Another day, another chump with an infection

Post by billbonic » November 15th, 2007, 8:13 am

Hey guys,
I have been having a real headache with this one.
Already taken all the recommended actions. Am running Zone Alarm, Norton, and AVG anti-spyware. None has been able to fix the problem. Tried messing around with it in safe mode, still nothing.

The main culprit seems to be downloader.hmir.fq, though I am certain there are others.

Here is my logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:08 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\chen\「开始」菜单\程序\启动\msn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\chen\桌面\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D31AD8B6-E1D2-4C53-8A13-4037621CC510} - C:\WINDOWS\system32\ssqpm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6ac91.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6835 bytes

Help me!
One more thing. I am in China and my version of Windows is in Chinese, so if I need to do anything advanced please include a description of how to get there as I cannot easily navigate the windows.
billbonic

Re: Another day, another chump with an infection

Post by Katana » November 16th, 2007, 10:29 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download and Run ComboFix
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix SHOULD NOT be used without supervision
Katana

Re: Another day, another chump with an infection

Post by billbonic » November 17th, 2007, 1:40 am

ComboFix log (read from Notepad?):

VundoFix log:

VundoFix V6.5.11

Checking Java version...

Sun Java not detected
Scan started at 2:33:51 AM 11/11/2007

Listing files found while scanning....


VundoFix V6.5.11

Checking Java version...

Sun Java not detected
Scan started at 1:04:05 AM 11/13/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.11

Checking Java version...

Sun Java not detected
Scan started at 下午 05:02:14 2007-11-15

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 12:28:49 PM 11/17/2007

Listing files found while scanning....

C:\windows\system32\mpqss.bak1
C:\windows\system32\mpqss.bak2
C:\windows\system32\mpqss.ini
C:\windows\system32\ssqpm.dll

Beginning removal...

Attempting to delete C:\windows\system32\mpqss.bak1
C:\windows\system32\mpqss.bak1 Has been deleted!

Attempting to delete C:\windows\system32\mpqss.bak2
C:\windows\system32\mpqss.bak2 Has been deleted!

Attempting to delete C:\windows\system32\mpqss.ini
C:\windows\system32\mpqss.ini Has been deleted!

Attempting to delete C:\windows\system32\ssqpm.dll
C:\windows\system32\ssqpm.dll Has been deleted!

Performing Repairs to the registry.
Done!

HijackThis log, part 2:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39, on 2007-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\chen\「开始」菜单\程序\启动\msn.exe
C:\WINDOWS\system32\6ac91.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chen\桌面\HJT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\WINDOWS\system32\06a1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7765 bytes
billbonic

Re: Another day, another chump with an infection

Post by Katana » November 17th, 2007, 10:10 am

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Submit a File For Analysis
We need to have the file below scanned by uploading it to VirusTotal.

Please visit Virustotal
Copy/paste the following file path into the window:
C:\WINDOWS\system32\6ac91.exe
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\WINDOWS\system32\06a1.dll
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)

Close ALL open windows (especially Internet Explorer!)
Now click Fix checked
Click yes to any prompts
Close HijackThis

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
Katana
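As an added example (not a tool from this thread or from MalwareRemoval.com), here is a small Python triage script for the HijackThis log format posted above: it parses the O2, O4 and O23 lines and flags the traits the helper used to pick which lines to fix (a BHO with no display name, a registration pointing at a missing file, a service with an unknown owner, a hex-soup file name in system32). The heuristics are assumptions for illustration, and the sample lines are copied from this thread's logs.

```python
"""Triage helper for HijackThis-style logs (added example, not a MalwareRemoval.com tool).

The flagging rules below are assumed triage heuristics, not signatures: a flagged
line still needs a human look, and an unflagged line is not proven clean.
"""
import re

# Constructed sample: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\WINDOWS\system32\06a1.dll
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6ac91.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# O2 = Browser Helper Object, O4 = autostart Run key, O23 = installed service.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# A file stem made only of hex digits (at least one digit), e.g. 6ac91 or 06a1.
HEX_STEM_RE = re.compile(r"^(?=.*\d)[0-9a-f]{4,}$", re.IGNORECASE)


def executable_basename(path: str) -> str:
    """Return the file name of the executable/DLL a log entry points at."""
    p = path.replace("(file missing)", "").strip()
    if p.startswith('"'):  # quoted command line: keep only the quoted program
        p = p[1:].split('"', 1)[0]
    return p.replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_reasons(line: str) -> list[str]:
    """Return the triage reasons for one log line (empty list = nothing noteworthy)."""
    reasons: list[str] = []
    m = BHO_RE.match(line)
    if m:
        if m.group("name") == "(no name)":
            reasons.append("BHO registered without a display name")
    else:
        m = SVC_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                reasons.append("service with no identifiable vendor")
        else:
            m = RUN_RE.match(line)
    if m is None:
        return reasons  # not an O2/O4/O23 line: out of scope for this helper
    path = m.group("path")
    if "(file missing)" in path or path == "(no file)":
        reasons.append("registration points at a file that no longer exists")
    name = executable_basename(path)
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if "system32" in path.lower() and HEX_STEM_RE.match(stem):
        reasons.append(f"hex-soup file name in system32: {name}")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map every flagged log line to the list of reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = suspicious_reasons(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, the five lines it flags are exactly the ssqpm/06a1/(no file) BHOs and the two "Unknown owner" services, while the Adobe, Symantec and ccApp entries pass through untouched.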

Re: Another day, another chump with an infection

Post by billbonic » November 19th, 2007, 3:26 am

Okay,

From Jotti:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

DSS log:
Main:
Deckard's System Scanner v20071014.68
Run by chen on 2007-11-19 07:37:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2007-11-18 23:37:44 UTC - RP67 - Deckard's System Scanner Restore Point
51: 2007-11-18 06:46:55 UTC - RP66 - 系统检查点
50: 2007-11-17 05:26:46 UTC - RP65 - ComboFix created restore point
49: 2007-11-16 08:47:30 UTC - RP64 - 未签署驱动程序安装
48: 2007-11-16 07:21:43 UTC - RP63 - 未签署驱动程序安装


-- First Restore Point --
1: 2007-11-09 09:41:57 UTC - RP16 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as chen.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:39, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\chen\桌面\dss.exe
C:\chen.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7085 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 8g0yr9zmam (8g0yr9zma) - c:\windows\system32\drivers\8g0yr9zmam.sys
R1 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HPQuick Launch Buttons>
R1 FsVga - c:\windows\system32\drivers\fsvga.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface x86 Driver>
R3 HBtnKey - c:\windows\system32\drivers\cpqbttn.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>
R3 HSF_DPV - c:\windows\system32\drivers\hsf_dpv.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWAZL - c:\windows\system32\drivers\hsfhwazl.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S0 kl1 - c:\windows\system32\drivers\kl1.sys (file missing)
S2 enl618yqxl - c:\windows\system32\drivers\enl618yqxl.sys (file missing)
S3 catchme - c:\docume~1\chen\locals~1\temp\catchme.sys (file missing)
S3 eabusb - c:\windows\system32\drivers\eabusb.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S4 FE574465 - c:\windows\system32\1cd0c26.exe -k (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-10-19 and 2007-11-19 -----------------------------

2008-11-12 12:00:00 40960 --a------ C:\WINDOWS\system32\VBAME.DLL <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-11-12 12:00:00 15872 --a------ C:\WINDOWS\system32\SCP32.DLL <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-11-12 12:00:00 94208 --a------ C:\WINDOWS\system32\MSSTKPRP.DLL <Not Verified; Microsoft Corporation; msprop32>
2008-11-12 12:00:00 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-11-12 12:00:00 7168 --a------ C:\WINDOWS\system32\MSPRPCHS.DLL <Not Verified; Microsoft Corporation; msprop32>
2007-11-17 12:21:27 0 d-------- C:\Documents and Settings\chen\Application Data\Lavasoft
2007-11-17 11:20:37 81984 --a------ C:\WINDOWS\system32\yajwtvnd.dll
2007-11-17 11:17:37 85056 -----n--- C:\WINDOWS\system32\wqdkdbup.dll
2007-11-17 02:37:35 81984 --a------ C:\WINDOWS\system32\xcyfcigc.dll
2007-11-17 00:19:46 97792 --a------ C:\WINDOWS\system32\refresh.exe <Not Verified; http://www.refresh.com; refresh.exe>
2007-11-16 18:45:10 0 d-------- C:\Documents and Settings\chen\Application Data\DivX
2007-11-16 18:40:02 0 d-------- C:\Program Files\DivX
2007-11-16 14:51:52 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-16 14:48:56 0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-16 14:48:56 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-16 09:54:07 53248 -----n--- C:\WINDOWS\system32\06a1.dll <Not Verified; ; IEHpr Module>
2007-11-16 01:41:46 85056 --a------ C:\WINDOWS\system32\cxelxrjc.dll
2007-11-16 01:38:45 79936 --a------ C:\WINDOWS\system32\sefjrlih.dll
2007-11-15 20:56:05 0 d-------- C:\Program Files\Lavasoft
2007-11-15 20:55:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 20:34:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 20:30:21 0 d-------- C:\Program Files\a-squared Anti-Malware
2007-11-15 17:11:42 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-15 17:02:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-11-15 01:40:45 85056 --a------ C:\WINDOWS\system32\pbxhmhlb.dll
2007-11-14 16:55:25 0 d-------- C:\WINDOWS\A4W_DATA
2007-11-14 12:51:48 0 dr-h----- C:\Documents and Settings\chen\Recent
2007-11-14 01:51:37 0 d-------- C:\Documents and Settings\chen\??
2007-11-14 01:51:04 0 d-------- C:\Program Files\Trillian
2007-11-14 00:58:32 80448 --a------ C:\WINDOWS\system32\nlpfnqsu.dll
2007-11-14 00:58:29 0 d-------- C:\Program Files\Windows Installer Clean Up
2007-11-14 00:57:12 0 d-------- C:\Program Files\MSECACHE
2007-11-14 00:01:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2007-11-13 23:59:32 512 --a------ C:\ScanSectorLog.dat <SCANSE~1.DAT>
2007-11-13 23:53:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2007-11-13 23:52:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-13 23:51:17 0 d-------- C:\Documents and Settings\Administrator\桌面
2007-11-13 23:51:17 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-13 23:51:17 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-13 23:51:17 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-13 23:51:17 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-13 23:51:17 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-11-13 23:51:17 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-13 23:51:17 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-11-13 23:51:17 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-13 23:51:17 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-13 23:51:17 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-13 23:51:17 0 dr------- C:\Documents and Settings\Administrator\「开始」菜单
2007-11-13 23:51:16 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-13 22:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-13 22:43:05 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-13 22:18:49 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-13 22:12:21 0 d-------- C:\Documents and Settings\All Users\Application Data\ALM
2007-11-13 20:48:00 0 d-------- C:\Program Files\QuickTime
2007-11-13 19:25:37 0 d-------- C:\Program Files\Bonjour
2007-11-13 18:56:49 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-13 15:52:19 80448 --a------ C:\WINDOWS\system32\tdwokvgb.dll
2007-11-13 02:44:55 84 --a------ C:\WINDOWS\-95-6868-102
2007-11-12 15:52:10 81472 --a------ C:\WINDOWS\system32\mannjxeb.dll
2007-11-11 13:08:30 0 d-------- C:\Program Files\Winamp
2007-11-11 10:35:35 0 d-------- C:\Documents and Settings\chen\Application Data\MailFrontier
2007-11-11 10:32:20 76320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 10:32:20 731168 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 10:14:14 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-11 10:13:48 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-11-11 10:13:10 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-11 10:12:38 0 d-------- C:\WINDOWS\Internet Logs
2007-11-11 10:07:32 0 d-------- C:\Documents and Settings\chen\Application Data\WinRAR
2007-11-11 02:37:21 0 d-------- C:\Documents and Settings\chen\Application Data\Grisoft
2007-11-11 02:34:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 02:33:51 0 d-------- C:\VundoFix Backups <VUNDOF~1>
2007-11-11 02:27:24 0 d-------- C:\Program Files\Yahoo!
2007-11-11 02:27:14 0 d-------- C:\Program Files\CCleaner
2007-11-09 18:35:37 0 d-------- C:\Program Files\М?crosoft
2007-11-09 18:32:23 0 d-------- C:\Program Files\Common Files\?уstem32
2007-11-09 18:02:15 0 d-------- C:\Program Files\Microsoft Works
2007-11-09 18:02:02 0 d-------- C:\Program Files\MSBuild
2007-11-09 17:50:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-09 17:48:00 0 dr-h----- C:\MSOCache
2007-11-09 17:10:42 0 d-------- C:\Program Files\Common Files\xing shared
2007-11-09 17:10:18 0 d-------- C:\Program Files\Real
2007-11-09 17:10:18 0 d-------- C:\Documents and Settings\chen\Application Data\Real
2007-11-09 14:00:48 0 d-------- C:\Program Files\uTorrent
2007-11-09 14:00:43 0 d-------- C:\Documents and Settings\chen\Application Data\uTorrent
2007-11-08 19:36:14 1405 --a------ C:\WINDOWS\mozver.dat
2007-11-08 18:47:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-08 18:47:04 0 d-------- C:\Documents and Settings\chen\Application Data\Mozilla
2007-11-08 08:17:34 20541 --a------ C:\WINDOWS\system32\detoured.dll <Not Verified; Microsoft Corporation; Microsoft Research Detours Package>
2007-11-08 08:17:34 0 d-------- C:\Program Files\Windows Live
2007-11-08 08:17:34 0 d-a------ C:\Program Files\MSN Messenger
2007-11-08 08:17:34 0 d-------- C:\Program Files\Incesoft
2007-11-07 15:12:13 0 d-------- C:\Documents and Settings\chen\Application Data\QQUpdate
2007-11-07 15:08:19 0 d-------- C:\Documents and Settings\chen\Application Data\QQ
2007-11-07 14:06:55 68 --a------ C:\WINDOWS\system32\fc5a
2007-11-07 13:36:54 68 --a------ C:\WINDOWS\system32\efd
2007-11-07 13:06:53 68 --a------ C:\WINDOWS\system32\ec4
2007-11-07 12:36:52 68 --a------ C:\WINDOWS\system32\dcc4
2007-11-07 12:06:51 68 --a------ C:\WINDOWS\system32\cc45c1
2007-11-07 11:36:50 68 --a------ C:\WINDOWS\system32\c5aec
2007-11-07 11:06:49 68 --a------ C:\WINDOWS\system32\aec4
2007-11-07 10:36:48 68 --a------ C:\WINDOWS\system32\a63
2007-11-07 02:53:23 68 --a------ C:\WINDOWS\system32\7fc
2007-11-07 02:23:22 68 --a------ C:\WINDOWS\system32\1583
2007-11-07 02:03:16 29 --a------ C:\WINDOWS\system32\-55-6868-102
2007-11-07 02:02:59 14 --a------ C:\WINDOWS\system32\-71-6868-102
2007-11-05 22:20:15 0 d-------- C:\WINDOWS
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\WinSxS
2007-11-05 22:20:15 0 dr------- C:\WINDOWS\Web
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\twain_32
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\wins
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\wbem
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\usmt
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\spool
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\ShellExt
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\Setup
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\ras
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\oobe
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\npp
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\mui
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\inetsrv
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\IME
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\icsxml
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\ias
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\export
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\drivers
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-11-05 22:20:15 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\dhcp
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\config
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\3076
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\2052
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1054
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1042
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1041
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1037
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1033
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1031
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1028
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system32\1025
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\system
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\security
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Resources
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\repair
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Provisioning
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\PeerNet
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\pchealth
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\mui
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\msapps
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\msagent
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Media
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\java
2007-11-05 22:20:15 0 d--h----- C:\WINDOWS\inf
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\ime
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Help
2007-11-05 22:20:15 0 dr--s---- C:\WINDOWS\Fonts
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\ehome
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Driver Cache
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Debug
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Cursors
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Connection Wizard
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\Config
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\AppPatch
2007-11-05 22:20:15 0 d-------- C:\WINDOWS\addins
2007-11-05 15:19:26 0 d-------- C:\WINDOWS\system32\PreInstall
2007-11-05 15:19:24 0 d--h----- C:\WINDOWS\$hf_mig$
2007-11-05 15:09:05 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-11-05 14:59:52 14592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:59:44 5760 --a------ C:\WINDOWS\system32\drivers\EabUsb.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>
2007-11-05 14:59:44 7808 --a------ C:\WINDOWS\system32\drivers\eabfiltr.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HPQuick Launch Buttons>
2007-11-05 14:59:44 9344 --a------ C:\WINDOWS\system32\drivers\CPQBttn.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>
2007-11-05 14:59:44 987136 --a------ C:\WINDOWS\system32\BttnCmn.dll <Not Verified; Hewlett-Packard Company; Q Menu>
2007-11-05 14:59:43 0 d-------- C:\Program Files\Hewlett-Packard
2007-11-05 14:57:42 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-11-05 14:57:38 69722 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2007-11-05 14:57:38 81920 --a------ C:\WINDOWS\system32\SynTPCo2.dll <Not Verified; Synaptics, Inc.; Synaptics Pointing Device Driver>
2007-11-05 14:57:38 94298 --a------ C:\WINDOWS\system32\SynTPAPI.dll <Not Verified; Synaptics, Inc.; Synaptics Pointing Device Driver>
2007-11-05 14:57:38 193056 --a------ C:\WINDOWS\system32\drivers\SynTP.sys <Not Verified; Synaptics, Inc.; Synaptics Pointing Device Driver>
2007-11-05 14:57:37 114688 --a------ C:\WINDOWS\system32\SynCtrl.dll <Not Verified; Synaptics, Inc.; Synaptics ActiveX Control>
2007-11-05 14:57:37 82013 --a------ C:\WINDOWS\system32\SynCOM.dll <Not Verified; Synaptics, Inc.; COM SDK>
2007-11-05 14:57:37 0 d-------- C:\Program Files\Synaptics
2007-11-05 14:56:32 0 d-------- C:\WINDOWS\nview
2007-11-05 14:55:15 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:55:10 82944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:55:08 52864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:55:03 54272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:54:59 172416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:54:58 2944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:54:57 60800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:54:55 7552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:54:54 4992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:54:52 5376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:54:33 4096 --a------ C:\WINDOWS\system32\ksuser.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:54:33 60288 --a------ C:\WINDOWS\system32\drivers\drmk.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:54:17 0 d-------- C:\Program Files\CONEXANT
2007-11-05 14:53:03 569856 --a------ C:\WINDOWS\system32\drivers\CHDAud.sys <Not Verified; Conexant Systems Inc.; Conexant HDAudio Driver>
2007-11-05 14:52:46 0 d-------- C:\Program Files\HPQ
2007-11-05 14:52:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-05 14:52:41 0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-05 14:52:38 118784 --a------ C:\WINDOWS\system32\uci32105.dll <Not Verified; Conexant Systems, Inc; Conexant Unified x86 Device CoInstaller>
2007-11-05 14:52:38 86016 --a------ C:\WINDOWS\system32\mdmxsdk.dll <Not Verified; Conexant; Diagnostic Interface x86 DLL>
2007-11-05 14:52:38 12672 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface x86 Driver>
2007-11-05 14:52:37 206976 --a------ C:\WINDOWS\system32\drivers\HSFHWAZL.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
2007-11-05 14:52:37 995712 --a------ C:\WINDOWS\system32\drivers\HSF_DPV.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
2007-11-05 14:52:37 726400 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
2007-11-05 14:52:36 1519616 --a------ C:\WINDOWS\system32\nwiz.exe
2007-11-05 14:52:36 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-11-05 14:52:35 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-11-05 14:52:35 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-11-05 14:52:34 1466368 --a------ C:\WINDOWS\system32\nview.dll
2007-11-05 14:52:34 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-11-05 14:52:32 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-11-05 14:52:32 98304 --a------ C:\WINDOWS\system32\nvapi.dll
2007-11-05 14:52:31 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-11-05 14:52:17 0 d-------- C:\SWSETUP
2007-11-05 14:44:53 0 d-------- C:\Documents and Settings\chen\Application Data\Identities
2007-11-05 14:44:44 0 d-------- C:\Documents and Settings\chen\桌面
2007-11-05 14:44:44 0 d--h----- C:\Documents and Settings\chen\Templates
2007-11-05 14:44:44 0 dr-h----- C:\Documents and Settings\chen\SendTo
2007-11-05 14:44:44 0 d--h----- C:\Documents and Settings\chen\PrintHood
2007-11-05 14:44:44 3932160 --ah----- C:\Documents and Settings\chen\NTUSER.DAT
2007-11-05 14:44:44 0 d--h----- C:\Documents and Settings\chen\NetHood
2007-11-05 14:44:44 0 dr------- C:\Documents and Settings\chen\My Documents
2007-11-05 14:44:44 0 d--h----- C:\Documents and Settings\chen\Local Settings
2007-11-05 14:44:44 0 dr------- C:\Documents and Settings\chen\Favorites
2007-11-05 14:44:44 0 d---s---- C:\Documents and Settings\chen\Cookies
2007-11-05 14:44:44 0 dr-h----- C:\Documents and Settings\chen\Application Data
2007-11-05 14:44:44 0 dr------- C:\Documents and Settings\chen\「开始」菜单
2007-11-05 14:43:15 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-11-05 14:43:13 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-11-05 14:43:13 0 d-------- C:\WINDOWS\Prefetch
2007-11-05 14:43:12 1572864 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-11-05 14:43:12 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-11-05 14:43:12 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-11-05 14:43:12 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-11-05 14:43:12 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-11-05 14:42:47 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-11-05 14:42:47 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-11-05 14:42:47 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-11-05 14:42:47 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-11-05 14:42:47 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-11-05 14:39:52 0 d-------- C:\WINDOWS\system32\xircom
2007-11-05 14:39:52 0 d-------- C:\Program Files\microsoft frontpage
2007-11-05 14:39:38 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-11-05 14:39:30 0 -rahs---- C:\MSDOS.SYS
2007-11-05 14:39:30 0 -rahs---- C:\IO.SYS
2007-11-05 14:39:30 0 --a------ C:\CONFIG.SYS
2007-11-05 14:39:30 0 --a------ C:\AUTOEXEC.BAT
2007-11-05 14:39:13 112128 --a------ C:\WINDOWS\system32\mapi32.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:38:26 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-11-05 14:38:16 0 dr------- C:\WINDOWS\Offline Web Pages
2007-11-05 14:38:16 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-11-05 14:38:05 0 d--h----- C:\Program Files\WindowsUpdate
2007-11-05 14:38:00 0 d-------- C:\Program Files\Online Services
2007-11-05 14:37:43 0 d-------- C:\WINDOWS\system32\DirectX
2007-11-05 14:37:25 11264 --a------ C:\WINDOWS\system32\atrace.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:37:17 12288 --a------ C:\WINDOWS\system32\nmevtmsg.dll <Not Verified; Microsoft Corporation; Windows(R) NetMeeting(R)>
2007-11-05 14:37:16 64512 --a------ C:\WINDOWS\system32\acctres.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:37:13 0 d---s---- C:\WINDOWS\Tasks
2007-11-05 14:37:13 16384 --a------ C:\WINDOWS\system32\icfgnt5.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:37:12 0 d-------- C:\Program Files\Common Files\MSSoap
2007-11-05 14:37:09 0 d-------- C:\WINDOWS\srchasst
2007-11-05 14:37:08 0 d-------- C:\WINDOWS\system32\Macromed
2007-11-05 14:37:05 6656 --a------ C:\WINDOWS\system32\wuauserv.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:37:05 180224 --a------ C:\WINDOWS\system32\wuaueng1.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:37:05 158720 --a------ C:\WINDOWS\system32\wuauclt1.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:37:04 18944 --a------ C:\WINDOWS\system32\qmgrprxy.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:37:04 381952 --a------ C:\WINDOWS\system32\qmgr.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:37:04 7168 --a------ C:\WINDOWS\system32\bitsprx3.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:37:04 8192 --a------ C:\WINDOWS\system32\bitsprx2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:37:00 0 d-------- C:\Program Files\Movie Maker
2007-11-05 14:36:57 45568 --a------ C:\WINDOWS\system32\safrslv.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:36:57 29696 --a------ C:\WINDOWS\system32\safrdm.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:57 43520 --a------ C:\WINDOWS\system32\safrcdlg.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:57 43008 --a------ C:\WINDOWS\system32\racpldlg.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:54 233984 --a------ C:\WINDOWS\system32\srrstr.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:54 0 d-------- C:\WINDOWS\system32\Restore
2007-11-05 14:36:54 23040 --a------ C:\WINDOWS\system32\fltmc.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:36:54 16896 --a------ C:\WINDOWS\system32\fltlib.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:36:54 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:36:53 168960 --a------ C:\WINDOWS\system32\srsvc.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:53 67072 --a------ C:\WINDOWS\system32\srclient.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:53 34560 --a------ C:\WINDOWS\system32\mnmdd.dll <Not Verified; Microsoft Corporation; Windows? NetMeeting?>
2007-11-05 14:36:53 32768 --a------ C:\WINDOWS\system32\isrdbg32.dll <Not Verified; Intel Corporation; ISRDBG32.DLL>
2007-11-05 14:36:53 81920 --a------ C:\WINDOWS\system32\ils.dll <Not Verified; Microsoft Corporation; Windows? NetMeeting?>
2007-11-05 14:36:53 73216 --a------ C:\WINDOWS\system32\drivers\sr.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:52 28672 --a------ C:\WINDOWS\system32\nmmkcert.dll <Not Verified; Microsoft Corporation; Windows? NetMeeting?>
2007-11-05 14:36:52 69632 --a------ C:\WINDOWS\system32\msconf.dll <Not Verified; Microsoft Corporation; Windows? NetMeeting?>
2007-11-05 14:36:52 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows? NetMeeting?>
2007-11-05 14:36:50 105984 --a------ C:\WINDOWS\system32\msoert2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:36:50 252928 --a------ C:\WINDOWS\system32\msoeacct.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:49 38912 --a------ C:\WINDOWS\system32\inetres.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:47 185344 --a------ C:\WINDOWS\system32\schedsvc.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:47 11776 --a------ C:\WINDOWS\system32\mstinit.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:47 260608 --a------ C:\WINDOWS\system32\mstask.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:47 65536 --a------ C:\WINDOWS\system32\icwphbk.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:47 65536 --a------ C:\WINDOWS\system32\icwdial.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:46 73728 --a------ C:\WINDOWS\system32\isign32.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:46 253952 --a------ C:\WINDOWS\system32\inetcfg.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:36:08 21464 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-11-05 14:35:49 0 d-------- C:\WINDOWS\Registration
2007-11-05 14:35:33 0 d-------- C:\Program Files\Messenger
2007-11-05 14:35:30 5632 --a------ C:\WINDOWS\system32\write.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:30 0 d-------- C:\Program Files\MSN Gaming Zone
2007-11-05 14:35:21 138752 --a------ C:\WINDOWS\system32\sndvol32.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:21 44544 --a------ C:\WINDOWS\system32\hticons.dll <Not Verified; Hilgraeve, Inc.; Microsoft? Windows? Operating System>
2007-11-05 14:35:21 73216 --a------ C:\WINDOWS\system32\avwav.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:21 227840 --a------ C:\WINDOWS\system32\avtapi.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:21 16384 --a------ C:\WINDOWS\system32\avmeter.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:20 35328 --a------ C:\WINDOWS\system32\winchat.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:14 56832 --a------ C:\WINDOWS\system32\sol.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:14 605696 --a------ C:\WINDOWS\system32\getuname.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:14 80384 --a------ C:\WINDOWS\system32\charmap.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:14 114688 --a------ C:\WINDOWS\system32\calc.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:13 1048 --a------ C:\WINDOWS\system32\usrlogon.cmd
2007-11-05 14:35:13 19456 --a------ C:\WINDOWS\system32\tsshutdn.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:13 18432 --a------ C:\WINDOWS\system32\tskill.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:13 10752 --a------ C:\WINDOWS\system32\reset.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:13 126976 --a------ C:\WINDOWS\system32\mshearts.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:13 55296 --a------ C:\WINDOWS\system32\freecell.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 16896 --a------ C:\WINDOWS\system32\tsdiscon.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 17408 --a------ C:\WINDOWS\system32\tscon.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 16896 --a------ C:\WINDOWS\system32\shadow.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 17920 --a------ C:\WINDOWS\system32\rwinsta.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 33792 --a------ C:\WINDOWS\system32\regini.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:12 4096 --a------ C:\WINDOWS\system32\rdpcfgex.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 26624 --a------ C:\WINDOWS\system32\qwinsta.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 18944 --a------ C:\WINDOWS\system32\qappsrv.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 24576 --a------ C:\WINDOWS\system32\msg.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 17408 --a------ C:\WINDOWS\system32\logoff.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:12 15872 --a------ C:\WINDOWS\system32\cdmodem.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:11 25088 --a------ C:\WINDOWS\system32\mtxlegih.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:11 4096 --a------ C:\WINDOWS\system32\mtxex.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:11 20480 --a------ C:\WINDOWS\system32\mtxdm.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:11 5120 --a------ C:\WINDOWS\system32\dcomcnfg.exe <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:11 97792 --a------ C:\WINDOWS\system32\comrepl.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:11 25600 --a------ C:\WINDOWS\system32\comaddin.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:10 54272 --a------ C:\WINDOWS\system32\stclient.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:10 147456 --a------ C:\WINDOWS\system32\comsnap.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:05 127488 --a------ C:\WINDOWS\system32\sndrec32.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:05 169472 --a------ C:\WINDOWS\system32\accwiz.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:04 332288 --a------ C:\WINDOWS\system32\mspaint.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:04 119808 --a------ C:\WINDOWS\system32\mplay32.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:04 333824 --a------ C:\WINDOWS\system32\hypertrm.dll <Not Verified; Hilgraeve, Inc.; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:04 0 d-------- C:\Program Files\Windows NT
2007-11-05 14:35:03 93184 --a------ C:\WINDOWS\system32\tscfgwmi.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:03 537088 --a------ C:\WINDOWS\system32\spider.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:03 21896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:03 12040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:03 139528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:03 96768 --a------ C:\WINDOWS\system32\clipbrd.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:02 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:02 285696 --a------ C:\WINDOWS\system32\termsrv.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:02 136704 --a------ C:\WINDOWS\system32\sessmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:02 57344 --a------ C:\WINDOWS\system32\remotepg.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:02 67072 --a------ C:\WINDOWS\system32\rdshost.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:02 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:02 147968 --a------ C:\WINDOWS\system32\rdchost.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:02 655360 --a------ C:\WINDOWS\system32\mstscax.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:02 390144 --a------ C:\WINDOWS\system32\mstsc.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:01 87176 --a------ C:\WINDOWS\system32\rdpwsx.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:01 19968 --a------ C:\WINDOWS\system32\rdpsnd.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:01 62464 --a------ C:\WINDOWS\system32\rdpclip.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:01 22528 --a------ C:\WINDOWS\system32\qprocess.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:01 91136 --a------ C:\WINDOWS\system32\mtxoci.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:35:01 161280 --a------ C:\WINDOWS\system32\msdtcuiu.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-11-05 14:35:01 426496 --a------ C:\WINDOWS\system32\msdtcprx.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-11-05 14:35:01 0 d-------- C:\WINDOWS\system32\MsDtc
2007-11-05 14:35:01 11264 --a------ C:\WINDOWS\system32\icaapi.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:35:01 38400 --a------ C:\WINDOWS\system32\cfgbkend.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:35:00 11776 --a------ C:\WINDOWS\system32\xolehlp.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-11-05 14:35:00 956416 --a------ C:\WINDOWS\system32\msdtctm.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-11-05 14:35:00 58880 --a------ C:\WINDOWS\system32\msdtclog.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-11-05 14:35:00 6144 --a------ C:\WINDOWS\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-11-05 14:34:59 1267200 --a------ C:\WINDOWS\system32\comsvcs.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:59 0 d-------- C:\WINDOWS\system32\Com
2007-11-05 14:34:59 60416 --a------ C:\WINDOWS\system32\colbact.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:59 110080 --a------ C:\WINDOWS\system32\clbcatex.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:59 625152 --a------ C:\WINDOWS\system32\catsrvut.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:59 85504 --a------ C:\WINDOWS\system32\catsrvps.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:59 225792 --a------ C:\WINDOWS\system32\catsrv.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:58 540160 --a------ C:\WINDOWS\system32\comuid.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:58 498688 --a------ C:\WINDOWS\system32\clbcatq.dll <Not Verified; Microsoft Corporation; COM Services>
2007-11-05 14:34:52 55296 --a------ C:\WINDOWS\system32\servdeps.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:34:52 16896 --a------ C:\WINDOWS\system32\mmfutil.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:34:52 58880 --a------ C:\WINDOWS\system32\licwmi.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:34:52 173056 --a------ C:\WINDOWS\system32\cmprops.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:34:48 196864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:34:47 40840 --a------ C:\WINDOWS\system32\drivers\termdd.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:32:50 3072 --a------ C:\WINDOWS\system32\drivers\audstub.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:32:23 54784 --a------ C:\WINDOWS\system32\drivers\redbook.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:32:02 9344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:32:01 16000 --a------ C:\WINDOWS\system32\drivers\battc.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:32:00 14080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:31:23 65024 --a------ C:\WINDOWS\system32\usbui.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:31:08 8832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:30:30 0 d--hs---- C:\WINDOWS\Installer
2007-11-05 14:30:29 0 d-------- C:\Program Files\Common Files\ODBC
2007-11-05 14:30:26 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-11-05 14:30:25 0 dr------- C:\Program Files <PROGRA~1>
2007-11-05 14:30:25 0 d-------- C:\Program Files\Common Files
2007-11-05 14:29:55 185344 --a------ C:\WINDOWS\system32\Thawbrkr.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdvntc.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdintel.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdintam.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 6144 -ra------ C:\WINDOWS\system32\kbdinpun.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdinmar.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdinkan.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdinhin.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdinguj.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5632 -ra------ C:\WINDOWS\system32\kbdindev.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5120 -ra------ C:\WINDOWS\system32\kbdgeo.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5120 -ra------ C:\WINDOWS\system32\kbdarmw.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 5120 -ra------ C:\WINDOWS\system32\kbdarme.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:55 10752 --a------ C:\WINDOWS\system32\c_iscii.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 --a------ C:\WINDOWS\system32\kbdusa.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbdurdu.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbdsyr2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbdsyr1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbdfa.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbddiv2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbddiv1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbda3.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbda2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:53 5632 -ra------ C:\WINDOWS\system32\kbda1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:50 5632 -ra------ C:\WINDOWS\system32\kbdheb.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:47 6144 -ra------ C:\WINDOWS\system32\kbdth3.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:47 6144 -ra------ C:\WINDOWS\system32\kbdth2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:47 5632 -ra------ C:\WINDOWS\system32\kbdth1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:47 5632 -ra------ C:\WINDOWS\system32\kbdth0.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:47 6144 --a------ C:\WINDOWS\system32\ftlx041e.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:42 6144 -ra------ C:\WINDOWS\system32\kbdtuq.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:42 6144 -ra------ C:\WINDOWS\system32\kbdtuf.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:42 5632 -ra------ C:\WINDOWS\system32\kbdazel.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:41 5632 -ra------ C:\WINDOWS\system32\kbdmon.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:41 5632 -ra------ C:\WINDOWS\system32\kbdkyr.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 8192 -ra------ C:\WINDOWS\system32\kbdhept.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 6656 -ra------ C:\WINDOWS\system32\kbdhela3.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 6144 -ra------ C:\WINDOWS\system32\kbdhela2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 5632 -ra------ C:\WINDOWS\system32\kbdhe319.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 5632 -ra------ C:\WINDOWS\system32\kbdhe220.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 5632 -ra------ C:\WINDOWS\system32\kbdhe.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:39 6144 -ra------ C:\WINDOWS\system32\kbdgkl.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:37 6144 -ra------ C:\WINDOWS\system32\kbdlv1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:37 6144 -ra------ C:\WINDOWS\system32\kbdlv.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:37 5632 -ra------ C:\WINDOWS\system32\kbdlt1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:37 5632 -ra------ C:\WINDOWS\system32\kbdlt.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:37 6144 -ra------ C:\WINDOWS\system32\kbdest.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:36 6656 -ra------ C:\WINDOWS\system32\kbdsl1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:36 6656 -ra------ C:\WINDOWS\system32\kbdsl.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:36 5632 -ra------ C:\WINDOWS\system32\kbdro.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\kbdycl.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 5632 -ra------ C:\WINDOWS\system32\kbdpl1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\kbdpl.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 5632 -ra------ C:\WINDOWS\system32\kbdhu1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\kbdhu.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\kbdcz2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\kbdcz1.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 7168 -ra------ C:\WINDOWS\system32\kbdcz.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\kbdcr.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:35 6656 -ra------ C:\WINDOWS\system32\KBDAL.DLL <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:31 838144 --a------ C:\WINDOWS\system32\chtbrkr.dll <Not Verified; Microsoft Corporation; Microsoft Traditional Chinese Word Breaker>
2007-11-05 14:29:30 98304 --a------ C:\WINDOWS\system32\msir3jp.dll <Not Verified; Microsoft Corporation; Natural Language Components>
2007-11-05 14:29:30 70656 --a------ C:\WINDOWS\system32\korwbrkr.dll <Not Verified; Microsoft Corporation; Korean WordBreaker>
2007-11-05 14:29:20 218112 --a------ C:\WINDOWS\system32\c_g18030.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:19 6144 --a------ C:\WINDOWS\system32\kbd101a.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 7680 --a------ C:\WINDOWS\system32\kbdnecNT.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 9216 --a------ C:\WINDOWS\system32\kbdnecAT.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 7168 --a------ C:\WINDOWS\system32\kbdnec95.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 6144 --a------ C:\WINDOWS\system32\kbdlk41j.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 6656 --a------ C:\WINDOWS\system32\kbdlk41a.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 7168 --a------ C:\WINDOWS\system32\kbdibm02.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 6144 --a------ C:\WINDOWS\system32\kbdax2.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 6144 --a------ C:\WINDOWS\system32\kbd106n.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 6144 --a------ C:\WINDOWS\system32\kbd101.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:29:09 7168 --a------ C:\WINDOWS\system32\f3ahvoas.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:46 6656 --a------ C:\WINDOWS\system32\c_is2022.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:44 76288 --a------ C:\WINDOWS\system32\uniime.dll <Not Verified; Microsoft Corporation; MicrosoftR WindowsR Operating System>
2007-11-05 14:28:44 811064 --a------ C:\WINDOWS\system32\imjp81k.dll <Not Verified; Microsoft Corporation; Microsoft IME 2002>
2007-11-05 14:28:42 8192 --a------ C:\WINDOWS\system32\kbdkor.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:42 8704 --a------ C:\WINDOWS\system32\kbdjpn.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:42 6144 --a------ C:\WINDOWS\system32\kbd106.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:42 5632 --a------ C:\WINDOWS\system32\kbd103.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:42 6144 --a------ C:\WINDOWS\system32\kbd101c.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:39 6144 --a------ C:\WINDOWS\system32\kbd101b.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:37 13312 --a------ C:\WINDOWS\system32\irclass.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:28:37 176157 --a------ C:\WINDOWS\system32\dgrpsetu.dll <Not Verified; Digi International, Inc.; Digi RealPort? Driver>
2007-11-05 14:28:36 24661 --a------ C:\WINDOWS\system32\spxcoins.dll <Not Verified; Perle Systems Ltd.; Specialix Multi-port Serial Device Class CoInstaller>
2007-11-05 14:28:36 103424 --a------ C:\WINDOWS\system32\EqnClass.Dll <Not Verified; Equinox Systems Inc.; Equinox Multiport Serial Coinstaller>
2007-11-05 14:28:36 85020 --a------ C:\WINDOWS\system32\dgsetup.dll <Not Verified; Digi International; DGSETUP Dynamic Link Library>
2007-11-05 14:28:36 9008 --a------ C:\WINDOWS\system\VER.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows(TM) Operating System>
2007-11-05 14:28:36 19200 --a------ C:\WINDOWS\system\TAPI.DLL <Not Verified; Microsoft Corporation; Microsoft?Windows(TM) Operating System>
2007-11-05 14:28:36 5120 --a------ C:\WINDOWS\system\SHELL.DLL <Not Verified; Microsoft Corporation; Microsoft?Windows(TM) Operating System>
2007-11-05 14:28:35 24064 --a------ C:\WINDOWS\system\OLESVR.DLL <Not Verified; Microsoft Corporation; Microsoft Object Linking and Embedding Libraries for Window>
2007-11-05 14:28:35 82535 --a------ C:\WINDOWS\system\OLECLI.DLL <Not Verified; Microsoft Corporation; Microsoft Object Linking and Embedding Libraries for Windows>
2007-11-05 14:28:35 126912 --a------ C:\WINDOWS\system\MSVIDEO.DLL <Not Verified; Microsoft Corporation; Microsoft Video for Windows>
2007-11-05 14:28:35 9936 --a------ C:\WINDOWS\system\LZEXPAND.DLL <Not Verified; Microsoft Corporation; Microsoft?Windows(TM) Operating System>
2007-11-05 14:28:35 32848 --a------ C:\WINDOWS\system\COMMDLG.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows(TM) 操作系统>
2007-11-05 14:28:35 109456 --a------ C:\WINDOWS\system\AVIFILE.DLL <Not Verified; Microsoft Corporation; Microsoft Windows>
2007-11-05 14:28:34 15360 --a------ C:\WINDOWS\TASKMAN.EXE <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:28:34 11264 --a------ C:\WINDOWS\system32\drivers\irenum.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:34 8704 --a------ C:\WINDOWS\system32\batt.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2007-11-05 14:28:34 69584 --a------ C:\WINDOWS\system\AVICAP.DLL <Not Verified; Microsoft Corporation; Microsoft Video for Windows>
2007-11-05 14:28:33 68768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL <Not Verified; Microsoft Corporation; Microsoft(R) Windows(TM) 操作系统>
2007-11-05 14:28:33 66560 --a------ C:\WINDOWS\NOTEPAD.EXE <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:28:32 67584 --a------ C:\WINDOWS\system32\storprop.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-11-05 14:28:23 0 d-------- C:\Documents and Settings\Default User\桌面
2007-11-05 14:28:23 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-11-05 14:28:23 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-11-05 14:28:23 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-11-05 14:28:23 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-11-05 14:28:23 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-11-05 14:28:23 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-11-05 14:28:23 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-11-05 14:28:23 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-11-05 14:28:23 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-11-05 14:28:23 0 dr------- C:\Documents and Settings\Default User\「开始」菜单
2007-11-05 14:28:23 0 d-------- C:\Documents and Settings\All Users\桌面
2007-11-05 14:28:23 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-11-05 14:28:23 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-11-05 14:28:23 0 dr------- C:\Documents and Settings\All Users\Documents
2007-11-05 14:28:23 0 dr------- C:\Documents and Settings\All Users\「开始」菜单
2007-11-05 14:28:11 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-11-05 14:28:11 0 d-------- C:\WINDOWS\system32\CatRoot
2007-11-05 14:28:05 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-11-05 14:28:05 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-11-05 14:28:05 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-11-05 14:28:05 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-11-05 14:27:42 0 d--hs---- C:\System Volume Information <SYSTEM~1>
2007-11-05 14:27:42 0 d-------- C:\Documents and Settings <DOCUME~1>
2007-10-20 08:56:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 08:54:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-20 08:54:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-20 08:54:12 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-20 08:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-20 08:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-20 08:54:10 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX?>


-- Find3M Report ---------------------------------------------------------------

2007-11-19 07:34:39 147212 --a------ C:\WINDOWS\system32\prfh0804.dat
2007-11-19 07:34:39 75018 --a------ C:\WINDOWS\system32\prfc0804.dat
2007-11-19 06:50:40 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-17 15:22:48 0 d-------- C:\Program Files\StormII
2007-11-15 13:45:11 24114 --a------ C:\WINDOWS\system32\comrcinf.dat
2007-11-15 13:45:11 369 --a------ C:\WINDOWS\system32\cmbinfo.dat
2007-11-14 14:36:23 0 d-------- C:\Documents and Settings\chen\Application Data\Adobe
2007-11-13 22:27:19 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-09 19:57:22 0 d-------- C:\Program Files\М?crosoft
2007-11-09 19:57:22 0 d-------- C:\Program Files\Common Files\?уstem32
2007-11-09 17:10:32 0 d-------- C:\Program Files\Common Files\Real
2007-11-09 17:10:22 499712 --a------ C:\WINDOWS\system32\msvcp71.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
2007-11-09 17:04:20 0 d-------- C:\Documents and Settings\chen\Application Data\Macromedia
2007-11-05 14:28:23 62 --ahs---- C:\Documents and Settings\chen\Application Data\desktop.ini
2007-10-18 17:02:34 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-30 20:47:12 139264 ---h----- C:\msn.exe <Not Verified; http://www.msn.com; msncom>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3930D164-6564-4099-A33E-2DD4DFBC4669}]
C:\WINDOWS\system32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96BEE5B7-892D-4A91-82F8-17C585B67D8C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 13:01]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-02-16 14:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-09 17:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-17 22:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 22:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

C:\Documents and Settings\chen\「开始」菜单\程序\启动\
msn.exe [2007-09-30 20:47:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{867623F2-B60C-49c4-A50D-FCA697B0CC04}"= C:\WINDOWS\system32\NavCOM03.dll [2005-11-05 18:13 0]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b68dc774-8e6f-11dc-893c-0016d3a75b70}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msn.exe
explore\Command- F:\msn.exe
open\Command- F:\msn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1c10aa8-4e6a-11da-8494-0016d3a75b70}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msn.exe
explore\Command- H:\msn.exe
open\Command- H:\msn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee9f7c1d-4e13-11da-bfb9-0016d3a75b70}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msn.exe
explore\Command- F:\msn.exe
open\Command- F:\msn.exe




-- End of Deckard's System Scanner: finished at 2007-11-19 07:40:48 ------------

Extra:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: AMD Athlon(tm) 64 X2
CPU 1: AMD Athlon(tm) 64 X2
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 990.54 MiB / 458.17 MiB
Pagefile Memory (total/avail): 1619.88 MiB / 1206.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.81 MiB

C: is Fixed (NTFS) - 59.57 GiB total, 38.38 GiB free.
D: is Fixed (NTFS) - 52.21 GiB total, 51.77 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HM120JI - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - 可安装文件系统 - 59.57 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 52.21 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Security Suite Firewall v7.0.302.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.302.000 (Check Point, LTD.) Disabled Outdated
AV: Symantec AntiVirus Corporate Edition v9.0.1.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\chen\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHENGONGJI
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\chen
LOGONSERVER=\\CHENGONGJI
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 104 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\chen\LOCALS~1\Temp
TMP=C:\DOCUME~1\chen\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=CHENGONGJI
USERNAME=chen
USERPROFILE=C:\Documents and Settings\chen
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

chen (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.0 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Add or Remove Adobe Creative Suite 3 Master Collection --> C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe
Adobe After Effects CS3 --> MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}
Adobe After Effects CS3 Presets --> MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Contribute CS3 --> MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}
Adobe Creative Suite 3 Master Collection --> MsiExec.exe /I{8718DC03-D066-4957-94E5-50C3C5042E8E}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe Encore CS3 --> MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}
Adobe Encore CS3 Codecs --> MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Fireworks CS3 --> MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 --> MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 --> MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Premiere Pro CS3 Functional Content --> MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content --> MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Reader 7.08 雨林木风版 --> "C:\Program Files\Adobe\Acrobat 7.0\Reader\unins000.exe"
Adobe Setup --> MsiExec.exe /I{4458C442-7376-4CF9-AF58-E8CEA6722363}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SING CS3 --> MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Soundbooth CS3 --> MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}
Adobe Soundbooth CS3 Codecs --> MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server --> MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3 --> MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -Iwis30B5a.INF
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_wis30B5m\HXFSETUP.EXE -U -Iwis30B5m.inf
HijackThis 2.0.2 --> "C:\Documents and Settings\chen\桌面\HijackThis.exe" /uninstal
HP Quick Launch Buttons 6.00 D1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe" -l0x804 -removeonly uninst
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MailFrontier Desktop --> C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\UNWISE.EXE C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\INSTMLF.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110804-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
μTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
千千静听 4.6.0 --> "C:\Program Files\TTPlayer\uninst.exe"
暴风影音2 --> C:\Program Files\StormII\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2221 / Error
Event Submitted/Written: 11/19/2007 07:34:39 AM
Event ID/Source: 3001 / LoadPerf
Event Description:
注册表中性能计数器名称字符串数值的格式不正确。
不正确的字符串是 3696,不正确的索引值是数据节中的第一个 DWORD 值,
最后的有效索引值是数据节中的第二个和第三个 DWORD 值。

Event Record #/Type2220 / Warning
Event Submitted/Written: 11/19/2007 07:34:39 AM
Event ID/Source: 2006 / LoadPerf
Event Description:
性能注册表的 LastCounter 和 LastHelp 值不正确,需要更新。
数据段中的第一个和第二个 DWORDs 是原始值,
第三个和第四个 DWORDs 是经过更新的新值。

Event Record #/Type2217 / Error
Event Submitted/Written: 11/19/2007 06:52:47 AM
Event ID/Source: 3001 / LoadPerf
Event Description:
注册表中性能计数器名称字符串数值的格式不正确。
不正确的字符串是 3696,不正确的索引值是数据节中的第一个 DWORD 值,
最后的有效索引值是数据节中的第二个和第三个 DWORD 值。

Event Record #/Type2216 / Warning
Event Submitted/Written: 11/19/2007 06:52:47 AM
Event ID/Source: 2006 / LoadPerf
Event Description:
性能注册表的 LastCounter 和 LastHelp 值不正确,需要更新。
数据段中的第一个和第二个 DWORDs 是原始值,
第三个和第四个 DWORDs 是经过更新的新值。

Event Record #/Type2207 / Error
Event Submitted/Written: 11/19/2007 06:40:57 AM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Vundo in File: C:\Documents and Settings\chen\Local Settings\Temporary Internet Files\Content.IE5\0AKU45XY\hctp[1] by: Scheduled scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Threat Found!Threat: W32.SillyFDC in File: C:\Documents and Settings\chen\「开始」菜单\程序\启动\msn.exe by: Scheduled scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

Threat Found!Threat: W32.SillyFDC in File: C:\Documents and Settings\chen\桌面\backups\backup-20071115-191232-956-msn.exe by: Scheduled scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Threat Found!Threat: W32.SillyFDC in File: C:\msn.exe by: Scheduled scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3225 / Error
Event Submitted/Written: 11/19/2007 06:50:39 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
由于下列错误,SAVRT 服务启动失败:
%%31

Event Record #/Type3224 / Error
Event Submitted/Written: 11/19/2007 06:50:39 AM
Event ID/Source: 6 / SAVRT
Event Description:
Incompatible version of SYMEVENT.SYS is loaded.

Event Record #/Type3223 / Error
Event Submitted/Written: 11/19/2007 06:50:38 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
由于下列错误,Application Layer Gateway Service 服务启动失败:
%%1053

Event Record #/Type3222 / Error
Event Submitted/Written: 11/19/2007 06:49:28 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
等待 Application Layer Gateway Service 服务的连接超时(30000 毫秒)。

Event Record #/Type3209 / Error
Event Submitted/Written: 11/19/2007 06:48:57 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Automatic Updates 服务因下列错误而停止:
%%3228369022



-- End of Deckard's System Scanner: finished at 2007-11-19 07:40:48 ------------

Ran HijackThis and removed the stated items.
billbonic
Active Member
 
Posts: 8
Joined: November 15th, 2007, 8:02 am

Re: Another day, another chump with an infection

Unread postby Katana » November 19th, 2007, 11:11 am

Do you know what this relates to?
C:\Documents and Settings\chen\Application Data\QQUpdate


Show All Files And Folders
Now you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.


Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:


* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.

======================================================================
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it batfix.bat Please save it on your desktop.

@echo off

if exist C:\look.txt del /q C:\look.txt
if exist C:\results.txt del /q C:\results.txt

dir /A /D /s C:\WINDOWS\system32\fc5a >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\efd >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\ec4 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\dcc4 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\cc45c1 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\c5aec >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\aec4 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\a63 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\7fc >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\1583 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\-55-6868-102 >> C:\look.txt
dir /A /D /s C:\WINDOWS\system32\-71-6868-102 >> C:\look.txt
dir /A /D /s C:\WINDOWS\-95-6868-102 >> C:\look.txt

type C:\look.txt >> C:\results.txt
start notepad C:\results.txt
del /q C:\look*.txt

sc stop NVSvc
sc stop 8g0yr9zma
sc delete NVSvc
sc delete 8g0yr9zma
sc stop FE574465
sc delete FE574465
sc stop enl618yqxl
sc delete enl618yqxl
sc stop kl1
sc delete kl1

exit

Double click on batfix.bat. Notepad will open; please copy and paste the contents in your reply (a copy will be saved at C:\results.txt).

========================================================================
Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg Please save it on your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930D164-6564-4099-A33E-2DD4DFBC4669}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96BEE5B7-892D-4A91-82F8-17C585B67D8C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b68dc774-8e6f-11dc-893c-0016d3a75b70}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1c10aa8-4e6a-11da-8494-0016d3a75b70}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee9f7c1d-4e13-11da-bfb9-0016d3a75b70}]


Make sure there are NO blank lines before REGEDIT4 and ONE blank line at the end/bottom.
Double click on Regfix.reg and click Yes at the prompt.

======================================================================

OTMoveIt
  • Download OTMoveIt by OldTimer from here
  • Double click on OTMoveIt to start OTMoveIt
  • Untick the option to Unregister Dll's and Ocx's (1)
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard
    C:\Windows\delself.bat
    C:\Windows\htmlpeek.dll
    C:\Windows\svchost.exe
    C:\Windows\system32\adtuosa.exe
    C:\Windows\system32\cmbinfo.dat
    C:\Windows\system32\comrcinf.dat
    C:\Windows\system32\delself.bat
    C:\Windows\system32\dodolook254.exe
    C:\Windows\system32\dsgj.exe
    C:\Windows\system32\edincc.dll
    C:\Windows\system32\mprmsgse.axz
    C:\Windows\system32\mscpx32r.det
    C:\Windows\system32\my_70049.exe
    C:\Windows\system32\refresh.exe
    C:\Windows\system32\Com\Config.cfg
    C:\Windows\system32\Com\1.0.0\WndHook.dll
    C:\Windows\system32\drivers\acpidisk.sys
    C:\Windows\system32\drivers\n2bg5lo.sys
    C:\Windows\system32\drivers\sebm1to1h8.sys
    c:\windows\system32\drivers\8g0yr9zmam.sys
    C:\WINDOWS\system32\yajwtvnd.dll
    C:\WINDOWS\system32\wqdkdbup.dll
    C:\WINDOWS\system32\xcyfcigc.dll
    C:\WINDOWS\system32\refresh.exe
    C:\WINDOWS\system32\06a1.dll
    C:\WINDOWS\system32\cxelxrjc.dll
    C:\WINDOWS\system32\sefjrlih.dll
    C:\WINDOWS\system32\pbxhmhlb.dll
    C:\WINDOWS\system32\nlpfnqsu.dll
    C:\WINDOWS\system32\tdwokvgb.dll
    C:\WINDOWS\system32\mannjxeb.dll
    C:\WINDOWS\system32\comrcinf.dat
    C:\WINDOWS\system32\cmbinfo.dat
    C:\WINDOWS\system32\ssqpm.dll
    C:\WINDOWS\system32\NavCOM03.dll
    C:\msn.exe
  • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
  • Click Paste (2)
  • Click MoveIt! (3)
  • Copy and paste the contents of the results box (4) as a reply to this topic

======================================================================

The next set of folders you will have to find yourself, because the full path does not display properly.
Navigate to the parent folder (in blue), then Right click >> Arrange Icons >> By Name; they should now be at the end of the folder.
Caution: Do NOT delete folders with a similar name; they may be legitimate.
Delete Folders
Find and delete the following Folders if present:
C:\Program Files\??crosoft <<< This folder (probably Microsoft)
C:\Program Files\Common Files\??stem32 <<< This folder (probably System32)



Please let me know how you get on
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
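
A defender-side check for the lookalike folder names described in the post above: the "??crosoft" and "??stem32" folders are non-ASCII letters (the ComboFix log further down renders them as М?crosoft and ?уstem32, Cyrillic letters standing in for Latin ones) that the Chinese console code page cannot display. This is an added Python example, not a tool from the thread or from MalwareRemoval.com; the confusable table and the protected-name list are assumptions for illustration, and the directory listing is constructed.

```python
import unicodedata

# Lookalike (confusable) letters from other scripts mapped to the Latin letter
# they mimic. Partial table for illustration; a production tool would load the
# Unicode confusables data instead of hand-picking entries.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i",
    "\u0391": "A", "\u039f": "O", "\u03bf": "o", "\u03c1": "p",
}

# Folder names that legitimately exist only once, spelled in plain ASCII
# (assumed list; extend it for the tree being inspected).
PROTECTED = ("Microsoft", "System32", "Common Files", "Windows")

# Constructed sample listing modelled on the thread: the real folders appeared
# as "М?crosoft" and "?уstem32" because the console could not render them.
SAMPLE_LISTING = [
    "Microsoft",
    "Common Files",
    "\u041cicrosoft",            # Cyrillic capital EM in place of Latin M
    "S\u0443stem32",             # Cyrillic small U in place of Latin y
    "Re\u0430lPlayer",           # Cyrillic small A: mixed script, impersonates nothing protected
    "\u5343\u5343\u9759\u542c",  # genuine CJK application name (single script): fine
]


def script_of(ch):
    """Return a coarse script name ('LATIN', 'CYRILLIC', 'CJK', ...) for a letter."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(name):
    """Fold confusable letters to their Latin lookalikes, so 'Мicrosoft' becomes 'Microsoft'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def classify(name):
    """Classify one folder name.

    Returns (verdict, detail):
      ('ok', None)                   plain ASCII, or a single non-Latin script (a CJK app name)
      ('lookalike', protected_name)  non-ASCII name whose skeleton equals a protected ASCII name
      ('mixed-script', scripts)      letters from more than one script, but no protected match
    """
    if name.isascii():
        return ("ok", None)
    folded = skeleton(name)
    for target in PROTECTED:
        if folded.casefold() == target.casefold() and name != target:
            return ("lookalike", target)
    scripts = {script_of(ch) for ch in name if ch.isalpha()}
    if len(scripts) > 1:
        return ("mixed-script", tuple(sorted(scripts)))
    return ("ok", None)


def find_suspicious(names):
    """Return [(name, verdict, detail)] for every listing entry that is not 'ok'."""
    results = []
    for name in names:
        verdict, detail = classify(name)
        if verdict != "ok":
            results.append((name, verdict, detail))
    return results


if __name__ == "__main__":
    for name, verdict, detail in find_suspicious(SAMPLE_LISTING):
        print(f"{name!r}: {verdict} {detail}")
```

On a live system the listing would come from os.listdir() over the Program Files tree; only the flagged names need a second look, which is exactly the manual "sort by name and check the end of the folder" step the post describes.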

Re: Another day, another chump with an infection

Unread postby billbonic » November 21st, 2007, 10:50 pm

Hey K
I was unable to find the folders, possibly because I failed to unhide them. I am using a Chinese version of Windows, and the geniuses over at Microsoft have designed their shitty OS such that if you have the English version (standard) then you can switch to other display languages, but if you have a foreign-language version installed, you cannot switch over to English. Fucking retarded. Anyways, I will work on this and get back to you in a few days. In the meantime, here are the results of the other programs:

Batfix
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

fc5a
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,983,104 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

efd
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,983,104 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

ec4
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,983,104 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

dcc4
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

cc45c1
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

c5aec
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

aec4
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

a63
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

7fc
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

1583
1 个文件 68 字节

所列文件总数:
1 个文件 68 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

-55-6868-102
1 个文件 29 字节

所列文件总数:
1 个文件 29 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS\system32 的目录

-71-6868-102
1 个文件 14 字节

所列文件总数:
1 个文件 14 字节
0 个目录 41,223,979,008 可用字节
驱动器 C 中的卷没有标签。
卷的序列号是 B4F8-4ED9

C:\WINDOWS 的目录

-95-6868-102
1 个文件 84 字节

所列文件总数:
1 个文件 84 字节
0 个目录 41,223,979,008 可用字节

OTMove-it

File/Folder C:\Windows\delself.bat not found.
C:\Windows\htmlpeek.dll moved successfully.
File/Folder C:\Windows\svchost.exe not found.
File/Folder C:\Windows\system32\adtuosa.exe not found.
C:\Windows\system32\cmbinfo.dat moved successfully.
C:\Windows\system32\comrcinf.dat moved successfully.
File/Folder C:\Windows\system32\delself.bat not found.
File/Folder C:\Windows\system32\dodolook254.exe not found.
C:\Windows\system32\dsgj.exe moved successfully.
File/Folder C:\Windows\system32\edincc.dll not found.
File/Folder C:\Windows\system32\mprmsgse.axz not found.
File/Folder C:\Windows\system32\mscpx32r.det not found.
C:\Windows\system32\my_70049.exe moved successfully.
C:\Windows\system32\refresh.exe moved successfully.
C:\Windows\system32\Com\Config.cfg moved successfully.
C:\Windows\system32\Com\1.0.0\WndHook.dll moved successfully.
File/Folder C:\Windows\system32\drivers\acpidisk.sys not found.
File/Folder C:\Windows\system32\drivers\n2bg5lo.sys not found.
File/Folder C:\Windows\system32\drivers\sebm1to1h8.sys not found.
File move failed. c:\windows\system32\drivers\8g0yr9zmam.sys scheduled to be moved on reboot.
C:\WINDOWS\system32\yajwtvnd.dll moved successfully.
File/Folder C:\WINDOWS\system32\wqdkdbup.dll not found.
C:\WINDOWS\system32\xcyfcigc.dll moved successfully.
File/Folder C:\WINDOWS\system32\refresh.exe not found.
C:\WINDOWS\system32\06a1.dll moved successfully.
File/Folder C:\WINDOWS\system32\cxelxrjc.dll not found.
C:\WINDOWS\system32\sefjrlih.dll moved successfully.
File/Folder C:\WINDOWS\system32\pbxhmhlb.dll not found.
File/Folder C:\WINDOWS\system32\nlpfnqsu.dll not found.
File/Folder C:\WINDOWS\system32\tdwokvgb.dll not found.
File/Folder C:\WINDOWS\system32\mannjxeb.dll not found.
File/Folder C:\WINDOWS\system32\comrcinf.dat not found.
File/Folder C:\WINDOWS\system32\cmbinfo.dat not found.
File/Folder C:\WINDOWS\system32\ssqpm.dll not found.
C:\WINDOWS\system32\NavCOM03.dll moved successfully.
File/Folder C:\msn.exe not found.

Created on 11-20-2007 11:27:03

Thanks again
billbonic
Active Member
 
Posts: 8
Joined: November 15th, 2007, 8:02 am

Re: Another day, another chump with an infection

Unread postby Katana » November 22nd, 2007, 12:30 pm

Let's give ComboFix another try.

Delete the copy you have as it has been updated.


Download and Run ComboFix
  • Download Combofix from one of the two links below and save it to your desktop
    Download 1
    Download 2
  • Then double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
ComboFix SHOULD NOT be used without supervision.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Another day, another chump with an infection

Unread postby billbonic » November 26th, 2007, 9:45 am

K,
Here is the latest combofix log

ComboFix 07-11-19.3 - chen 2007-11-26 21:32:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.2052.18.594 [GMT 8:00]
執行位置: C:\Documents and Settings\chen\桌面\ComboFix(2).exe
* 已建立新的還原點
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\msn.exe
D:\Autorun.inf
F:\Autorun.inf
.
---- Previous Run -------
.
C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data.\t
C:\Documents and Settings\All Users\Application Data.\t\a1618.dat
C:\Documents and Settings\All Users\Application Data.\t\b1618.dat
C:\Documents and Settings\All Users\Application Data.\t\k1618.dat
C:\Documents and Settings\All Users\Application Data.\t\p1618.dat
C:\Documents and Settings\All Users\Application Data.\t\r1618.dat
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\chen\Local Settings\Application Data\baidu
C:\msn.exe
C:\Program Files\Synaptics\SynTP\Media\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\BP\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\DK\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\FI\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\FR\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\GR\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\IT\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\JP\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\KR\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\LS\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\NL\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\NO\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\SC\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\SE\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\TC\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\TH\_DESKTOP.INI
C:\Program Files\Synaptics\SynTP\Media\US\_DESKTOP.INI
C:\SWSETUP\1UAA\_desktop.ini
C:\SWSETUP\1UAA\Disk1\_desktop.ini
C:\SWSETUP\TOUCHPAD\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\BP\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\DK\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\FI\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\FR\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\GR\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\IT\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\JP\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\KR\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\LS\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\NL\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\NO\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\SC\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\SE\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\TC\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\TH\_DESKTOP.INI
C:\SWSETUP\TOUCHPAD\US\_DESKTOP.INI
C:\WINDOWS\3941.exe
C:\WINDOWS\c31.bmp
C:\WINDOWS\IGM.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\_000015_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\dodolook254.exe
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\f01.dll
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\TEMP.\~my1.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ACPIDISK
-------\LEGACY_BDGUARD
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_MS_2FAX
-------\LEGACY_MXDISPDR
-------\acpidisk
-------\ms_2fax
-------\mxdispdr


-------\LEGACY_MS_2FAX


(((((((((((((((((((((((((((( 2007-10-26 - 2007-11-26 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-11-19 07:39 401,720 --a------ C:\chen.exe
2007-11-17 12:21 <DIR> d-------- C:\Documents and Settings\chen\Application Data\Lavasoft
2007-11-17 11:17 354 ---hs---- C:\WINDOWS\system32\pubdkdqw.ini
2007-11-17 02:31 294 ---hs---- C:\WINDOWS\system32\lnduttoy.ini
2007-11-16 18:45 <DIR> d-------- C:\Documents and Settings\chen\Application Data\DivX
2007-11-16 18:40 <DIR> d-------- C:\Program Files\DivX
2007-11-16 18:40 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-16 18:40 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-16 18:36 1,786 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2007-11-16 14:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-16 14:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-16 14:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-16 01:42 294 ---hs---- C:\WINDOWS\system32\cjrxlexc.ini
2007-11-15 20:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-15 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 20:30 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-11-15 01:41 671,522 ---hs---- C:\WINDOWS\system32\blhmhxbp.ini
2007-11-14 16:55 <DIR> d-------- C:\WINDOWS\A4W_DATA
2007-11-14 01:51 <DIR> d-------- C:\Program Files\Trillian
2007-11-14 01:51 <DIR> d-------- C:\Documents and Settings\chen\.
2007-11-14 00:58 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-11-14 00:57 <DIR> d-------- C:\Program Files\MSECACHE
2007-11-13 23:59 512 --a------ C:\ScanSectorLog.dat
2007-11-13 23:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2007-11-13 23:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-13 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\桌面
2007-11-13 23:51 <DIR> dr------- C:\Documents and Settings\Administrator\「开始」菜单
2007-11-13 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-13 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-13 22:18 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2007-11-13 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2007-11-13 20:48 <DIR> d-------- C:\Program Files\QuickTime
2007-11-13 20:18 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-11-13 20:18 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-11-13 19:25 <DIR> d-------- C:\Program Files\Bonjour
2007-11-13 18:56 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 15:53 660,023 ---hs---- C:\WINDOWS\system32\toiknmbu.ini
2007-11-11 13:08 <DIR> d-------- C:\Program Files\Winamp
2007-11-11 13:08 43,528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-11 10:35 <DIR> d-------- C:\Documents and Settings\chen\Application Data\MailFrontier
2007-11-11 10:32 731,168 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 10:32 76,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 10:32 12,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 10:32 10,316 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-11 10:32 0 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-11 10:14 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-11 10:13 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-11-11 10:13 49,404 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-11-11 10:13 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-11 10:12 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-11 05:54 714 ---hs---- C:\WINDOWS\system32\ondampav.ini
2007-11-11 02:37 <DIR> d-------- C:\Documents and Settings\chen\Application Data\Grisoft
2007-11-11 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 02:34 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-11 02:33 <DIR> d-------- C:\VundoFix Backups
2007-11-11 02:27 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-11 02:27 <DIR> d-------- C:\Program Files\CCleaner
2007-11-11 02:18 401,720 --a------ C:\blarney.exe
2007-11-10 05:48 534 ---hs---- C:\WINDOWS\system32\tbwacwuf.ini
2007-11-09 18:35 <DIR> d-------- C:\Program Files\М?crosoft
2007-11-09 18:32 <DIR> d-------- C:\Program Files\Common Files\?уstem32
2007-11-09 18:20 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-11-09 18:02 <DIR> d-------- C:\Program Files\MSBuild
2007-11-09 18:02 <DIR> d-------- C:\Program Files\Microsoft Works
2007-11-09 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-09 17:48 <DIR> dr-h----- C:\MSOCache
2007-11-09 17:35 36,864 --a------ C:\WINDOWS\system32\awtuvsp.dll.vir
2007-11-09 17:10 <DIR> d-------- C:\Program Files\Real
2007-11-09 17:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-09 14:00 <DIR> d-------- C:\Program Files\uTorrent
2007-11-09 14:00 <DIR> d-------- C:\Documents and Settings\chen\Application Data\uTorrent
2007-11-08 08:17 <DIR> d-------- C:\Program Files\Windows Live
2007-11-08 08:17 <DIR> d-a------ C:\Program Files\MSN Messenger
2007-11-08 08:17 <DIR> d-------- C:\Program Files\Incesoft
2007-11-08 08:17 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-11-07 15:12 <DIR> d-------- C:\Documents and Settings\chen\Application Data\QQUpdate
2007-11-07 15:08 <DIR> d-------- C:\Documents and Settings\chen\Application Data\QQ
2007-11-07 14:06 68 --a------ C:\WINDOWS\system32\fc5a
2007-11-07 13:36 68 --a------ C:\WINDOWS\system32\efd
2007-11-07 13:06 68 --a------ C:\WINDOWS\system32\ec4
2007-11-07 12:36 68 --a------ C:\WINDOWS\system32\dcc4
2007-11-07 12:06 68 --a------ C:\WINDOWS\system32\cc45c1
2007-11-07 11:36 68 --a------ C:\WINDOWS\system32\c5aec
2007-11-07 11:06 68 --a------ C:\WINDOWS\system32\aec4
2007-11-07 10:36 68 --a------ C:\WINDOWS\system32\a63
2007-11-07 02:53 68 --a------ C:\WINDOWS\system32\7fc
2007-11-07 02:23 68 --a------ C:\WINDOWS\system32\1583
2007-11-07 02:06 135,168 --a------ C:\WINDOWS\system32\06a1.dlltmp
2007-11-07 02:03 29 --a------ C:\WINDOWS\system32\-55-6868-102
2007-11-07 02:02 79 --a------ C:\WINDOWS\system32\mstacim.sig
2007-11-07 02:02 14 --a------ C:\WINDOWS\system32\-71-6868-102

.
(((((((((((((((((((((((((((((((((((( Files changed within the last three months )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 08:31 --------- d-----w C:\Program Files\StormII
2007-11-20 02:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-13 14:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-09 11:57 --------- d-----w C:\Program Files\Common Files\?уstem32
2007-11-09 09:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-11-09 09:10 --------- d-----w C:\Program Files\Common Files\Real
2007-11-05 06:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-05 06:59 --------- d-----w C:\Program Files\HPQ
2007-11-05 06:59 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-05 06:57 --------- d-----w C:\Program Files\Synaptics
2007-11-05 06:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-05 06:54 --------- d-----w C:\Program Files\CONEXANT
2007-11-05 06:39 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-05 06:38 --------- d-----w C:\Program Files\Online Services
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-30 12:47 139,264 ---h--w C:\msn.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-17_13.36.28.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 10:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 08:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-17 05:18:31 41,034 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-26 12:33:08 41,034 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-17 05:18:31 314,696 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-26 12:33:08 314,696 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-17 05:18:31 67,796 ----a-w C:\WINDOWS\system32\prfc0804.dat
+ 2007-11-26 12:33:08 78,786 ----a-w C:\WINDOWS\system32\prfc0804.dat
- 2007-11-17 05:18:31 141,646 ----a-w C:\WINDOWS\system32\prfh0804.dat
+ 2007-11-26 12:33:08 150,116 ----a-w C:\WINDOWS\system32\prfh0804.dat
- 2007-11-16 16:19:51 6,735,429 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-11-24 14:51:18 6,850,081 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
(((((((((((((((((((((((((((((((((((((((((( Important registry entries )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty or legitimate registry values will not be shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 22:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 13:01]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-02-16 14:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-09 17:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-17 22:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-17 22:00 C:\WINDOWS\system32\ctfmon.exe]

C:\Documents and Settings\chen\「开始」菜单\程序\启动\
msn.exe [2007-09-30 20:47:12]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{867623F2-B60C-49c4-A50D-FCA697B0CC04}"= C:\WINDOWS\system32\NavCOM03.dll [ ]
C:\WINDOWS\system32\NavLogon.dll 2004-08-02 19:36 83272 C:\WINDOWS\system32\NavLogon.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

R0 8g0yr9zmam;8g0yr9zma;C:\WINDOWS\system32\DRIVERS\8g0yr9zmam.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1c10aa8-4e6a-11da-8494-0016d3a75b70}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM

.
billbonic
Active Member
 
Posts: 8
Joined: November 15th, 2007, 8:02 am
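The listing and the MountPoints2 key above are what a helper reads before writing a fix. As an added example (not code from this thread, from ComboFix or from MalwareRemoval.com), the Python below encodes the patterns a reader can pick out of that log: hidden+system eight-letter .ini files sitting directly in system32, tiny files dropped there, executable names carrying an extra extension, names with digits interleaved among letters, look-alike (non-ASCII) folder names under Program Files, a hidden .exe at the drive root, and a MountPoints2 shell verb that runs code off the removable drive itself. The sample lines are copied from the log; the two homoglyph folder names are spelled with explicit Cyrillic escapes because the forum rendered the original letters as "?". Every threshold and regex is an assumption of this example, not a ComboFix rule.

```python
"""Heuristic triage of a ComboFix "new files" listing and a MountPoints2 key.

Added example, not code from the forum post, ComboFix or MalwareRemoval.com.
The rules are assumptions distilled from what the helper removed in this
thread; a hit means "look closer", not "delete".
"""
import ntpath
import re

# Constructed sample: lines copied from the listing posted above. The two
# Program Files names use explicit Cyrillic escapes (\u041c, \u0443) because
# the forum rendered the original look-alike letters as "?".
SAMPLE_LISTING = """\
2007-11-15 01:41 671,522 ---hs---- C:\\WINDOWS\\system32\\blhmhxbp.ini
2007-11-13 20:18 2,463,976 --a------ C:\\WINDOWS\\system32\\NPSWF32.dll
2007-11-11 13:08 43,528 --------- C:\\WINDOWS\\system32\\drivers\\pxhelp20.sys
2007-11-11 10:32 731,168 --ahs---- C:\\WINDOWS\\system32\\drivers\\fidbox.dat
2007-11-11 05:54 714 ---hs---- C:\\WINDOWS\\system32\\ondampav.ini
2007-11-11 02:33 <DIR> d-------- C:\\VundoFix Backups
2007-11-09 18:35 <DIR> d-------- C:\\Program Files\\\u041c?crosoft
2007-11-09 18:32 <DIR> d-------- C:\\Program Files\\Common Files\\?\u0443stem32
2007-11-09 17:35 36,864 --a------ C:\\WINDOWS\\system32\\awtuvsp.dll.vir
2007-11-07 14:06 68 --a------ C:\\WINDOWS\\system32\\fc5a
2007-11-07 12:06 68 --a------ C:\\WINDOWS\\system32\\cc45c1
2007-11-07 02:02 79 --a------ C:\\WINDOWS\\system32\\mstacim.sig
2007-09-30 12:47 139,264 ---h--w C:\\msn.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")
SYS32_DIRECT = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)  # no subfolders
VUNDO_INI = re.compile(r"^[a-z]{8}\.ini$")                           # blhmhxbp.ini style
DOUBLE_EXT = re.compile(r"\.(dll|exe|sys)\.\w+$|\.dlltmp$", re.I)    # awtuvsp.dll.vir
TINY_BYTES = 256                                                     # assumed threshold


def parse_listing(text):
    """Yield dicts for 'date time size|<DIR> attrs path' lines; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when, size, attrs, path = m.groups()
            yield {"when": when, "is_dir": size == "<DIR>", "attrs": attrs.lower(),
                   "size": None if size == "<DIR>" else int(size.replace(",", "")),
                   "path": path}


def reasons_for(e):
    """Heuristic reasons this entry deserves a second look (empty list if none)."""
    path, attrs = e["path"], e["attrs"]
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    reasons = []
    if any(ord(c) > 127 for c in path):
        reasons.append("non-ASCII look-alike characters in path")
    if e["is_dir"]:
        return reasons
    in_sys32 = bool(SYS32_DIRECT.match(path))
    if in_sys32 and "h" in attrs and "s" in attrs:
        reasons.append("hidden+system file directly in system32")
        if VUNDO_INI.match(name.lower()):
            reasons.append("8 random lowercase letters + .ini")
    if in_sys32 and e["size"] < TINY_BYTES:
        reasons.append(f"tiny file ({e['size']} bytes) dropped in system32")
    if in_sys32 and DOUBLE_EXT.search(name):
        reasons.append("executable name carrying an extra extension")
    if len(re.findall(r"\d+", stem)) >= 2 and re.search(r"[a-z]", stem, re.I):
        reasons.append("digits interleaved with letters (random-looking name)")
    if "h" in attrs and ext.lower() == ".exe" and ntpath.dirname(path).endswith(":\\"):
        reasons.append("hidden executable at drive root")
    return reasons


def triage(text):
    """Map each suspicious path to its reasons, in listing order."""
    return {e["path"]: r for e in parse_listing(text) if (r := reasons_for(e))}


# Constructed sample: the MountPoints2 entry from the same log.
SAMPLE_MOUNTPOINTS = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{c1c10aa8-4e6a-11da-8494-0016d3a75b70}]
\\Shell\\AutoRun\\command - H:\\
\\Shell\\open\\Command - rundll32.exe .\\desktop.dll,InstallM
"""
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)


def autorun_hijacks(text):
    """Shell verbs whose command runs code carried on the device itself.

    A relative '.\\' path or a rundll32 entry point means opening the drive in
    Explorer executes whatever the drive holds: the re-infection loop a
    removable-drive worm relies on."""
    hits = []
    for line in text.splitlines():
        m = VERB_RE.match(line.strip())
        if m and (".\\" in m.group(2) or "rundll32" in m.group(2).lower()):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LISTING).items():
        print(path, "\n    " + "\n    ".join(why))
    for verb, cmd in autorun_hijacks(SAMPLE_MOUNTPOINTS):
        print(f"MountPoints2 '{verb}' verb runs: {cmd}")
```

Note what the rules deliberately do not flag: fidbox.dat under system32\drivers is hidden+system as well, but it sits in a subfolder and the helper left it alone, which is why the hidden+system rule is scoped to direct children of system32. A hit is a reason to collect a file for analysis, not to delete it.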

Re: Another day, another chump with an infection

Unread postby Katana » November 26th, 2007, 3:57 pm

OK, it looks like you are getting reinfected as fast as we clean it.

If you have more than one USB drive then please run the Flash Disinfector for each one.


Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.

Please restart your computer.
( repeat for each one )


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines ( if still present )
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\WINDOWS\system32\06a1.dll
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)

O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it batfix.bat. Please save it on your desktop.

@echo off
REM /a = include hidden and system files, /f = force-delete read-only files,
REM /s = also search every subfolder of C:\ for a file named msn.exe
del /a /f /s "C:\msn.exe"
REM the batch file then removes itself (/q = quiet, no confirmation prompt)
del /q batfix.bat

Double click on batfix.bat . You won't see much happen, so don't panic :)

    ComboFix has been updated, so please do the following
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



Custom CFScript
Please download >>ComboFix<< by sUBs:
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=25338&p=240773#p240773
    
    Comment:: Katana MRU
    Collect::
    C:\WINDOWS\system32\6ac91.exe
    C:\Documents and Settings\chen\.\desktop.dll
    
    Suspect::
    C:\WINDOWS\system32\mstacim.sig
    c:\windows\system32\drivers\8g0yr9zmam.sys
    
    
    DirLook::
    C:\WINDOWS\system32\-71-6868-102
    C:\WINDOWS\system32\fc5a
    C:\WINDOWS\system32\efd
    C:\WINDOWS\system32\ec4
    C:\WINDOWS\system32\dcc4
    C:\WINDOWS\system32\cc45c1
    C:\WINDOWS\system32\c5aec
    C:\WINDOWS\system32\aec4
    C:\WINDOWS\system32\a63
    C:\WINDOWS\system32\7fc
    C:\WINDOWS\system32\1583
    C:\WINDOWS\system32\-55-6868-102
    
    File::
    C:\WINDOWS\system32\pubdkdqw.ini
    C:\WINDOWS\system32\lnduttoy.ini
    C:\WINDOWS\system32\cjrxlexc.ini
    C:\WINDOWS\system32\blhmhxbp.ini
    C:\WINDOWS\system32\toiknmbu.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\vsconfig.xml
    C:\WINDOWS\system32\ondampav.ini
    C:\WINDOWS\system32\tbwacwuf.ini
    C:\WINDOWS\system32\awtuvsp.dll.vir
    C:\WINDOWS\system32\06a1.dlltmp
    C:\msn.exe
    c:\windows\system32\drivers\8g0yr9zmam.sys
    C:\WINDOWS\system32\06a1.dll
    
    Folder::
    C:\Documents and Settings\chen\.
    
    Driver::
    8g0yr9zmam
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{867623F2-B60C-49c4-A50D-FCA697B0CC04}"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1c10aa8-4e6a-11da-8494-0016d3a75b70}]

  • Save this as CFScript.txt and place it on your desktop.


    (screenshot)


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please post the ComboFix log along with a fresh HJT log in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Another day, another chump with an infection

Unread postby billbonic » November 27th, 2007, 2:01 am

OK,
First, my hunch is that the problem could be with Internet Explorer. I use Firefox, but my Chinese assistant uses Explorer when she uses my computer, and I cannot seem to communicate (even though I can speak enough Chinese to get the point across) that IE is bad, and to only use Firefox, which is only marginally better. I will be sure to curb all further usage. Is there a way to delete / uninstall it?
Second:
When I run the Flash Disinfector, I have my external HD connected, as per the protocol for running the program successfully. When the program finishes running, explorer.exe always crashes - or disappears. In either case I have to Ctrl-Alt-Del to get into the task manager and start it up again. This last time I didn't do that, and just forced a hard shut-down instead.
Third:
My HijackThis log did not show any of the O2-class files slated for deletion:
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\WINDOWS\system32\06a1.dll
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)

Additionally, the nvidia service:
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)
was also not to be found.

For good measure here is a logfile of the report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\HijackThi\chen.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/chen/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 6737 bytes

I eliminated the combofix one, and took it upon myself (I know, reckless, but the "no-name" or "File missing" thing gets to me) to delete the others in bold.

I will re-post momentarily with the results of the batfix / combofix procedure.
billbonic
Active Member
 
Posts: 8
Joined: November 15th, 2007, 8:02 am
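The check described above, comparing a helper's fix list against a fresh HijackThis log by eye, can be written out. As an added example (not code from this thread or from HijackThis), the script below gives each HJT line a stable identity (CLSID for BHOs, hive and value name for O4 Run entries, short service name for O23 services), reports which lines from the fix list still appear in the new log, and flags the two patterns the fix list targeted: registrations whose file is gone ("(file missing)", "(no file)") and Run entries that launch cmd.exe or another interpreter. The sample lines are copied from the posts above; the identity rules and the interpreter list are assumptions of this example.

```python
"""Reconcile a HijackThis fix list against a fresh HJT log.

Added example, not code from the forum post or from HijackThis. It does by
regex what was done by eye above: report which requested lines are still
present, and flag entries a helper would want to review.
"""
import re

# Constructed samples copied from this thread: the five lines the helper asked
# to fix, and a handful of lines from the log posted afterwards.
FIX_LIST = """\
O2 - BHO: (no name) - {3930D164-6564-4099-A33E-2DD4DFBC4669} - C:\\WINDOWS\\system32\\ssqpm.dll (file missing)
O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\\WINDOWS\\system32\\06a1.dll
O2 - BHO: (no name) - {96BEE5B7-892D-4A91-82F8-17C585B67D8C} - (no file)
O4 - HKLM\\..\\Run: [combofix] "C:\\WINDOWS\\system32\\cmd.exe" /c "cd /d C:\\ComboFix\\ & Combobatch.bat"
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - est2015.exe (file missing)
"""
FRESH_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [combofix] "C:\\WINDOWS\\system32\\cmd.exe" /c "cd /d C:\\ComboFix\\ & Combobatch.bat"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\]")
O23_RE = re.compile(r"^O23 - Service: [^-]*\(([^)]+)\) - ")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
# Interpreters a Run entry has little business launching (assumed list).
INTERPRETER_RE = re.compile(r"\\(cmd|rundll32|wscript|cscript|mshta)\.exe\b", re.I)


def entry_key(line):
    """Stable identity of an HJT line: CLSID for O2/O3/O9, hive+name for O4,
    short service name for O23, otherwise the whole line. Paths are ignored
    so a line still matches after HJT re-renders it."""
    sec = line.split(" - ", 1)[0]
    if m := CLSID_RE.search(line):
        return (sec, m.group(0).upper())
    if m := O4_RE.match(line):
        return (sec, m.group(1).upper(), m.group(2).lower())
    if m := O23_RE.match(line):
        return (sec, m.group(1).lower())
    return (sec, line.strip())


def still_present(fix_list, fresh_log):
    """Lines from fix_list whose identity still appears in fresh_log."""
    seen = {entry_key(l) for l in fresh_log.splitlines() if l.strip()}
    return [l for l in fix_list.splitlines() if l.strip() and entry_key(l) in seen]


def review_flags(log):
    """Entries worth a helper's attention: registrations whose file is gone,
    and Run entries that launch a command or script interpreter."""
    flags = {}
    for l in log.splitlines():
        if not l.strip():
            continue
        sec = l.split(" - ", 1)[0]
        if ORPHAN_RE.search(l):
            flags[l] = f"{sec} registration whose file is missing (orphan)"
        elif sec == "O4" and INTERPRETER_RE.search(l):
            flags[l] = "Run entry launches a command/script interpreter"
    return flags


if __name__ == "__main__":
    for l in still_present(FIX_LIST, FRESH_LOG):
        print("STILL PRESENT:", l)
    for l, why in review_flags(FRESH_LOG).items():
        print(f"REVIEW ({why}):", l)
```

Run against the two samples, it reports only the [combofix] Run entry as still present, which matches the log above; that entry is ComboFix's own leftover, so a flag here means "review", not "malware". The O23 rule assumes the display name contains no hyphen before the parenthesised short name; a service that breaks that assumption falls back to whole-line matching.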

Re: Another day, another chump with an infection

Unread postby billbonic » November 27th, 2007, 4:30 am

OK, I ran ComboFix. When my computer restarted, I received an error regarding Zone Alarm, and then nothing. Blue screen. I waited 20 minutes. Nothing. More blue screen (default desktop background color, not the system crash screen). Tried a CTRL-ALT-DEL, nothing. Forced a reboot.

My system started up normally, but there is this little problem I am having. All of my documents have vanished. All of them. The My Documents folder still exists, and so do the folders that were in there, but they are all empty. I am not going to freak out yet, because I imagine what happened was some kind of system restore issue. I have to get those documents back. I was working on something - let's just say it was important - work-related, and I need to finish it soon. Please tell me there is hope.

Here is the combofix log:

ComboFix 07-11-19.4 - chen 2007-11-27 14:18:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.2052.18.571 [GMT 8:00]
Running from: C:\Documents and Settings\chen\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\chen\My Documents\CFScript.txt
* A new restore point was created

FILE
C:\msn.exe
C:\WINDOWS\system32\06a1.dll
C:\WINDOWS\system32\06a1.dlltmp
C:\WINDOWS\system32\awtuvsp.dll.vir
C:\WINDOWS\system32\blhmhxbp.ini
C:\WINDOWS\system32\cjrxlexc.ini
c:\windows\system32\drivers\8g0yr9zmam.sys
C:\WINDOWS\system32\lnduttoy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ondampav.ini
C:\WINDOWS\system32\pubdkdqw.ini
C:\WINDOWS\system32\tbwacwuf.ini
C:\WINDOWS\system32\toiknmbu.ini
C:\WINDOWS\system32\vsconfig.xml
.
/wow section not completed

Here is a new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThi\chen.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6517 bytes

Let me know.
Thanks
billbonic
Active Member
 
Posts: 8
Joined: November 15th, 2007, 8:02 am

Re: Another day, another chump with an infection

Unread postby Katana » November 27th, 2007, 6:42 am

billbonic wrote:My system started up normally, but there is this little problem I am having. All of my documents have vanished. All of them. The My Documents folder still exists, and so do the folders that were in there, but they are all empty. I am not going to freak out yet, because I imagine what happened was some kind of system restore issue. I have to get those documents back. I was working on something - let's just say it was important - work-related, and I need to finish it soon. Please tell me there is hope.

I will speak to the developer of Combofix and find out what happened.
ComboFix makes a backup before it runs, so all should be well.

Do you have the full ComboFix log ?
C:\combofix.txt

Also please post the contents of C:\qoobox\ComboFix-quarantined-files.txt
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Another day, another chump with an infection

Unread postby billbonic » November 27th, 2007, 7:07 am

This is all I am getting from the combofix.exe log

ComboFix 07-11-19.4 - chen 2007-11-27 14:18:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.2052.18.571 [GMT 8:00]
Running from: C:\Documents and Settings\chen\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\chen\My Documents\CFScript.txt
* A new restore point was created

FILE
C:\msn.exe
C:\WINDOWS\system32\06a1.dll
C:\WINDOWS\system32\06a1.dlltmp
C:\WINDOWS\system32\awtuvsp.dll.vir
C:\WINDOWS\system32\blhmhxbp.ini
C:\WINDOWS\system32\cjrxlexc.ini
c:\windows\system32\drivers\8g0yr9zmam.sys
C:\WINDOWS\system32\lnduttoy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ondampav.ini
C:\WINDOWS\system32\pubdkdqw.ini
C:\WINDOWS\system32\tbwacwuf.ini
C:\WINDOWS\system32\toiknmbu.ini
C:\WINDOWS\system32\vsconfig.xml
.
/wow section not completed

This file: C:\qoobox\ComboFix-quarantined-files.txt
Does not exist. The quarantine folder is where my documents are hiding (it is 7.8 GB), but I am not going to fuss with that until I hear from you.
Thanks again.
billbonic
Active Member
 
Posts: 8
Joined: November 15th, 2007, 8:02 am

Re: Another day, another chump with an infection

Unread postby Katana » November 27th, 2007, 7:59 am

If you can see the files in the Qoobox folder, then they can be restored without any problem.
I will find out the best way of restoring them shortly.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester