some help


This topic is locked. 26 replies to this topic.

#1 mien Gemini (Member, Full Member, 83 posts)

Posted 07 May 2008 - 04:17 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:53:00 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Permeo\e-Border Driver\s5credmgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\o2flash.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\PPStream\PPStream.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [e-Border Credential] C:\Program Files\Permeo\e-Border Driver\s5credmgr.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\permeo\e-border driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\e-border driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\e-border driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\e-border driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\e-border driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\e-border driver\s5spi.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1204813357031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204817321546
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



My HijackThis log..

This is the log from before I got this problem.

My Windows hangs at the loading screen; I can only log on to safe mode now.
And I think there's some problem with the browser or something, which is why I couldn't log in to some forum.

So please help me and tell me if there's any other problem.

Thanks in advance.

Edited by DaRkSkY, 07 May 2008 - 04:30 AM.


#2 mien Gemini (Member, Full Member, 83 posts)

Posted 07 May 2008 - 08:42 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:27 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\V-Gear BEE\VBService.exe
C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\3B Software\Registry Repair Pro\RegistryRepairPro.exe
C:\PROGRA~1\3BSOFT~1\Common\Registry\wcomrt.exe
D:\HiJackThis.exe

F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BEE Service.lnk = C:\Program Files\V-Gear BEE\VBService.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Startup: 珊瑚虫.lnk = C:\Program Files\Tencent\QQ\CoralQQ.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 6164 bytes


This is the new log..
As I had urgent need of the computer,
I refreshed the system.

#3 SWI Support Robot (Helper robot, SWI Bot, 23,533 posts)

Posted 09 May 2008 - 04:18 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 snemelk (Engineer, Expert, 3,099 posts)

Posted 14 May 2008 - 04:43 PM

Hi DaRkSkY, and Welcome to SWI.

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

Download Dr.Web CureIt to the Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: (image)
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    (image)
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Then please post a fresh HijackThis log!..

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 mien Gemini (Member, Full Member, 83 posts)

Posted 18 May 2008 - 01:43 AM

Thanks for the reply.

It seems that there are lots of infected files.

Here's the log from DrWeb:

A0022147.exe;C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51;Win32.HLLW.Autoruner.1798;Deleted.;
A0022148.exe;C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51;Win32.HLLW.Autoruner.1798;Deleted.;
WarcraftAutorefresh.exe;D:\Games\Warcraft III;Trojan.PWS.Banker.12189;Deleted.;
A0056365.rbf;D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP125;Probably BACKDOOR.Trojan;;
A0059869.EXE;D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP134;Win32.HLLW.Autoruner.1798;Deleted.;
A0059941.EXE;D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP135;Win32.HLLW.Autoruner.1798;Deleted.;
A0060020.EXE;D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP135;Win32.HLLW.Autoruner.1798;Deleted.;
A0060118.EXE;D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP136;Win32.HLLW.Autoruner.1798;Deleted.;
A0060141.EXE;D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP136;Win32.HLLW.Autoruner.1798;Deleted.;
A0017971.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP41;Win32.HLLW.Autoruner.1798;Deleted.;
A0018134.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43;Win32.HLLW.Autoruner.1798;Deleted.;
A0018178.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43;Win32.HLLW.Autoruner.1798;Deleted.;
A0018241.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43;Win32.HLLW.Autoruner.1798;Deleted.;
A0019240.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43;Win32.HLLW.Autoruner.1798;Deleted.;
A0019269.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43;Win32.HLLW.Autoruner.1798;Deleted.;
A0020310.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49;Win32.HLLW.Autoruner.1798;Deleted.;
A0020348.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49;Win32.HLLW.Autoruner.1798;Deleted.;
A0020796.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49;Win32.HLLW.Autoruner.1798;Deleted.;
A0021107.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51;Win32.HLLW.Autoruner.1798;Deleted.;
A0021170.EXE;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51;Win32.HLLW.Autoruner.1798;Deleted.;
A0022499.exe;D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP53;Trojan.PWS.Banker.12189;Deleted.;
A0000446.EXE;D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP12;Win32.HLLW.Autoruner.1798;Deleted.;
A0000468.EXE;D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP12;Win32.HLLW.Autoruner.1798;Deleted.;
A0000572.EXE;D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP17;Win32.HLLW.Autoruner.1798;Deleted.;
A0000623.EXE;D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP17;Win32.HLLW.Autoruner.1798;Deleted.;
A0001281.EXE;D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP57;Win32.HLLW.Autoruner.1798;Deleted.;
A0019869.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0019956.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020033.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020049.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020065.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020076.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020089.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020099.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64;Win32.HLLW.Autoruner.1798;Deleted.;
A0020352.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020381.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020399.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020410.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020421.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020441.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020719.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020737.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0020744.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0021756.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;
A0021780.EXE;D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65;Win32.HLLW.Autoruner.1798;Deleted.;

#6 mien Gemini (Member, Full Member, 83 posts)

Posted 18 May 2008 - 01:43 AM

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:23 PM, on 5/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\snpstd3\tsnpstd3.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
D:\HiJackThis.exe
C:\Program Files\Tencent\QQ\qqpet\QQPenguin\QQPenguin.exe

F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\Program Files\Common Files\snpstd3\tsnpstd3.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Startup: 珊瑚虫.lnk = C:\Program Files\Tencent\QQ\CoralQQ.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210256026687
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 7952 bytes

#7 snemelk

    engineer

  • Expert
  • 3,099 posts

Posted 18 May 2008 - 03:52 AM

Hi again DaRkSkY, and thank you for the logs! :)

DrWeb CureIt found infected files only in System Restore points...

Anyway, there are still signs of infection... I would like you not to plug any pen drives into this computer until the system is clean and protected with antivirus software...

Please run a scan in HijackThis and check the following items:

F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Then close all open windows except HijackThis and click: Fix checked.


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Do you recognize the program PPS Accelerator?
Located in: C:\Program Files\PPStream

Post the ComboFix log and a fresh HijackThis log and we will finish the cleaning, because there is still a little to do...

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
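The four items snemelk asks to have fixed share a small set of patterns: a logon hook that launches something extra (a trailing entry after userinit.exe in UserInit, a non-empty win.ini load=), a BHO registration left pointing at a file that is gone, and a Run entry given as a bare file name rather than a full path. As an added example that is not part of this thread or of HijackThis itself, the Python script below applies those checks to HijackThis log lines. The sample lines are constructed from entries quoted in this thread, and the stock UserInit path used for comparison is an assumption for Windows XP.

```python
import re

# Constructed sample input: the four lines the helper asked to have fixed,
# taken from the thread, plus two benign lines from the same logs for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

# Assumption: on a stock Windows XP install the Winlogon UserInit value names
# only userinit.exe in system32 (followed by a trailing comma).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches "O4 - HKLM\..\Run: [Name] command line" and captures hive, name, command.
O4_RE = re.compile(r"O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")


def userinit_extras(value):
    """Split a UserInit value on commas and return every entry that is not the
    stock userinit.exe. A clean value yields []; a trailing ',System' yields ['System']."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != STOCK_USERINIT]


def triage_line(line):
    """Classify one HijackThis line as (verdict, reason), or None if the line
    type is not handled. Verdicts: suspicious, orphan, verify, ok."""
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: UserInit="):
        value = line.split("UserInit=", 1)[1]
        if STOCK_USERINIT not in [p.strip().lower() for p in value.split(",")]:
            return ("suspicious", "stock userinit.exe is missing from UserInit")
        extras = userinit_extras(value)
        if extras:
            return ("suspicious", "UserInit also launches at every logon: " + ", ".join(extras))
        return ("ok", "UserInit is the stock value")
    if line.startswith("F3 - REG:win.ini: load="):
        value = line.split("load=", 1)[1].strip()
        if value:
            return ("suspicious", "win.ini load= runs '%s' at logon; it is empty on a clean system" % value)
        return ("ok", "win.ini load= is empty")
    if line.startswith("O2 - BHO:"):
        if line.endswith("- (no file)"):
            return ("orphan", "BHO CLSID is registered but its DLL is gone; remove the registration")
        return ("ok", "BHO has a backing file; check its publisher")
    m = O4_RE.match(line)
    if m:
        _hive, _name, cmd = m.groups()
        # First token of the command line, honouring a quoted path.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:
            return ("verify", "'%s' is given without a path, so Windows locates it through the "
                              "executable search order; confirm which file on disk actually runs" % exe)
        return ("ok", "Run entry uses a full path; check its publisher")
    return None


def triage_log(text):
    """Run triage_line over every non-empty line; returns [(line, verdict, reason)]."""
    results = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        r = triage_line(raw)
        if r is not None:
            results.append((raw.strip(), r[0], r[1]))
    return results


def fix_candidates(text):
    """Lines that belong on a 'fix checked' list: verdict suspicious or orphan.
    'verify' entries need a look at the file on disk before deciding."""
    return [line for line, verdict, _ in triage_log(text) if verdict in ("suspicious", "orphan")]


if __name__ == "__main__":
    for line, verdict, reason in triage_log(SAMPLE_LOG):
        print("%-10s %s\n           %s" % (verdict, line, reason))
```

The bare-name Run entry gets the weaker "verify" verdict on purpose: many OEM utilities register that way (RTHDCPL.EXE and AGRSMMSG.exe in the logs above do too), so the right follow-up is to find the file Windows actually resolves and check who signed it, not to delete the entry on sight.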

#8 mien Gemini

    Member

  • Full Member
  • 83 posts

Posted 18 May 2008 - 07:26 AM

Thanks again.

PPS Accelerator is one of the "plugins" for PPStream; is anything wrong with it?

Also, "O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE" should be part of the sound manager; is it infected or something?


Here's the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:18 PM, on 5/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\snpstd3\tsnpstd3.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
D:\HiJackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\Program Files\Common Files\snpstd3\tsnpstd3.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Startup: 珊瑚虫.lnk = C:\Program Files\Tencent\QQ\CoralQQ.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210256026687
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 7781 bytes

Edited by DaRkSkY, 18 May 2008 - 07:28 AM.


#9 mien Gemini

    Member

  • Full Member
  • 83 posts

Posted 18 May 2008 - 07:27 AM

Here's the ComboFix log.

ComboFix 08-05-15.3 - Owner 2008-05-18 21:14:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.541 [GMT 8:00]
Running from: D:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Incesoft\XiaoiAlerts
C:\Program Files\Incesoft\XiaoiAlerts\capture.dll
C:\Program Files\Incesoft\XiaoiAlerts\config.dat
C:\Program Files\Incesoft\XiaoiAlerts\menupics\comic.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\dream.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\dy.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\fy.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\game.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\girl.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\helpcenter.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\joke.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\kaiyun.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\map.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\menuleft.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\money.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\music.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\stock.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\stock2.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\ti.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\tq.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\video.png
C:\Program Files\Incesoft\XiaoiAlerts\menupics\zazhi.png
C:\Program Files\Incesoft\XiaoiAlerts\MSNMessengerLib.dll
C:\Program Files\Incesoft\XiaoiAlerts\msnplugin.dll
C:\Program Files\Incesoft\XiaoiAlerts\uninstall.exe
C:\Program Files\Incesoft\XiaoiAlerts\xdconfig.xml
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiDesktop.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe
C:\WINDOWS\system32\_004136_.tmp.dll
C:\WINDOWS\system32\_004137_.tmp.dll
C:\WINDOWS\system32\_004138_.tmp.dll
C:\WINDOWS\system32\_004139_.tmp.dll
C:\WINDOWS\system32\_004146_.tmp.dll
C:\WINDOWS\system32\_004147_.tmp.dll
C:\WINDOWS\system32\_004148_.tmp.dll
C:\WINDOWS\system32\_004149_.tmp.dll
C:\WINDOWS\system32\_004151_.tmp.dll
C:\WINDOWS\system32\_004152_.tmp.dll
C:\WINDOWS\system32\_004155_.tmp.dll
C:\WINDOWS\system32\_004156_.tmp.dll
C:\WINDOWS\system32\_004158_.tmp.dll
C:\WINDOWS\system32\_004159_.tmp.dll
C:\WINDOWS\system32\_004160_.tmp.dll
C:\WINDOWS\system32\_004162_.tmp.dll
C:\WINDOWS\system32\_004163_.tmp.dll
C:\WINDOWS\system32\_004165_.tmp.dll
C:\WINDOWS\system32\_004166_.tmp.dll
C:\WINDOWS\system32\_004168_.tmp.dll
C:\WINDOWS\system32\_004170_.tmp.dll
C:\WINDOWS\system32\_004171_.tmp.dll
C:\WINDOWS\system32\_004173_.tmp.dll
C:\WINDOWS\system32\_004176_.tmp.dll
C:\WINDOWS\system32\_004178_.tmp.dll
C:\WINDOWS\system32\_004179_.tmp.dll
C:\WINDOWS\system32\_004180_.tmp.dll
C:\WINDOWS\system32\_004181_.tmp.dll
C:\WINDOWS\system32\_004182_.tmp.dll
C:\WINDOWS\system32\_004185_.tmp.dll
C:\WINDOWS\system32\_004186_.tmp.dll
C:\WINDOWS\system32\_004187_.tmp.dll
C:\WINDOWS\system32\_004188_.tmp.dll
C:\WINDOWS\system32\_004189_.tmp.dll
C:\WINDOWS\system32\_004194_.tmp.dll
C:\WINDOWS\system32\_004196_.tmp.dll
C:\WINDOWS\system32\_004197_.tmp.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver\btcusb.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 15:48 . 2008-05-18 21:13 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-16 20:17 . 2008-05-16 20:17 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-16 18:43 . 2008-05-16 18:43 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-05-16 18:33 . 2008-05-16 18:34 13 --a------ C:\WINDOWS\msgtn.ini
2008-05-16 01:27 . 2008-04-14 08:12 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2008-05-16 01:27 . 2008-04-14 08:12 28,672 --a------ C:\WINDOWS\system32\drivers\vidcap.ax
2008-05-16 01:26 . 2008-04-14 08:12 91,136 --a------ C:\WINDOWS\system32\drivers\kswdmcap.ax
2008-05-16 01:26 . 2008-04-14 08:12 61,952 --a------ C:\WINDOWS\system32\drivers\kstvtune.ax
2008-05-16 01:26 . 2008-04-14 08:12 43,008 --a------ C:\WINDOWS\system32\drivers\ksxbar.ax
2008-05-15 02:12 . 2008-05-15 02:12 45 --a------ C:\WINDOWS\AFX.INI
2008-05-13 18:05 . 2008-05-13 18:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-05-13 17:42 . 2008-05-13 17:43 <DIR> d-------- C:\Program Files\ImgBurn
2008-05-13 16:56 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-13 16:44 . 1999-08-18 09:54 180,224 --------- C:\WINDOWS\system32\ijl11.dll
2008-05-13 16:44 . 2002-11-27 00:53 53,248 --------- C:\WINDOWS\system32\KPic10.dll
2008-05-13 16:44 . 2003-06-19 19:47 45,056 --------- C:\WINDOWS\system32\KShotScreen.dll
2008-05-13 16:44 . 2003-06-19 22:07 16,768 --a------ C:\WINDOWS\system32\drivers\quakedrv.sys
2008-05-12 21:43 . 2008-05-12 21:43 230,424 --a------ C:\img2-001.raw
2008-05-11 23:23 . 2008-05-11 23:23 <DIR> dr------- C:\Documents and Settings\Owner\Application Data\Brother
2008-05-11 14:32 . 2008-05-11 14:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tencent
2008-05-11 02:26 . 2008-05-11 02:26 <DIR> dr-h----- C:\MSOCache
2008-05-11 00:59 . 2008-05-11 00:59 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-10 17:29 . 2008-05-11 21:06 416 --a------ C:\WINDOWS\kaillera.ini
2008-05-10 17:23 . 2008-05-10 17:23 <DIR> d-------- C:\Program Files\CyberLink
2008-05-10 17:23 . 2008-05-10 17:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-05-10 16:01 . 2008-05-10 16:01 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-05-10 15:54 . 2008-05-10 15:54 <DIR> d-------- C:\Program Files\Real
2008-05-10 15:54 . 2008-05-10 15:54 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-10 15:54 . 2008-05-10 15:54 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-10 14:26 . 2008-05-10 14:26 685,322 --a------ C:\WINDOWS\unins000.exe
2008-05-10 14:26 . 2008-05-10 14:26 4,373 --a------ C:\WINDOWS\unins000.dat
2008-05-10 13:57 . 2008-05-18 20:56 45 --a------ C:\WINDOWS\PCDNSetting.ini
2008-05-10 13:57 . 2008-05-18 20:56 27 --a------ C:\WINDOWS\ppssg.ini
2008-05-10 13:55 . 2008-05-10 14:27 20 --a------ C:\WINDOWS\powerlist.ini
2008-05-10 13:54 . 2008-05-18 18:14 <DIR> d-------- C:\Program Files\PPStream
2008-05-10 13:54 . 2008-05-18 20:57 1,089 --a------ C:\WINDOWS\psnetwork.ini
2008-05-10 13:54 . 2008-05-18 18:52 626 --a------ C:\WINDOWS\powerplayer.ini
2008-05-09 23:24 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-09 23:16 . 2008-05-15 22:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-09 23:11 . 2008-02-27 07:29 5,760,054 --a------ C:\WINDOWS\Utopia-wallpaper-4x3.bmp
2008-05-09 18:00 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-09 18:00 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-09 01:05 . 2008-05-17 00:32 162,432 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-05-08 23:39 . 2002-04-29 23:44 153,718 --a------ C:\WINDOWS\boot.bmp
2008-05-08 23:39 . 2008-05-08 23:49 211 --ahs---- C:\boot_bk.ini
2008-05-08 22:57 . 2008-05-08 22:57 1,027,504 --a------ C:\WINDOWS\system32\ntoskrnl.rar
2008-05-08 22:33 . 2008-05-08 22:33 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-08 22:14 . 2008-05-08 22:14 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2008-05-08 21:43 . 2008-05-08 21:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-08 21:34 . 2008-05-08 21:34 <DIR> d-------- C:\Documents and Settings\Owner\Contacts
2008-05-08 21:27 . 2008-05-08 21:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-05-08 21:17 . 2008-05-08 21:18 <DIR> d-------- C:\WINDOWS\system32\Resources
2008-05-08 21:14 . 2008-04-14 08:12 514,560 --a------ C:\WINDOWS\system32\lgstar.exe
2008-05-08 21:14 . 2008-05-08 21:14 244 --ah----- C:\sqmnoopt03.sqm
2008-05-08 21:14 . 2008-05-08 21:14 232 --ah----- C:\sqmdata03.sqm
2008-05-08 20:47 . 2008-05-18 21:14 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\NTUSER.DAT.LOG
2008-05-08 20:47 . 2008-05-08 20:47 244 --ah----- C:\sqmnoopt02.sqm
2008-05-08 20:47 . 2008-05-08 20:47 232 --ah----- C:\sqmdata02.sqm
2008-05-08 20:14 . 2008-05-08 20:14 244 --ah----- C:\sqmnoopt01.sqm
2008-05-08 20:14 . 2008-05-08 20:14 232 --ah----- C:\sqmdata01.sqm
2008-05-08 16:53 . 2008-05-08 20:50 132,981 --a------ C:\WINDOWS\system32\logonui.rar
2008-05-08 16:42 . 2008-05-08 16:42 244 --ah----- C:\sqmnoopt00.sqm
2008-05-08 16:42 . 2008-05-08 16:42 232 --ah----- C:\sqmdata00.sqm
2008-05-08 04:37 . 2008-04-14 02:40 57,600 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-05-08 04:37 . 2001-08-17 21:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-05-08 04:36 . 2008-04-14 08:12 151,552 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 04:36 . 2008-04-14 02:54 88,192 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 04:36 . 2001-08-17 20:10 35,913 --a------ C:\WINDOWS\system32\drivers\smcirda.sys
2008-05-08 04:36 . 2008-04-14 08:11 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 04:36 . 2001-08-17 21:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 04:36 . 2008-04-14 08:12 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 04:35 . 2008-04-14 08:12 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-05-08 04:35 . 2001-08-17 21:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-08 04:35 . 2008-04-14 02:40 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-05-08 04:35 . 2004-01-17 20:15 4,864 --a------ C:\WINDOWS\system32\drivers\fuj02e3.sys
2008-05-08 04:34 . 2008-04-14 02:36 14,208 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-05-08 04:34 . 2008-04-14 02:36 13,952 --a------ C:\WINDOWS\system32\drivers\cmbatt.sys
2008-05-08 04:34 . 2008-04-14 02:36 10,240 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-05-08 04:31 . 2008-05-08 20:47 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS
2008-05-08 04:31 . 2008-05-09 21:36 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-05-08 04:27 . 2008-05-07 20:52 1,306 --a------ C:\WINDOWS\system32\$winnt$.inf
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Program Files\WinCustomize
2008-05-08 02:16 . 2008-05-08 02:16 218,624 --------- C:\WINDOWS\system32\uxtheme.rxp
2008-05-08 02:16 . 2008-05-08 02:16 218,624 --a--c--- C:\WINDOWS\system32\dllcache\uxtheme.rxp
2008-05-08 02:00 . 2008-05-18 20:56 57,465 --a------ C:\WINDOWS\system32\oodbs.lor
2008-05-08 01:59 . 2008-05-10 19:28 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-05-08 01:51 . 2008-05-08 01:51 0 --a------ C:\WINDOWS\OODCNT.INI
2008-05-08 01:21 . 2008-05-08 01:21 <DIR> d-------- C:\Program Files\OO Software
2008-05-08 01:11 . 2008-05-10 23:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\QQUpdate
2008-05-08 01:10 . 2008-05-08 01:10 <DIR> d-------- C:\Program Files\AuthenTec
2008-05-08 00:55 . 2008-05-08 00:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\QQMusicUpdate
2008-05-08 00:01 . 2008-05-08 21:36 24 --a------ C:\WINDOWS\LogonStudio.ini
2008-05-08 00:00 . 2000-05-17 09:52 187,392 --a------ C:\WINDOWS\system32\JPGUtils.dll
2008-05-07 23:55 . 2008-05-07 23:55 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-07 23:54 . 2008-05-07 23:54 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-07 23:54 . 2008-05-07 23:54 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-07 23:54 . 2008-05-07 23:55 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-07 23:51 . 2008-05-07 23:55 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 23:50 . 2008-05-07 23:50 0 --------- C:\WINDOWS\WB.ini
2008-05-07 23:49 . 2008-04-26 16:14 42,672 --------- C:\WINDOWS\system32\wbsys.dll
2008-05-07 23:40 . 2008-05-08 20:29 <DIR> d-------- C:\WINDOWS\EHome
2008-05-07 23:31 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-07 23:21 . 2008-05-09 01:05 <DIR> d-------- C:\Program Files\Stardock
2008-05-07 23:21 . 2008-05-07 23:21 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-05-07 23:15 . 2008-05-07 23:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nexon
2008-05-07 23:11 . 2008-05-08 01:18 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-07 23:10 . 2008-04-14 08:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-07 23:01 . 2008-05-07 23:01 288 --a------ C:\WINDOWS\ODBC.INI
2008-05-07 23:00 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-05-07 23:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-07 23:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-07 23:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-07 23:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-07 22:52 . 2008-05-07 22:52 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-05-07 22:48 . 2008-05-07 22:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-07 22:47 . 2008-05-10 16:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 22:47 . 2008-05-07 22:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 22:34 . 2008-04-14 02:46 85,248 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2008-05-07 22:34 . 2008-04-14 02:46 19,200 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2008-05-07 22:34 . 2008-04-14 02:46 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2008-05-07 22:34 . 2008-04-14 08:12 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-05-07 22:34 . 2008-04-14 02:46 15,232 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2008-05-07 22:34 . 2008-04-14 02:46 11,136 --a------ C:\WINDOWS\system32\drivers\slip.sys
2008-05-07 22:34 . 2008-04-14 02:46 10,880 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2008-05-07 22:34 . 2008-04-14 02:39 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 13:14 --------- d-----w C:\Program Files\Incesoft
2008-05-13 09:15 --------- d-----w C:\Program Files\Microsoft Works
2008-05-11 10:24 --------- d-----w C:\Program Files\Tencent
2008-05-11 04:39 --------- d-----w C:\Program Files\SogouInput
2008-05-10 18:17 --------- d-----w C:\Program Files\MSBuild
2008-05-10 09:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 07:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-10 07:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-09 09:56 --------- d-----w C:\Program Files\V-Gear BEE
2008-05-08 15:32 --------- d-----w C:\Program Files\Windows Live
2008-05-08 11:49 4,325,888 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-05-07 14:17 --------- d-----w C:\Program Files\Java
2008-05-07 14:16 --------- d-----w C:\Program Files\Common Files\snpstd3
2008-05-07 14:11 --------- d-----w C:\Program Files\TTPlayer
2008-05-07 13:59 --------- d-----w C:\Program Files\IrfanView
2008-05-07 13:53 --------- d-----w C:\Program Files\QuickTime
2008-05-07 13:40 --------- d-----w C:\Program Files\Prolink Hurricane 9000C
2008-05-04 16:12 --------- d-----w C:\Documents and Settings\XiaoZi\Application Data\U3
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:15 218,134 ----a-w C:\WINDOWS\AppPatch\SET6AE.tmp
2008-04-14 00:15 204,396 ----a-w C:\WINDOWS\AppPatch\SET6AD.tmp
2008-04-14 00:15 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET6AC.tmp
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 299,520 ------w C:\WINDOWS\system32\SET1291.tmp
2008-04-14 00:13 299,520 ------w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\SET411.tmp
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 177,152 ----a-w C:\WINDOWS\system32\SET11FF.tmp
2008-04-14 00:10 14,848 ----a-w C:\WINDOWS\system32\SET428.tmp
2008-04-13 21:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-13 21:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-13 21:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:27 2,473,600 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
.

------- Sigcheck -------

2008-04-14 03:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-14 03:27 2473600 a09b0a29d94b95af87130ca348f929cf C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 03:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:12 15360]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-04-24 18:09 162976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadFUJ02E3"="C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-03-24 14:28 69632]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 10:53 81920]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-07-01 15:58 88201 C:\WINDOWS\AGRSMMSG.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-03 15:15 725082]
"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2005-03-24 14:43 242688]
"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-03-24 14:41 61440]
"ATSwpNav"="C:\Program Files\Fingerprint Sensor\ATSwpNav -run" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 11:39 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 11:43 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 21:12 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 21:10 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 14:51 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 15:58 65536]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 15:55 339968]
"tsnpstd3"="C:\Program Files\Common Files\snpstd3\tsnpstd3.exe" [2005-12-20 14:39 94208]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 19:39 14850560 C:\WINDOWS\RTHDCPL.EXE]
"Microsoft Pinyin IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.exe" [2006-10-26 14:53 32560]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 08:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\XiaoZi\Start Menu\Programs\Startup\
QQ游戏启动加速程序.lnk - C:\Program Files\Tencent\QQGAME\Accel.exe [2008-03-18 18:09:34 42424]
Scheduler.lnk - C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe [2008-05-07 21:42:56 464240]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
Scheduler.lnk - C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe [2008-05-07 21:42:56 464240]
珊瑚虫.lnk - C:\Program Files\Tencent\QQ\CoralQQ.exe [2007-02-14 22:25:16 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="%windir%\\Resources\\LogonUI\\peaceful-fantasies\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-05-08 01:38 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQPet\\QQPetAgent.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQPet\\QQPenguin\\QQPenguin.EXE"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\V-Gear BEE\\VBService.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQMusic.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Games\\三国战纪\\kaillerasrv.exe"=
"C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQLiveUpdate.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Tencent\\QQ\\QzoneMusic.exe"=
"D:\\Games\\DcOo CS1.6 中文版\\cstrike.exe"=
"C:\\Program Files\\Tencent\\QQGAME\\QQGameDl.exe"=
"D:\\Games\\DcOo CS1.6 中文版\\hltv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Games\\y1???\\kaillerasrv.exe"=
"D:\\Games\\DcOo CS1.6 ?D???\\cstrike.exe"=
"D:\\Games\\DcOo CS1.6 ?D???\\hltv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:W3
"6112:UDP"= 6112:UDP:wc3

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2005-07-08 14:06]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2005-04-07 16:28]
R0 QuakeDRV;QuakeDRV;C:\WINDOWS\system32\DRIVERS\quakedrv.sys [2003-06-19 22:07]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;C:\WINDOWS\system32\DRIVERS\FUJ02E3.sys [2004-01-17 20:15]
S1 rxp;rxp;C:\WINDOWS\system32\drivers\rxp.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 21:17:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 21:19:14
ComboFix-quarantined-files.txt 2008-05-18 13:19:05

Pre-Run: 19,789,254,656 bytes free
Post-Run: 19,842,453,504 bytes free

417 --- E O F --- 2008-05-17 15:57:12

#10 mien Gemini (Member; Full Member, 83 posts)

Posted 18 May 2008 - 07:31 AM

Something to add..

I see ComboFix deleted files in "C:\Program Files\Incesoft\XiaoiAlerts"

I wonder, is something wrong with it?

as I don't see the harm that it caused me

Edited by DaRkSkY, 18 May 2008 - 07:32 AM.


#11 snemelk (engineer; Expert, 3,099 posts)

Posted 19 May 2008 - 06:53 PM

Hi again!!..:).

> PPS Accelerator is one of the "plugins" for PPStream, anything wrong with it?


No, I don't think so... I just wanted to make sure... Sometimes it is better to ask!..:).

> also, "O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE" should be part of the sound manager, is it infected or something?


Yes, it's considered malware...

Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

So we always ask users to remove it...

> Something to add..
>
> I see ComboFix deleted files in "C:\Program Files\Incesoft\XiaoiAlerts"
>
> I wonder, is something wrong with it?
>
> as I don't see the harm that it caused me


Hmmm... As far as I know it's often installed without the user's approval...

Did you install it??.. Have you been using this program??.. Let me know!.. :thumbup:

I'll review ComboFix log later tomorrow... I'm sorry, but I had a really busy day... :huh:

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#12 mien Gemini (Member; Full Member, 83 posts)

Posted 23 May 2008 - 12:27 PM

Hihi...

it seems bad..

the thread was cleared too..

anyway.. here's the report


BitDefender Online Scanner


Scan report generated at: Thu, May 22, 2008 - 19:50:01

Scan path: C:\;D:\;E:\;G:\;


Statistics

Time: 00:47:39
Files: 114432
Folders: 6940
Boot Sectors: 3
Archives: 1209
Packed Files: 371

Results

Identified Viruses: 7
Infected Files: 127
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 126

Engines Info

Virus Definitions: 1175572
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 4
Archive plugins: 11
Unpack plugins: 3
E-mail plugins: 1
System plugins: 1

Scan Settings

First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File | Status

C:\Autorun.inf | Infected with: Win32.Worm.VB.NPM
C:\Autorun.inf | Deleted
C:\Recycled\INFO.EXE | Infected with: Win32.Worm.VB.NRM
C:\Recycled\INFO.EXE | Disinfection failed
C:\Recycled\INFO.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP41\A0017966.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP41\A0017966.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018128.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018128.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018173.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018173.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018235.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018235.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019235.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019235.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019263.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019263.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020304.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020304.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020342.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020342.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020790.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020790.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021101.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021101.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021165.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021165.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023522.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023522.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023523.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023523.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023525.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023525.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023527.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023527.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023527.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023538.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023538.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023539.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023539.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023541.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023541.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023543.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023543.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023543.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023563.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023563.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023564.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023564.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023565.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023565.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023567.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023567.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023567.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023579.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023579.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023580.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023580.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023581.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023581.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023583.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023583.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023583.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024579.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024579.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024580.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024580.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024581.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024581.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024584.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024584.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024584.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024610.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024610.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024611.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024611.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024612.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024612.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024614.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024614.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024614.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024660.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024660.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024661.exe | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024661.exe | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024662.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024662.inf | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024664.EXE | Infected with: Win32.Worm.VB.NRM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024664.EXE | Disinfection failed
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024664.EXE | Deleted
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024716.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024716.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019864.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019864.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019951.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019951.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020026.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020026.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020044.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020044.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020060.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020060.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020071.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020071.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020084.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020084.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020094.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020094.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020105.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020105.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020376.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020376.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020394.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020394.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020405.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020405.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020416.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020416.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020436.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020436.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020714.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020714.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020732.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020732.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021751.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021751.inf | Deleted
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021775.inf | Infected with: Win32.Worm.VB.NPM
C:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021775.inf | Deleted
C:\WINDOWS\Config\Svchost.exe | Infected with: Win32.Worm.VB.NPM
C:\WINDOWS\Config\Svchost.exe | Deleted
C:\WINDOWS\Config\System.exe | Infected with: Win32.Worm.VB.NPM
C:\WINDOWS\Config\System.exe | Deleted
C:\WINDOWS\System.exe | Infected with: Win32.Worm.VB.NRM
C:\WINDOWS\System.exe | Disinfection failed
C:\WINDOWS\System.exe | Delete failed
D:\Autorun.inf | Infected with: Win32.Worm.VB.NPM
D:\Autorun.inf | Deleted
D:\Recycled\INFO.EXE | Infected with: Win32.Worm.VB.NRM
D:\Recycled\INFO.EXE | Disinfection failed
D:\Recycled\INFO.EXE | Deleted
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP125\A0056613.rbf | Infected with: DeepScan:Generic.Malware.G!SDHVg.BBACE0D9
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP125\A0056613.rbf | Disinfection failed
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP125\A0056613.rbf | Deleted
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP134\A0059867.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP134\A0059867.inf | Deleted
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP135\A0059939.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP135\A0059939.inf | Deleted
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP135\A0060017.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP135\A0060017.inf | Deleted
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP136\A0060120.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP136\A0060120.inf | Deleted
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP136\A0060139.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{1EF2DDA0-045B-47E4-8742-A752F656EA50}\RP136\A0060139.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP41\A0017969.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP41\A0017969.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018132.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018132.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018176.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018176.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018239.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0018239.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019238.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019238.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019267.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP43\A0019267.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020307.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020307.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020345.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020345.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020794.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP49\A0020794.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021104.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021104.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021168.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP51\A0021168.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023528.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023528.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023530.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023530.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023530.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023545.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023545.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023547.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023547.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023547.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023568.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023568.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023571.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023571.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023571.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023584.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023584.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023587.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023587.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0023587.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024585.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024585.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024587.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024587.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP56\A0024587.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024616.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024616.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024618.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024618.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024618.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024665.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024665.inf | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024667.EXE | Infected with: Win32.Worm.VB.NRM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024667.EXE | Disinfection failed
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024667.EXE | Deleted
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024718.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{93732394-077A-46CE-8CAA-981FCA4EA84C}\RP57\A0024718.inf | Deleted
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP12\A0000444.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP12\A0000444.inf | Deleted
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP12\A0000466.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP12\A0000466.inf | Deleted
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP17\A0000570.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP17\A0000570.inf | Deleted
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP17\A0000618.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP17\A0000618.inf | Deleted
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP57\A0001279.inf | Infected with: Win32.Worm.VB.NPM
D:\System Volume Information\_restore{98F0233B-51AE-4ED9-8578-27C7DFD6288F}\RP57\A0001279.inf | Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019867.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019867.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019954.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0019954.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020031.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020031.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020047.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020047.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020063.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020063.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020074.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020074.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020087.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020087.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020097.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP64\A0020097.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020354.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020354.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020379.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020379.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020397.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020397.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020408.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020408.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020419.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020419.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020439.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020439.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020717.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020717.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020735.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020735.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020742.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0020742.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021754.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021754.inf


Deleted

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021778.inf


Infected with: Win32.Worm.VB.NPM

D:\System Volume Information\_restore{C6E572ED-0E54-45CA-A125-17462C3C7191}\RP65\A0021778.inf


Deleted

D:\Tools\Crack\sothink.exe


Infected with: Trojan.Generic.257205

D:\Tools\Crack\sothink.exe


Disinfection failed

D:\Tools\Crack\sothink.exe


Deleted

D:\_OTMoveIt\MovedFiles\05222008_184528\Games\WinAircrackPack\aircrack.exe


Infected with: Trojan.NTPacker

D:\_OTMoveIt\MovedFiles\05222008_184528\Games\WinAircrackPack\aircrack.exe


Disinfection failed

D:\_OTMoveIt\MovedFiles\05222008_184528\Games\WinAircrackPack\aircrack.exe


Deleted

D:\_OTMoveIt\MovedFiles\05222008_184528\Recycled\INFO.EXE


Infected with: Win32.Worm.VB.NRM

D:\_OTMoveIt\MovedFiles\05222008_184528\Recycled\INFO.EXE


Disinfection failed

D:\_OTMoveIt\MovedFiles\05222008_184528\Recycled\INFO.EXE


Deleted

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\Config\Svchost.exe


Infected with: Win32.Worm.VB.NPM

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\Config\Svchost.exe


Deleted

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\Config\System.exe


Infected with: Win32.Worm.VB.NPM

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\Config\System.exe


Deleted

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\System.exe


Infected with: Win32.Worm.VB.NRM

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\System.exe


Disinfection failed

D:\_OTMoveIt\MovedFiles\05222008_184528\WINDOWS\System.exe


Deleted

Edited by DaRkSkY, 23 May 2008 - 12:29 PM.


#13 mien Gemini

mien Gemini

    Member

  • Full Member
  • 83 posts

Posted 23 May 2008 - 12:28 PM

MoveIt log

C:\Recycled\INFO.EXE moved successfully.
C:\WINDOWS\Config\Svchost.exe moved successfully.
C:\WINDOWS\Config\System.exe moved successfully.
C:\WINDOWS\System.exe moved successfully.
D:\Games\WinAircrackPack\aircrack.exe moved successfully.
D:\Recycled\INFO.EXE moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05222008_184528




HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:56 PM, on 5/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TXPlatform.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Thunder Network\Thunder\Plugins\XLSafeHost\ThunderKAV\bin\ScanningProcess.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
D:\HiJackThis.exe

F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210256026687
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 8479 bytes

#14 snemelk

snemelk

    engineer

  • Expert
  • 3,099 posts

Posted 23 May 2008 - 01:05 PM

Hi again DaRkSkY!..

We had problems with the forum: read here
Anyway, I'm glad you posted the logs!..

The bad information: infection is back once again... :hmmm:
I'll review the logs later today to check what I'm missing... I think I know, but I'll have to think about it... :).

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#15 snemelk

snemelk

    engineer

  • Expert
  • 3,099 posts

Posted 23 May 2008 - 06:01 PM

The bad information: infection is back once again... :hmmm:

... or maybe not completely removed after it got regenerated... ;)..

Anyway, if it's still fully active, I would like to attack it in a different way...

Please download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your Desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Please plug in any pendrives (or Flash disks) you use, any USB memory cards, etc. - they may be infected and reinfect you every time you plug them in...
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Edited by snemelk, 23 May 2008 - 06:03 PM.


#16 mien Gemini

mien Gemini

    Member

  • Full Member
  • 83 posts

Posted 23 May 2008 - 10:51 PM

Hi,

Could it be my pendrive?
But my pendrive has its own anti-virus (McAfee),
so I think there would be a low chance of it being infected.

The report can't be displayed, so I uploaded it.
Due to the size limitation, I uploaded it to Mediafire.

Here's the link

http://www.mediafire.com/?xbmn1jmnthb

Edited by DaRkSkY, 23 May 2008 - 10:57 PM.


#17 snemelk

snemelk

    engineer

  • Expert
  • 3,099 posts

Posted 24 May 2008 - 05:51 PM

Hi again!..

Yes, your pendrive is infected...

Anyway, the infection keeps regenerating whenever you click the disc icon or plug in an infected pendrive...
You can read about the infection here and here.

Plug in the pendrives the same way you did before...
I want you to have an infected pendrive visible as I:\
Drive I: | 3.81 Gb Total Space | 2.14 Gb Free Space | 56.21% Space Free | Partition Type: FAT32
It's important...

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Processes - Non-Microsoft Only]
NY -> system.exe -> %SystemRoot%\System.exe
[Driver Services - Non-Microsoft Only]
NY -> (rxp) rxp [Kernel | System | Stopped] -> %SystemRoot%\system32\drivers\rxp.sys
[Registry - Non-Microsoft Only]
< Windows NT\\Load [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\load
NY -> System -> %SystemRoot%\System.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
NY -> System -> %SystemRoot%\System.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Drives - Autoruns > -> 
NY -> Autorun.inf [[autorun] | open= |  | shell\open\Command=RECYCLED\INFO.exe | shell\open\Default=1 | shell\explore\Command=RECYCLED\INFO.exe | ] -> %SystemDrive%\Autorun.inf [ NTFS ]
NY -> Autorun.inf [[autorun] | open= |  | shell\open\Command=RECYCLED\INFO.exe | shell\open\Default=1 | shell\explore\Command=RECYCLED\INFO.exe | ] -> D:\Autorun.inf [ NTFS ]
NY -> Autorun.inf [[autorun] | open= |  | shell\open\Command=RECYCLED\INFO.exe | shell\open\Default=1 | shell\explore\Command=RECYCLED\INFO.exe | ] -> I:\Autorun.inf [ FAT32 ]
[Files/Folders - Created Within 30 days]
NY -> Autorun.inf -> %SystemDrive%\Autorun.inf
NY -> ALCMTR.EXE -> %SystemRoot%\ALCMTR.EXE
[Files/Folders - Modified Within 30 days]
NY -> Autorun.inf -> %SystemDrive%\Autorun.inf
NY -> Recycled -> %SystemDrive%\Recycled
[Extra Files]
C:\Recycled
D:\Recycled
I:\Recycled
C:\WINDOWS\Config\Svchost.exe
C:\WINDOWS\Config\System.exe
C:\WINDOWS\System.exe

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.


Post also a fresh HijackThis log...

An antivirus on the U3 platform on a pendrive doesn't give you enough protection because it is not a real-time scanner...

Looking over your log, it seems you don't have any evidence of anti-virus software. This is suicidal in today's world.

Here are my three proposals. They are free versions of commercial programs. Please download, install, and update an antivirus program - choose only ONE.

AVG,
Help overview http://free.grisoft....num/616#faq_616

Avira
Avira PersonalEdition Classic
http://www.free-av.c.../allinonen.html

Here is a tutorial on its setup and use:
http://www.techsuppo...rticles/64.html

Avast!
How to Install, Configure, and Use Avast Antivirus

Then please perform a full system scan with the installed antivirus and post the results...

I'm waiting for the logs!!..
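As an added illustration (not code from the thread, nor from OTScanIt or HijackThis), here is a small Python checker for the two persistence points the fix above targets: an Autorun.inf whose open/explore verbs run RECYCLED\INFO.exe from the drive root, and the win.ini load= / Winlogon UserInit values that chain the extra "System" program after userinit.exe. The sample inputs are constructed from the values quoted in the thread.

```python
"""
Flag autorun.inf and HijackThis F2/F3 artifacts of the kind seen in this
thread. Added example; the sample inputs below are constructed from the
values the OTScanIt and HijackThis logs show, not read from a live system.
"""
import re
from typing import Dict, List

# Constructed sample: the Autorun.inf as OTScanIt summarised it on C:, D: and I:.
SAMPLE_AUTORUN_INF = """[autorun]
open=
shell\\open\\Command=RECYCLED\\INFO.exe
shell\\open\\Default=1
shell\\explore\\Command=RECYCLED\\INFO.exe
"""

# Constructed sample: a harmless vendor autorun.inf that only sets an icon/label.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

# Constructed sample: HijackThis lines, two of which appear in the thread's log.
SAMPLE_HJT_LINES = [
    "F3 - REG:win.ini: load=System",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,System",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
]

# Autorun keys through which Explorer launches a program when the drive icon is
# opened or double-clicked (shell\<verb>\command keys are lower-cased by parse).
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value mapping."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> List[str]:
    """Describe every autorun key that would execute a program from the drive."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key in EXEC_KEYS:
        target = entries.get(key, "")
        if not target:
            continue
        low = target.lower()
        # The worm in this thread hides its dropper in a fake Recycled folder.
        if "recycled" in low or "recycler" in low:
            findings.append(f"{key} runs a program from a Recycled folder: {target}")
        elif low.endswith(EXEC_EXTS):
            findings.append(f"{key} launches an executable from the drive root: {target}")
    return findings


HJT_INI_RE = re.compile(r"^F([23]) - REG:(win|system)\.ini: (\w+)=(.*)$")


def hijackthis_findings(lines: List[str]) -> List[str]:
    """Flag win.ini load= and UserInit values that start an extra program at logon."""
    findings: List[str] = []
    for line in lines:
        m = HJT_INI_RE.match(line.strip())
        if not m:
            continue
        _, ini, key, value = m.groups()
        if ini == "win" and key.lower() == "load" and value.strip():
            # The legacy load= entry is normally empty; anything here runs at logon.
            findings.append(f"win.ini load= starts '{value.strip()}' at logon")
        if ini == "system" and key.lower() == "userinit":
            parts = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append("UserInit chains extra program(s) after userinit.exe: "
                                + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_AUTORUN_INF) + hijackthis_findings(SAMPLE_HJT_LINES):
        print("FINDING:", f)
    print("benign autorun.inf findings:", autorun_findings(BENIGN_AUTORUN_INF))
```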

#18 mien Gemini

mien Gemini

    Member

  • Full Member
  • 83 posts

Posted 25 May 2008 - 06:16 AM

Hi..

Sorry, I was quite busy with school work...

Here's the OTScanIt log

[Processes - Non-Microsoft Only]
Process system.exe killed successfully.
C:\WINDOWS\System.exe moved successfully.
[Driver Services - Non-Microsoft Only]
Service rxp stopped successfully.
Service rxp deleted successfully.
File C:\WINDOWS\system32\drivers\rxp.sys not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\System not found.
File C:\WINDOWS\System.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:System deleted successfully.
File C:\WINDOWS\System.exe not found.
C:\Autorun.inf moved successfully.
D:\Autorun.inf moved successfully.
I:\Autorun.inf moved successfully.
[Files/Folders - Created Within 30 days]
File C:\Autorun.inf not found!
C:\WINDOWS\ALCMTR.EXE moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\Autorun.inf not found!
C:\Recycled folder moved successfully.
[Extra Files]
< C:\Recycled >
File/Folder C:\Recycled not found.
< D:\Recycled >
D:\Recycled folder moved successfully.
< I:\Recycled >
I:\Recycled folder moved successfully.
< C:\WINDOWS\Config\Svchost.exe >
C:\WINDOWS\Config\Svchost.exe moved successfully.
< C:\WINDOWS\Config\System.exe >
C:\WINDOWS\Config\System.exe moved successfully.
< C:\WINDOWS\System.exe >
File/Folder C:\WINDOWS\System.exe not found.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.3 fix logfile created on 05252008_134942


HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:49 PM, on 5/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TXPlatform.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\HiJackThis.exe

F3 - REG:win.ini: load=System
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210256026687
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 8700 bytes

#19 mien Gemini

mien Gemini

    Member

  • Full Member
  • Pip
  • 83 posts

Posted 25 May 2008 - 06:17 AM

Report from AVG

Scan "Scan whole computer" was finished.
Infections found:;"10"
Infected objects removed or healed;"10"
Not removed or healed.;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"50"
Information count:;"0"
Scan started:;"Sunday, May 25, 2008, 2:28:27 PM"
Total object scanned:;"531667"
Time needed:;"5 hour(s) 3 minute(s) 22 second(s) "
Errors encountered:;"0"

Infections
File;"Infection";"Result"
C:\Documents and Settings\All Users.WINDOWS\Application Data\Thunder Network\KanKan\PlayerHelper.dll;"Trojan horse Proxy.ABRN";"Moved to Virus Vault"
C:\Program Files\Thunder Network\Thunder\Components\InMedia\PlayerHelper.dll;"Trojan horse Proxy.ABRN";"Moved to Virus Vault"
D:\OTScanIt\MovedFiles\05252008_134942\C_\Recycled\INFO.EXE;"Trojan horse Dropper.Generic.TEL";"Moved to Virus Vault"
D:\OTScanIt\MovedFiles\05252008_134942\C_WINDOWS\Config\Svchost.exe;"Virus identified Worm/Generic.EHY";"Moved to Virus Vault"
D:\OTScanIt\MovedFiles\05252008_134942\C_WINDOWS\Config\System.exe;"Virus identified Worm/Generic.EHY";"Moved to Virus Vault"
D:\OTScanIt\MovedFiles\05252008_134942\C_WINDOWS\System.exe;"Trojan horse Dropper.Generic.TEL";"Moved to Virus Vault"
D:\OTScanIt\MovedFiles\05252008_134942\D_\Recycled\INFO.EXE;"Trojan horse Dropper.Generic.TEL";"Moved to Virus Vault"
D:\OTScanIt\MovedFiles\05252008_134942\I_\Recycled\INFO.EXE;"Trojan horse Dropper.Generic.TEL";"Moved to Virus Vault"
D:\Tools\Audi WM.zip:\4vnDW\4vnDW.exe;"Virus identified Worm/Spybot.BMF";"Moved to Virus Vault"
D:\Tools\Audi WM.zip;"Virus identified Worm/Spybot.BMF";"Moved to Virus Vault"

Warnings
File;"Infection";"Result"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66};"Found Adware.RogueSuspect";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593};"Found Adware.RogueSuspect";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tribalfusion.com.9bc3e98f;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tribalfusion.com.8b22ad8c;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tribalfusion.com.7610f0e0;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\doubleclick.net.bf396750;"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.e762f029;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.557bf2b0;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.b68f2b7b;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.830b6f08;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.ff92306;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.539b0606;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\ad.yieldmanager.com.8a47878;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\revsci.net.3f4566dd;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\revsci.net.55564293;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\revsci.net.2df99d79;"Found Tracking cookie.Revsci";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\fastclick.net.8a6435e9;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\fastclick.net.fac3d6f0;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\fastclick.net.57e8da10;"Found Tracking cookie.Fastclick";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\statcounter.com.49a7cca2;"Found Tracking cookie.Statcounter";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\statcounter.com.e927637c;"Found Tracking cookie.Statcounter";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\statcounter.com.60834fac;"Found Tracking cookie.Statcounter";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\statcounter.com.88ab393f;"Found Tracking cookie.Statcounter";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\hitbox.com.bbf2a6e8;"Found Tracking cookie.Hitbox";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\hitbox.com.2b95f8a3;"Found Tracking cookie.Hitbox";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tacoda.net.e9f57f8;"Found Tracking cookie.Tacoda";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\advertising.com.203aa218;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tacoda.net.ed9c50d1;"Found Tracking cookie.Tacoda";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tacoda.net.27341d57;"Found Tracking cookie.Tacoda";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tacoda.net.5935e89;"Found Tracking cookie.Tacoda";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tacoda.net.d323296e;"Found Tracking cookie.Tacoda";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\advertising.com.b624fa46;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\advertising.com.f62113d5;"Found Tracking cookie.Advertising";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tacoda.net.c4fe2ebb;"Found Tracking cookie.Tacoda";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\tradedoubler.com.eab0972e;"Found Tracking cookie.Tradedoubler";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\adbrite.com.e3b6fcdd;"Found Tracking cookie.Adbrite";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\adbrite.com.d5e309c2;"Found Tracking cookie.Adbrite";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\adbrite.com.71beeff9;"Found Tracking cookie.Adbrite";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\overture.com.8e32a996;"Found Tracking cookie.Overture";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\casalemedia.com.3a28db8d;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\casalemedia.com.80ad4799;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\casalemedia.com.f31be13a;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\casalemedia.com.1773afc;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt:\casalemedia.com.987e6b46;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
C:\Documents and Settings\XiaoZi\Application Data\Mozilla\Firefox\Profiles\68r7uc0t.default\cookies.txt;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"

#20 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 25 May 2008 - 07:36 AM

Sorry, I was quite busy with school work...

Hi again!!..:).

I understand you because I also have a lot to do for school..:D.

Anyway, it looks nice..:).

Please run a scan in HijackThis and check the following item:

F3 - REG:win.ini: load=System


Then, close all open windows, except HijackThis and click: Fix checked.

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66}]

[-HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

To remove all of the tools we used and the files and folders they created do the following:

  • Start OTScanIt
    Click the CleanUp button
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.

Please, set up a new System Restore point:

Turn off System Restore

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then, to turn it back on:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.


Updating Java:
  • Go here and download the latest version of Java:
    http://java.sun.com/...loads/index.jsp
  • Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    They should have the Java icon next to any that are there.
    Select any found and click Remove.
  • Then install the version you downloaded earlier.

* Clean your Cache and Cookies in Firefox:

* Go to Tools > Options.
* Click Privacy in the menu..
* Click the Clear now button below.. A new window will pop up asking what to clear.
* Select all and click the Clear button again.
* Click OK to close the Options window


Finally post a fresh HijackThis log!..:).

Edited by snemelk, 25 May 2008 - 07:38 AM.

c18903e63196580f.gif

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
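The win.ini load= item fixed above and the UserInit tail from the first log are both ways of starting an extra program at every logon. As an added example, not code from this post or from HijackThis, here is a small Python triage that flags any F2/F3 entry whose value goes beyond the stock Windows XP defaults; the sample log lines are constructed from the format seen in this thread and the default values are assumptions.

```python
"""Triage the F2/F3 (win.ini / system.ini) entries of a HijackThis log.

Added example for this thread; it is not code from HijackThis or from the
forum post. The sample log text is constructed from the line format seen in
the thread, and the expected values are assumptions about a stock Windows XP.
"""
import re
from typing import List, Optional

# Assumed Windows XP defaults, lower-cased for comparison: win.ini "load="
# and "run=" should be empty, system.ini "Shell=" should be explorer.exe only
# and "UserInit=" should list only userinit.exe. Anything extra is a program
# started at every logon, which is what the helper asked to be fixed.
EXPECTED = {
    "load": set(),
    "run": set(),
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# "F3 - REG:win.ini: load=System"  ->  section=F3 ini=win.ini key=load value=System
HJT_ENTRY = re.compile(
    r"^(?P<section>F[23]) - REG:(?P<ini>[\w.]+): (?P<key>\w+)=(?P<value>.*)$"
)

# Either a double-quoted path (may contain spaces) or a run of characters
# that are neither a comma nor whitespace; ini values use both separators.
TOKEN = re.compile(r'"[^"]*"|[^,\s]+')


def split_programs(value: str) -> List[str]:
    """Split an ini value into normalised (unquoted, lower-cased) program names."""
    return [tok.strip('"').lower() for tok in TOKEN.findall(value)]


def check_entry(line: str) -> Optional[str]:
    """Return a finding for an F2/F3 entry that deviates from the default, else None."""
    m = HJT_ENTRY.match(line.strip())
    if m is None:
        return None  # not an F2/F3 ini entry (O4, O23, ... are out of scope here)
    key = m.group("key").lower()
    if key not in EXPECTED:
        return None
    extra = [p for p in split_programs(m.group("value")) if p not in EXPECTED[key]]
    if not extra:
        return None
    return (f"{m.group('section')} {m.group('ini')} {key}= starts {extra} at logon; "
            f"expected {sorted(EXPECTED[key]) or 'nothing'}")


def triage(log_text: str) -> List[str]:
    """Run check_entry over every line of a HijackThis log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        finding = check_entry(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: the two ini entries this thread dealt with, a default
# UserInit line that must pass, and an O4 line that the F2/F3 check must ignore.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```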

#21 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 25 May 2008 - 05:09 PM

Hi again DaRkSkY!!..:).

One more question... I see you have the Tencent QQ instant messaging program installed... The program is not well known in Western countries and is sometimes classified as Adware...
Was this program installed by you on purpose??. Are you using this program??. Does it display many popups??..

#22 mien Gemini

mien Gemini

    Member

  • Full Member
  • Pip
  • 83 posts

Posted 30 May 2008 - 04:29 AM

Hi,

sorry for the delay, I just came back from a camp...

Everything is done

and

One more question... I see you have Tencent QQ instant messaging program installed... The program is not well known in Western countries and sometimes classified as Adware...
Was this program installed by you on purpose??. Are you using this program??. Does it display many popups??..


If I'm not wrong, Joker knows about this program;
I can only give you the basic information.

This program does pop up and was installed by me :D , however you can turn off the popups if you choose to.


Here's the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:09 PM, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Tencent\QQ\TXPlatform.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tencent\QQ\qqpet\QQPenguin\QQPenguin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
D:\HiJackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210256026687
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 8742 bytes

#23 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 30 May 2008 - 04:14 PM

Hi again!!..

Thank you for the information and for the log!..:).

The HijackThis log looks clean... :thumbup:

One question, though... I see you didn't update Java... Older versions have vulnerabilities that malware can use to infect your system. I recommend you use the instructions provided in my previous post and update Java...

Updating Java:

  • Go here and download the latest version of Java (Java Runtime Environment (JRE) 6 Update 6):
    http://java.sun.com/...loads/index.jsp
  • Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    They should have the Java icon next to any that are there.
    Select any found and click Remove.
  • Then install the version you downloaded earlier.


In order to prevent future infections follow these recommendations:

1. Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or remember to visit Windows Update on a regular basis to stay current with critical updates!

2. Install and run the following free programs:

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Tutorial - using IE-Spyad

Keep all these programs (including your anti-virus) up-to-date and run them regularly!
If you do not update regularly they will not be able to catch any of the new variants that may come out.

Whilst it is important to have active protection against spyware, please do not run more than one antispyware program's real-time protection at once, because they can conflict with each other.
The same applies to antiviruses and firewalls - only one program of the same type in resident mode.

3. Consider using an alternative browser, like Firefox or Opera. They are free, fast, fully customizable and secure - they are updated very quickly!

4. Last but not least, I recommend you read Tony Klein's excellent article: How I got Infected in the First Place?

Hopefully this should take care of your problems! Good luck! :thumbup:

#24 mien Gemini

mien Gemini

    Member

  • Full Member
  • Pip
  • 83 posts

Posted 30 May 2008 - 10:56 PM

Hi..

Hmm.. I updated Java later on,

the rest of the things, I think, were quite alright..

So I think the thread can be closed now..

Thanks for your hard work

#25 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 31 May 2008 - 07:55 AM

Hmm.. I updated Java later on,


Ok, no problem... :).

So I think the thread can be closed now..

Thanks for your hard work


You're welcome!.. :thumbup:

I'll close the thread in two weeks...

#26 mien Gemini

mien Gemini

    Member

  • Full Member
  • Pip
  • 83 posts

Posted 31 May 2008 - 11:04 AM

Sure,

Thanks again, I will reply to this thread if I get problems again.

#27 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 12 June 2008 - 11:00 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
