alerts are only from other orphaned registry entries, but let's have another look around:

Download http://www.geekstogo...a...nload&id=19 Deckard's System Scanner (formerly Comboscan) to your Desktop.
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  • Please also post this.
Note, the sequence of the reports may be slightly different than I describe, as this is a new version.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#28 swop

swop

    Member

  • Full Member
  • 21 posts

Posted 18 June 2007 - 10:41 AM

Hi,

I've deleted the iun6002.exe file and run the program. Log file as below. Just want to add that it seems like Kaspersky has been exceptionally "busy" and consumed all my processing power for quite a while. My trial version is coming to an end and I'm torn over whether I should continue with it, given that it has given me a fair share of problems while protecting against viruses. Hope that I could get some advice on which virus protection I should get.

Thanks again.

Deckard's System Scanner v20070611.50
Run by kangming.lan.2003 on 2007-06-18 at 23:34:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2007-06-18 15:34:50 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2007-06-18 04:24:37 UTC - RP5 - System Checkpoint
4: 2007-06-17 01:35:45 UTC - RP4 - System Checkpoint
3: 2007-06-15 11:02:37 UTC - RP3 - Software Distribution Service 2.0
2: 2007-06-14 13:22:22 UTC - RP2 - After virus


-- First Restore Point --
1: 2007-06-14 13:21:32 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-06-18 23:36:01
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16473)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Acer\ePM\EPM-DM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\kangming.lan.2003\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.micr.../OGAControl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177574774078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177574766890
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_01) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - "C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe"
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - "C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe"
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - "C:\Program Files\SMU-VPN\cvpnd.exe"
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
O23 - Service: GoogleDesktopManager - Google - "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - "C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe"
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 MountMsg (MountMs) - c:\windows\system32\drivers\mountmsg.sys
R0 PartMsg - c:\windows\system32\drivers\partmsg.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R1 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2304>
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2304>
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; OSA Technologies, An Avocent Company; Windows ® 2000 DDK driver>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows ® 2000 DDK provider; OSA int15 Driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys

S3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek Keyboard Filter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>
R2 CA_LIC_CLNT (CA License Client) - "c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe" <Not Verified; Computer Associates International Inc.; Lic98>
R2 LogWatch (Event Log Watch) - "c:\program files\ca\sharedcomponents\ca_lic\logwatnt.exe" <Not Verified; Computer Associates; Computer Associates LogWatNT>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 CA_LIC_SRVR (CA License Server) - "c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe" <Not Verified; Computer Associates International Inc.; Lic98>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-06-18 21:02:16 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-06-18 03:13:39 446 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{4217A364-9520-48AB-A3CC-B8E9740D0C55}.job
2007-06-13 17:04:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-05-18 and 2007-06-18 -----------------------------

2007-06-17 23:02:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-06-14 21:15:43 0 d-------- C:\WINDOWS\pss
2007-06-14 07:59:19 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-14 07:44:08 0 d-------- C:\Program Files\CCleaner
2007-06-13 07:48:14 0 d--h----- C:\WINDOWS\$hf_mig$
2007-06-06 21:04:28 0 d-------- C:\WINDOWS\BDOSCAN8
2007-06-06 17:39:30 0 d-------- C:\Program Files\iPod
2007-06-06 17:39:09 0 d-------- C:\Program Files\iTunes
2007-06-04 14:16:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-06-04 14:06:03 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-06-01 10:44:28 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\dvdcss
2007-05-31 19:00:14 0 d-------- C:\Program Files\MSN Messenger
2007-05-30 10:14:32 0 d-------- C:\WINDOWS\system32\Panda Software
2007-05-30 01:25:40 82258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-05-30 01:25:40 82258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-30 01:25:16 0 d-------- C:\Program Files\Kaspersky Lab
2007-05-30 01:25:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-05-30 01:25:09 390944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-30 01:25:09 14219552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-30 01:17:35 0 d-------- C:\KAV
2007-05-29 23:56:11 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-22 21:22:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2007-06-18 21:02:48 0 d-------- C:\Program Files\eMule
2007-06-18 18:24:57 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Skype
2007-06-06 18:26:10 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Google
2007-06-06 18:24:00 0 d-------- C:\Program Files\Google
2007-06-06 07:47:44 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Hamachi
2007-05-30 10:42:22 0 d-------- C:\Program Files\Windows Defender
2007-05-30 10:41:59 0 d-------- C:\Program Files\SMU-VPN
2007-05-30 10:40:42 0 d-------- C:\Program Files\palmOne
2007-05-30 10:37:06 0 d-------- C:\Program Files\Launch Manager
2007-05-30 01:03:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-30 00:51:08 0 d-------- C:\Program Files\Real Alternative
2007-05-30 00:50:27 0 d-------- C:\Program Files\PowerISO
2007-05-17 15:55:07 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll <Not Verified; BitComet; BitComet BCTP Helper>
2007-05-16 18:04:11 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Adobe
2007-05-16 17:28:41 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\U3
2007-05-15 12:05:23 0 d-------- C:\Program Files\Common Files\Datawatch Shared
2007-05-15 12:05:20 0 d-------- C:\Program Files\Monarch
2007-05-12 22:30:29 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Creative
2007-05-12 22:22:29 0 d-------- C:\Program Files\Creative
2007-05-12 21:17:54 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Screenshot Sender
2007-05-09 19:21:17 0 d-------- C:\Program Files\Samsung
2007-05-06 23:36:17 0 d-------- C:\Program Files\Gabest
2007-05-05 22:42:21 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Command & Conquer 3 Tiberium Wars
2007-05-05 12:10:28 0 d-------- C:\Program Files\TTPlayer
2007-05-02 21:09:00 0 d-------- C:\Program Files\QuickTime
2007-05-02 20:55:54 0 d-------- C:\Program Files\Apple Software Update
2007-04-30 09:53:38 0 d-------- C:\Program Files\Joost
2007-04-30 09:53:21 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Mozilla
2007-04-30 09:53:21 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Joost
2007-04-30 08:31:20 0 d-------- C:\Program Files\BinarySense
2007-04-29 22:26:39 0 d-------- C:\Program Files\PowerPlugs
2007-04-28 16:09:06 0 dr-h----- C:\Documents and Settings\kangming.lan.2003\Application Data\SecuROM
2007-04-28 11:53:21 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-28 11:52:59 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-28 00:46:03 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Sun
2007-04-28 00:45:30 0 d-------- C:\Program Files\Java
2007-04-28 00:39:44 0 d-------- C:\Program Files\Common Files\Java
2007-04-27 10:50:40 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Real
2007-04-27 10:43:19 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Ahead
2007-04-27 10:30:21 0 d-------- C:\Program Files\Common Files\Ahead
2007-04-27 10:27:58 0 d-------- C:\Program Files\Nero
2007-04-27 09:38:17 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Media Player Classic
2007-04-27 04:14:58 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-04-27 03:47:08 22832 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-04-27 03:40:54 62 --ahs---- C:\Documents and Settings\kangming.lan.2003\Application Data\desktop.ini
2007-04-27 03:16:00 0 d-------- C:\Program Files\acer
2007-04-27 03:12:56 0 d-------- C:\Program Files\WIDCOMM
2007-04-27 03:08:08 0 d-------- C:\Program Files\WinPCap
2007-04-27 03:06:04 0 d-------- C:\Program Files\ATI Technologies
2007-04-27 01:38:15 0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-27 00:01:46 0 d-------- C:\Program Files\Picasa2
2007-04-26 23:54:02 0 d-------- C:\Program Files\SlySoft
2007-04-26 23:35:20 0 d-------- C:\Program Files\Alcohol Soft
2007-04-26 20:36:46 0 d-------- C:\Program Files\Skype
2007-04-26 20:36:45 0 d-------- C:\Program Files\Common Files\Skype
2007-04-26 20:24:43 0 d-------- C:\Program Files\Media Player Classic
2007-04-26 20:23:09 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\vlc
2007-04-26 19:52:49 0 d-------- C:\Program Files\Hamachi
2007-04-26 19:47:21 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\WinRAR
2007-04-26 19:36:24 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Apple Computer
2007-04-26 19:30:40 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Leadertech
2007-04-26 19:23:53 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\HotSync
2007-04-26 19:17:57 0 d-------- C:\Program Files\VideoLAN
2007-04-26 18:03:29 0 d-------- C:\Program Files\Microsoft Works
2007-04-26 18:00:13 0 d-------- C:\Program Files\Messenger
2007-04-26 17:56:06 0 d-------- C:\Program Files\MSXML 4.0
2007-04-26 16:05:47 0 d-------- C:\Program Files\BitComet
2007-04-26 13:08:42 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Macromedia
2007-04-26 12:54:56 8 --a------ C:\WINDOWS\system32\success
2007-04-26 12:54:26 0 d-------- C:\Program Files\Common Files\Deterministic Networks
2007-04-26 12:43:44 0 d-------- C:\Program Files\Common Files\L&H
2007-04-26 12:43:29 0 d-------- C:\Program Files\Microsoft.NET
2007-04-26 12:43:01 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-04-26 12:37:16 0 d-------- C:\Program Files\CA
2007-04-26 12:19:02 0 d-------- C:\Documents and Settings\kangming.lan.2003\Application Data\Identities
2007-04-26 10:57:14 471 --a------ C:\WINDOWS\CLEANUP.CMD
2007-04-26 10:56:58 797 --a------ C:\WINDOWS\HotFix.bat
2007-04-08 17:15:08 131584 --a------ C:\WINDOWS\system32\gc.dll
2007-04-01 20:34:21 86016 --a------ C:\WINDOWS\system32\ElbyCDIO.dll <Not Verified; Elaborate Bytes AG; Elaborate Bytes CDRTools>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="Alaunch"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"EPM-DM"="c:\\acer\\epm\\epm-dm.exe"
"ePowerManagement"="C:\\Acer\\ePM\\ePM.exe boot"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LManager"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"eRecoveryService"="C:\\Program Files\\Acer\\eRecovery\\Monitor.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"AVFX Engine"="C:\\Program Files\\Creative\\Creative Live! Cam\\VideoFX\\StartFX.exe"
@=""
"Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-06-18 at 23:36:40 ---------

Deckard's System Scanner v20070611.50
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 2.00GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 1022.05 MiB / 601.33 MiB
Pagefile Memory (total/avail): 2460.05 MiB / 2135.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1960.84 MiB

C: is Fixed (NTFS) - 35.71 GiB total, 17.74 GiB free.
D: is Fixed (NTFS) - 35.88 GiB total, 16.52 GiB free.
E: is CDROM (No Media)
F: is Removable (FAT)
M: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: Kaspersky Anti-Virus v6.0.2.621 () Disabled

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\kangming.lan.2003\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KANGMING-ACER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\kangming.lan.2003
LOGONSERVER=\\DC22
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\DeskAdTop;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\KANGMI~1.200\LOCALS~1\Temp
TMP=C:\DOCUME~1\KANGMI~1.200\LOCALS~1\Temp
USERDNSDOMAIN=STUDENT.SMU.EDU.SG
USERDOMAIN=SMUSTU
USERNAME=kangming.lan.2003
USERPROFILE=C:\Documents and Settings\kangming.lan.2003
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

kangming (admin)
Administrator (admin)
kangming.lan.2003 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
???? 4.6.9(?????) --> "C:\Program Files\TTPlayer\uninst.exe"
英汉汉英 MBA专业词典 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44537F3D-5EF9-402F-8A10-76E03306CFF7}\SETUP.EXE" -uninst
Acer eManager for Notebook --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer eNetManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\Setup.exe" -l0x9
Acer ePowerManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer GridVista --> C:\WINDOWS\UnInst32.exe GridV.UNI
Adobe Acrobat 8.1.0 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Advanced Video FX Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 /remove
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Arcade 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.EXE" -uninstall
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitComet 0.87 --> C:\Program Files\BitComet\uninst.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chinese (Traditional) Language Support --> RunDll32 syssetup.dll,SetupInfObjectInstallAction Uninstall.NT 4 zhtw.inf
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
CloneDVD2 --> "C:\Program Files\SlySoft\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\SlySoft\CloneDVD2"
CloneDVDmobile --> "C:\Program Files\SlySoft\CloneDVDmobile\CloneDVDmobile-uninst.exe" /D="C:\Program Files\SlySoft\CloneDVDmobile"
Command & Conquer 3 --> MsiExec.exe /I{B0C30E93-D3D9-4F04-A2AC-54749B573275}
Conexant AC-Link Audio --> CIAunwdm.exe
Creative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /remove
Creative WebCam Notebook Driver (1.04.01.0322) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script Pd1171.uns -unsext NT -plugin P1171Pin.dll -pluginres P1171Pin.crl
eMule VeryCD版 --> C:\Program Files\eMule\uninstall.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hamachi 1.0.2.1 --> C:\Program Files\Hamachi\uninstall.exe
HDDlife plug-in for Google Desktop 1.1 --> C:\Program Files\BinarySense\HDDlife plug-in for Google Desktop\uninst.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
iTunes --> MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Joost ™ 0.9.2 --> C:\Program Files\Joost\uninst.exe
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Speech API 4.0 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\spchapi.inf, Uninstall
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Monarch 8.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2480B3DF-5914-4DAA-8510-DCAB3F43C0C2}\Setup.exe" -l0x9
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
Nero 7 Ultra Edition --> MsiExec.exe /I{43FFE159-3199-4188-A1CD-629166AD1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
palmOne --> MsiExec.exe /X{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Panda NanoScan --> C:\WINDOWS\system32\Panda Software\NanoScan\nanounst.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PowerPlugs: Excel Solutions for Entrepreneurs - Business Forecaster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2E537A0-5295-11D4-9A1F-00105AA3D866}\Setup.exe"
PowerPlugs: Excel Solutions for Entrepreneurs - Office Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5042DA3-F6A0-4D37-A356-515AB4AC027D}\Setup.exe"
PowerPlugs: Excel Solutions for Entrepreneurs - Sales Planner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93CF851-5402-11D4-9A1F-00105AA3D866}\Setup.exe"
PowerPlugs: Excel Solutions for Entrepreneurs - Smart Buyer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B457CD60-6945-11D4-9A1F-00105AA3D866}\Setup.exe"
PowerPlugs: Problem Solver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{37D59720-5290-11D4-9A1F-00105AA3D866}\Setup.exe"
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.EXE" -uninstall
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Real Alternative 1.52 --> "C:\Program Files\Real Alternative\unins000.exe"
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile USB Modem ^^ --> C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Skype 3.1 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_00661025\HXFSETUP.EXE -U -Iqta00665.inf
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8E50332B-772C-4AEA-BF56-94DE6A1D5F10} /l1033
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
WIDCOMM Bluetooth Software --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows XP Creativity Fun Packs - Windows Movie Maker 2 --> MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- End of Deckard's System Scanner: finished at 2007-06-18 at 23:36:40 ---------

#29 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 19 June 2007 - 12:26 PM

Hi again,

There are two files here I can't get any info on, so please go here:
http://www.virustota.../en/indexf.html
and upload and scan this file:
c:\windows\system32\drivers\mountmsg.sys
and post the scan results.
Then repeat for this file:
c:\windows\system32\drivers\partmsg.sys
and post the scan results.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#30 swop

    Member

  • Full Member
  • 21 posts

Posted 22 June 2007 - 08:53 AM

Complete scanning result of "mountmsg.sys", received in VirusTotal at 06.22.2007, 15:19:45 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.22.2007 no virus found
AntiVir 7.4.0.34 06.22.2007 no virus found
Authentium 4.93.8 06.22.2007 no virus found
Avast 4.7.997.0 06.22.2007 no virus found
AVG 7.5.0.476 06.22.2007 no virus found
BitDefender 7.2 06.22.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.22.2007 no virus found
DrWeb 4.33 06.22.2007 no virus found
eSafe 7.0.15.0 06.21.2007 no virus found
eTrust-Vet 30.8.3735 06.22.2007 no virus found
Ewido 4.0 06.22.2007 no virus found
FileAdvisor 1 06.22.2007 no virus found
Fortinet 2.91.0.0 06.22.2007 no virus found
F-Prot 4.3.2.48 06.21.2007 no virus found
F-Secure 6.70.13030.0 06.22.2007 no virus found
Ikarus T3.1.1.8 06.22.2007 no virus found
Kaspersky 4.0.2.24 06.22.2007 no virus found
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2701 06.22.2007 no virus found
NOD32v2 2344 06.22.2007 no virus found
Norman 5.80.02 06.22.2007 no virus found
Panda 9.0.0.4 06.22.2007 no virus found
Prevx1 V2 06.22.2007 no virus found
Sophos 4.19.0 06.22.2007 no virus found
Sunbelt 2.2.907.0 06.21.2007 no virus found
Symantec 10 06.22.2007 no virus found
TheHacker 6.1.6.137 06.22.2007 no virus found
VBA32 3.12.0.2 06.21.2007 no virus found
VirusBuster 4.3.23:9 06.22.2007 no virus found
Webwasher-Gateway 6.0.1 06.22.2007 no virus found


Aditional Information
File size: 14592 bytes
MD5: 640b373f514c1a134909392e72abfd6a
SHA1: f7b960c6879051eb3433232f8a31d9daa711fd15

#31 swop

    Member

  • Full Member
  • 21 posts

Posted 22 June 2007 - 09:16 AM

Hi,

here are the 2 scans.

Kaspersky detects viruses again and this is just one of them. Hope that it'll be helpful in your diagnosis. Thanks again! :)

C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP7\A0001507.dll

Complete scanning result of "partmsg.sys", received in VirusTotal at 06.22.2007, 15:54:30 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.22.2007 no virus found
AntiVir 7.4.0.34 06.22.2007 no virus found
Authentium 4.93.8 06.22.2007 no virus found
Avast 4.7.997.0 06.22.2007 no virus found
AVG 7.5.0.476 06.22.2007 no virus found
BitDefender 7.2 06.22.2007 no virus found
CAT-QuickHeal 9.00 06.22.2007 no virus found
ClamAV devel-20070416 06.22.2007 no virus found
DrWeb 4.33 06.22.2007 no virus found
eSafe 7.0.15.0 06.21.2007 no virus found
eTrust-Vet 30.8.3735 06.22.2007 no virus found
Ewido 4.0 06.22.2007 no virus found
FileAdvisor 1 06.22.2007 no virus found
Fortinet 2.91.0.0 06.22.2007 no virus found
F-Prot 4.3.2.48 06.21.2007 no virus found
F-Secure 6.70.13030.0 06.22.2007 no virus found
Ikarus T3.1.1.8 06.22.2007 no virus found
Kaspersky 4.0.2.24 06.22.2007 no virus found
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2701 06.22.2007 no virus found
NOD32v2 2344 06.22.2007 no virus found
Norman 5.80.02 06.22.2007 no virus found
Panda 9.0.0.4 06.22.2007 no virus found
Sophos 4.19.0 06.22.2007 no virus found
Sunbelt 2.2.907.0 06.21.2007 no virus found
Symantec 10 06.22.2007 no virus found
TheHacker 6.1.6.137 06.22.2007 no virus found
VBA32 3.12.0.2 06.21.2007 no virus found
VirusBuster 4.3.23:9 06.22.2007 no virus found
Webwasher-Gateway 6.0.1 06.22.2007 no virus found


Aditional Information
File size: 91776 bytes
MD5: d612d5d639ce1ffb6e04c8fdd0ec635b
SHA1: a152cbc393635e4fb35bc8bce900ed48a4e2d467

#32 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 23 June 2007 - 01:35 PM

Hi again,

Once again, as I said before, these entries are not active Malware, they are past data stored in system restore, therefore not harmful unless you restore to that point.

Do Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.
After reboot, go back in and turn System Restore back on.

Run Kaspersky again and give me a complete list of what it's detecting.

jedi

#33 swop

    Member

  • Full Member
  • 21 posts

Posted 25 June 2007 - 09:11 AM

Hi again,

99% - Scan
----------
Scanned: 262439
Detected: 2
Untreated: 2
Start time: 2007-06-25 21:01
Duration: 01:03:50
Finish time: 2007-06-25 22:04


Detected
--------
Status Object
------ ------
detected: Trojan program Backdoor.Win32.Hupigon.aqy File: C:\WINDOWS\system32\Manager.dll
detected: Trojan program Backdoor.Win32.Hupigon.aqy File: C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL


Statistics
----------
Object           Scanned  Detected  Untreated  Deleted  Moved to Quarantine  Archives  Packed files  Password protected  Corrupted
------           -------  --------  ---------  -------  -------------------  --------  ------------  ------------------  ---------
All objects       258837         2          2        0                    0      8631           231                  60          2
My Documents        2518         0          0        0                    0        19             0                   0          0
Mail databases      3051         0          0        0                    0      1087             0                   0          0
ACER (C:)         253197         2          2        0                    0      7516           229                  60          2
ACERDATA (D:)         71         0          0        0                    0         9             2                   0          0


Settings
--------
Parameter                                   Value
---------                                   -----
Security Level                              Recommended
Action                                      Prompt for action when the scan is complete
Run mode                                    Manually
File types                                  Scan all files
Scan only new and changed files             No
Scan archives                               All
Scan embedded OLE objects                   All
Skip if object is larger than               No
Skip if scan takes longer than              No
Parse email formats                         No
Scan password-protected archives            No
Enable iChecker technology                  Yes
Enable iSwift technology                    Yes
Show detected threats on "Detected" tab     Yes

This is the summarised version. There're a lot of files and if I'm going to post here it's going to be long. But these 2 viruses kept coming back despite Kaspersky's attempt to delete them with a reboot.

Thanks again.

#34 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 25 June 2007 - 01:02 PM

Hi again,

Good, that's useful.

Download Avenger from here:
http://swandog46.geekstogo.com/

Open the program. Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, paste this:

Files to delete:
C:\WINDOWS\system32\Manager.dll
C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL




and click 'Done'

Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC.

Post the Avenger output log, which you can find at C:\Avenger\.txt

jedi

#35 swop

    Member

  • Full Member
  • 21 posts

Posted 26 June 2007 - 11:11 AM

Hi,

Here's the results.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\enphugwl

*******************

Script file located at: \??\C:\fjimjqvc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


File C:\WINDOWS\system32\Manager.dll not found!
Deletion of file C:\WINDOWS\system32\Manager.dll failed!

Could not process line:
C:\WINDOWS\system32\Manager.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SPUPDSVC.DLL
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

I know this might sound impossible but Kaspersky can detect and delete them but it keeps coming back. By that I do not mean that it will resurface every time I reboot. Instead, it seems to reappear rather randomly and without cause (no usb drive was plugged in, no program running except startup programs, since Kaspersky detects them right in the beginning of the system startup and prompts for action to delete).

Really thank you for taking great effort to help me out here. Thanks. :)

#36 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 26 June 2007 - 01:27 PM

Hi again,

Ok, do Start > Search > All Files/Folders, and enter Manager.dll and hit OK.
Post the results, if any, here. (Full filepath please.)

Next:

Do Start > Search > All Files/Folders, and enter SPUPDSVC.DLL and hit OK.
Post the results, if any, here. (Full filepath please.)

Next:

Download Bill James' reg search tool from here:
http://www.billsway.com/vbspage/
Open the tool, and in the search box enter:

SPUPDSVC.DLL

and click OK. Post the output, if any, in this thread.


Next:

Download Bill James' reg search tool from here:
http://www.billsway.com/vbspage/
Open the tool, and in the search box enter:

Manager.dll

and click OK. Post the output, if any, in this thread.


Also:

Please download AVG Antirootkit Beta from here: http://www.majorgeek...tkit_d5249.html
  • Install it, and follow the prompts to restart your computer.
  • Run the program and select Perform in-depth search.
  • When it has finished, click Save result to file
  • Post the contents of the results in your reply.
jedi

#37 swop

    Member

  • Full Member
  • 21 posts

Posted 28 June 2007 - 10:31 AM

Hi,

Did a search for the 2 files but got no results.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "SPUPDSVC.DLL" 2007-06-28 23:25:35

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-818368676-931757178-618671499-10758\Software\Microsoft\Search Assistant\ACMru\5603]
"002"="spupdsvc.dll"


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "manager.dll" 2007-06-28 23:26:57

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A02BC89-803A-45fa-8BE6-AF83A4EC8E45}\InprocServer32]
@="C:\\Program Files\\Common Files\\Ahead\\Lib\\ShellManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74DF9A49-8EA7-41BA-98CD-F7C736486079}\InprocServer32]
@="C:\\Program Files\\Common Files\\Ahead\\DSFilter\\NeDiscManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80F91574-E7A3-4451-8F7A-934C91C067EF}\InprocServer32]
@="C:\\Program Files\\Common Files\\Ahead\\Lib\\ShellManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4F124794-E6EC-4FD8-85FA-D88F2DA8BC11}\1.0\0\win32]
@="C:\\Program Files\\Common Files\\Ahead\\Lib\\ShellManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\593CEC0CED66732C83D1C4FC722E8C77]
"951EFF34991388141ADC261966DA0133"="C?\\Program Files\\Common Files\\Ahead\\DSFilter\\NeDiscManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\929C927C8F4E3FC00214EBE1C8BB554C]
"951EFF34991388141ADC261966DA0133"="C?\\Program Files\\Common Files\\Ahead\\Lib\\ShellManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Ahead\\DSFilter\\NeDiscManager.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Ahead\\Lib\\ShellManager.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\Manager.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\dbmanager.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\dbmanager.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\dbmanager.dll]

[HKEY_USERS\S-1-5-21-818368676-931757178-618671499-10758\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="manager.dll"

#38 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 28 June 2007 - 01:15 PM

Hi,

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-



Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

That is the only instance of either of those files that appears to exist, so let me know if this fixes the issue.

jedi
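
The registry hits in post #37 are mostly benign (COM registrations, an installer record, the user's own search-box history); the one real load point is the AppInit_DLLs value, which is exactly what the fix.reg in post #38 deletes. As an added example, not the thread's own code nor Bill James' RegSrch tool, here is a Python script that parses RegSrch's REGEDIT4-style output, separates load points from that noise and writes the same kind of removal file; the sample input is a constructed, trimmed copy of the output quoted above.

```python
"""Triage RegSrch.vbs output: split real load points from benign hits and emit a REGEDIT4 removal file."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RegHit:
    key: str                    # full key path as printed by RegSrch
    name: Optional[str] = None  # value name, "@" for the default value, None for key-only hits
    data: Optional[str] = None  # decoded string data, or raw "dword:..." text

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # REGEDIT4 escapes \ and " with a backslash

def parse_regsrch(text: str) -> List[RegHit]:
    """One RegHit per value line; a key with no value lines becomes a key-only hit."""
    hits: List[RegHit] = []
    key: Optional[str] = None
    key_has_values = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            if key is not None and not key_has_values:
                hits.append(RegHit(key))
            key, key_has_values = line[1:-1], False
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        hits.append(RegHit(key, name, data))
        key_has_values = True
    if key is not None and not key_has_values:
        hits.append(RegHit(key))
    return hits

# (key pattern, value-name pattern or None for any value / key-only hit, why it matters)
LOAD_POINTS: List[Tuple[str, Optional[str], str]] = [
    (r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows$", r"^AppInit_DLLs$",
     "AppInit_DLLs: the DLL is loaded into every process that loads user32.dll"),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services)?$", None, "Run-key autostart"),
    (r"\\CurrentControlSet\\Services\\[^\\]+(\\Parameters)?$", r"^(ImagePath|ServiceDll)$",
     "service binary or service-host DLL"),
]
NOISE: List[Tuple[str, str]] = [
    (r"\\Search Assistant\\ACMru\\", "search-box history: the user's own search terms"),
    (r"\\CurrentVersion\\Installer\\UserData\\", "Windows Installer component record"),
    (r"\\CurrentVersion\\SharedDlls$", "SharedDlls reference count"),
    (r"\\Classes\\(CLSID|TypeLib)\\", "COM/type-library registration, not a load point by itself"),
    (r"\\Control\\Nls\\MUILanguages\\", "MUI language resource record"),
]

def classify(hit: RegHit) -> Tuple[str, str]:
    """Return ("LOAD_POINT" | "NOISE" | "REVIEW", reason); matching is case-insensitive."""
    for key_pat, name_pat, why in LOAD_POINTS:
        if re.search(key_pat, hit.key, re.I) and (
            name_pat is None or (hit.name is not None and re.match(name_pat, hit.name, re.I))):
            return "LOAD_POINT", why
    for key_pat, why in NOISE:
        if re.search(key_pat, hit.key, re.I):
            return "NOISE", why
    return "REVIEW", "unrecognised location, check by hand"

def make_fix_reg(hits: List[RegHit]) -> str:
    """REGEDIT4 text deleting each hit's value ("name"=-), or the whole key for key-only hits."""
    lines = ["REGEDIT4", ""]
    for h in hits:
        if h.name is None:
            lines.append(f"[-{h.key}]")
        else:
            esc = h.name.replace("\\", "\\\\").replace('"', '\\"')
            lines += [f"[{h.key}]", "@=-" if h.name == "@" else f'"{esc}"=-']
        lines.append("")
    return "\n".join(lines)

# Constructed sample: a trimmed copy of the RegSrch output for "manager.dll" in post #37
SAMPLE_REGSRCH_OUTPUT = r"""REGEDIT4
; Registry search results for string "manager.dll" 2007-06-28 23:26:57

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A02BC89-803A-45fa-8BE6-AF83A4EC8E45}\InprocServer32]
@="C:\\Program Files\\Common Files\\Ahead\\Lib\\ShellManager.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\Manager.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\dbmanager.dll]

[HKEY_USERS\S-1-5-21-818368676-931757178-618671499-10758\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="manager.dll"
"""
```

Running parse_regsrch over a saved RegSrch result and classify over each hit reproduces the triage by hand; make_fix_reg on the LOAD_POINT hits yields the removal file to merge.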

#39 swop

    Member

  • Full Member
  • 21 posts

Posted 29 June 2007 - 12:39 AM

Hi,

I've done the checks as you mentioned before and no root-kit spyware showed up. I had also used the fix.reg on my registry, cleared all system restore points and rebooted the computer. However, the virus seems to continue to reside at least in the system restore.

C:\System Volume Information\_restore{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP3\A0000132.sys

Thanks!

#40 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 29 June 2007 - 03:39 AM

Hi again,

the virus seems to continue to reside at least in the system restore.

Well, it can't do any harm there; System Restore is a memory of how your PC was at a previous time, and anything in there is not a threat unless you restore to that point, which, as you have cleared your restore points, is no longer an option. But let's just check that file doesn't exist in real time:

Do Start > Search > All Files/Folders and search for A0000132.sys, post the results here, if any.

Also, run the FSecure online scanner here:
http://support.f-sec.../home/ols.shtml
Accept the ActiveX control (Use IE) and post any results here.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#41 swop

swop

    Member

  • Full Member
  • 21 posts

Posted 02 July 2007 - 09:21 AM

Hi,

I did a little experiment. I did not turn back on my System Restore after turning it off earlier, and till now Kaspersky has not detected any viruses either in the System Restore files or in the win32 directory. I suspect that my System Restore function has been permanently infected/changed to always include backing up the virus in the System Restore.

As for the A0000132.sys file, it doesn't exist in real time and I'm still scanning using F-Secure.

Thanks again!

#42 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 02 July 2007 - 12:32 PM

Hi again,

Ok, let me know the results from FSecure when you have them.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#43 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 22 July 2007 - 08:59 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
