Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help! After remove the Virus 2009 lab

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 17th, 2008, 10:22 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:20 AM, on 10/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0722906597
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8434 bytes

Don't know why This Hijackthis when i click scan 2nd times, it display so many Protocol in the HJT log.Please help me solve my problem. Thanks
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang
Advertisement
Register to Remove

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 19th, 2008, 9:11 pm

Hi yeakyau :) how have you been?


Do you not have antivirus installed on this machine? If not please install one of these:

Antivir: http://www.free-av.com/
Avast!: http://www.avast.com/eng/download-avast-home.html
Please ensure you have one active and up-to-date  antivirus program installed before continuing

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
Code: Select all
@echo off
regedit /a "%userprofile%\desktop\t1.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler"
regedit /a "%userprofile%\desktop\t2.txt" "HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Handler"
echo HKLM >> protocol.txt
type t1.txt >> protocol.txt
echo HKCU >> protocol.txt
type t2.txt >> protocol.txt
del t1.txt
del t2.txt
del %0

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called protocol.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Download RSIT by random/random to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

  • Double click RSIT.exe to start the program, and click Continue at the disclaimer screen.
  • When the scan is complete, two text files will open - log.txt <- this one will be maximized and info.txt <-this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt and info.txt in your reply

------------------------------------------------------------------------

Once complete, please post both RSIT logs and attach the protocol.txt output. You won't need to produce a new HijackThis log as RSIT produces one for you.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 22nd, 2008, 11:25 pm

Do you still need help?
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 23rd, 2008, 5:01 am

Hi,
Sorry, My college, hostel internet is down, Today i just, bring my computer back to home town, i will send you the lates report , sorry for any delay.
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 23rd, 2008, 8:00 am

OK, thanks for letting me know.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 23rd, 2008, 8:43 am

HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdl]
@="CDL: Asychronous Pluggable Protocol Handler"
"CLSID"="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo]
@="cdo: Asychronous KnowledgePluggable Protocol Handler"
"CLSID"="{CD00020A-8B95-11D1-82DB-00C04FB1625D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\dvd]
@="DVD: Pluggable Protocol"
"CLSID"="{12D51199-0DB5-46FE-A120-47A3D7D937CC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\gopher]
@="gopher: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb]
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
@="Microsoft OLE DB Provider for Internet Publishing"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\https]
@="https: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\https\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\https\oledb]
@="Microsoft OLE DB Provider for Internet Publishing"
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\javascript]
"CLSID"="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall]
"CLSID"="{828030A1-22C1-4009-854F-8E305202313F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\local]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mailto]
"CLSID"="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mhtml]
@="MHTML Asychronous Pluggable Protocol Handler"
"CLSID"="{05300401-BCBC-11d0-85E3-00C04FD85AB4}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help]
@="Help HxProtocol"
"CLSID"="{314111c7-a502-11d2-bbca-00c04f8ec294}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its]
@="ms-its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss]
@="ms-itss: Asynchronous Pluggable Storage Protocol Handler"
"CLSID"="{0A9007C0-4076-11D3-8789-0000F8105754}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\oledb]
@="Microsoft OLE DB Provider for Internet Publishing"
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim]
"CLSID"="{828030A1-22C1-4009-854F-8E305202313F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mso-offdap]
@="Data Page Pluggable Protocol"
"CLSID"="{3D9F03FA-7A94-11D3-BE81-0050048385D1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mso-offdap11]
@="Data Page Pluggable Protocol"
"CLSID"="{32505114-5902-49B2-880A-1F7738E5A384}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]
"CLSID"="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com]
"CLSID"="{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}"
@="Skype4COM Pluggable Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sysimage]
"CLSID"="{76E67A63-06E9-11D2-A840-006008059382}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]
@="TV: Pluggable Protocol"
"CLSID"="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\vbscript]
"CLSID"="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"

HKCU
---------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of random's system information tool 1.04 (written by random/random)
Run by SONIC at 2008-10-23 08:38:16
Microsoft Windows XP Professional Service Pack 2
System drive C: has 442 MB (3%) free of 15 GB
Total RAM: 247 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:24 AM, on 10/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\SONIC\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\SONIC.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0722906597
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 7030 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2007-09-05 816400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-02-01 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
BitComet Helper - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll [2008-01-02 496952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-10-17 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-10-17 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-10-17 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]
"S3apphk"=C:\WINDOWS\system32\S3apphk.exe [2002-03-14 28672]
"D-Link AirPlus XtremeG"=C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe [2006-07-07 1323008]
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [2006-06-01 49152]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-10-17 136600]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-06-10 1447168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-02-01 21898024]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-04-01 486856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-03-30 200064]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d51f60-89b7-11dd-bd94-001b111af1c9}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f831d2-05e7-11dd-bbd9-001b111af1c9}]
shell\AutoRun\command - G:\DataTraveler101R.exe


======List of files/folders created in the last 1 months======

2008-10-19 21:47:11 ----D---- C:\rsit
2008-10-19 12:01:40 ----A---- C:\cfsvsc.exe
2008-10-19 12:01:36 ----A---- C:\winupdate.202622.exe
2008-10-19 12:01:32 ----A---- C:\client_dll.1652.0.exe
2008-10-19 11:48:31 ----D---- C:\Program Files\ESET
2008-10-19 11:48:31 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2008-10-17 15:25:33 ----D---- C:\WINDOWS\Sun
2008-10-17 12:25:20 ----D---- C:\Program Files\Sun
2008-10-17 12:24:12 ----A---- C:\WINDOWS\system32\javaws.exe
2008-10-17 12:24:12 ----A---- C:\WINDOWS\system32\javaw.exe
2008-10-17 12:24:12 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-10-17 12:24:11 ----A---- C:\WINDOWS\system32\java.exe
2008-10-17 12:15:47 ----D---- C:\Program Files\Java
2008-10-17 10:30:40 ----D---- C:\Documents and Settings\SONIC\Application Data\Malwarebytes
2008-10-17 10:30:15 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-17 10:30:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-17 09:48:44 ----D---- C:\Documents and Settings\SONIC\Application Data\Sun
2008-10-17 09:07:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-17 04:07:06 ----SHD---- C:\RECYCLER
2008-10-17 02:10:19 ----A---- C:\ComboFix.txt
2008-10-17 01:57:11 ----D---- C:\WINDOWS\temp
2008-10-17 01:52:06 ----D---- C:\ComboFix
2008-10-17 01:52:02 ----A---- C:\WINDOWS\system32\CF16162.exe
2008-10-17 01:34:36 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-17 01:30:35 ----D---- C:\Program Files\Applications
2008-10-16 00:55:37 ----A---- C:\WINDOWS\PSEXESVC.EXE
2008-10-15 09:36:08 ----D---- C:\Documents and Settings\All Users\Application Data\WinZipSE

======List of files/folders modified in the last 1 months======

2008-10-23 08:28:38 ----D---- C:\Documents and Settings\SONIC\Application Data\Skype
2008-10-22 20:15:05 ----D---- C:\Documents and Settings\SONIC\Application Data\skypePM
2008-10-20 05:43:33 ----D---- C:\WINDOWS
2008-10-19 13:32:16 ----D---- C:\Program Files\Mozilla Firefox
2008-10-19 11:52:11 ----SHD---- C:\WINDOWS\Installer
2008-10-19 11:51:43 ----D---- C:\Config.Msi
2008-10-19 11:51:28 ----HD---- C:\WINDOWS\inf
2008-10-19 11:51:28 ----D---- C:\WINDOWS\system32\drivers
2008-10-19 11:51:10 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-19 11:48:31 ----RD---- C:\Program Files
2008-10-17 12:43:41 ----D---- C:\WINDOWS\system32
2008-10-17 12:43:01 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-17 12:23:35 ----D---- C:\WINDOWS\Prefetch
2008-10-17 09:30:58 ----D---- C:\WINDOWS\BDOSCAN8
2008-10-17 05:31:02 ----D---- C:\WINDOWS\Minidump
2008-10-17 02:09:49 ----D---- C:\QooBox
2008-10-17 02:01:12 ----A---- C:\WINDOWS\system.ini
2008-10-17 01:58:36 ----D---- C:\WINDOWS\system32\config
2008-10-17 01:57:33 ----D---- C:\WINDOWS\erdnt
2008-10-17 01:55:34 ----D---- C:\Program Files\Common Files
2008-10-17 01:55:33 ----D---- C:\WINDOWS\AppPatch
2008-10-17 00:48:35 ----D---- C:\Documents and Settings\SONIC\Application Data\mIRC
2008-10-09 18:31:20 ----D---- C:\WINDOWS\system32\Macromed
2008-10-09 15:12:49 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-08 19:26:28 ----D---- C:\Downloads
2008-10-08 12:21:42 ----D---- C:\WINDOWS\Debug
2008-10-05 23:57:40 ----D---- C:\Program Files\Messenger Plus! Live
2008-10-05 23:57:39 ----D---- C:\Program Files\MSN Messenger
2008-09-24 16:59:20 ----AC---- C:\WINDOWS\vbaddin.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-03 37376]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-06-10 53256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2001-08-23 12160]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228]
R1 VIAPFD;VIAPFD; C:\WINDOWS\System32\Drivers\VIAPFD.SYS [2001-12-17 3279]
R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS []
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2003-07-29 40448]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-06-10 39944]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-07-17 278908]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\system32\DRIVERS\R8139n51.SYS [2002-07-17 45568]
R3 trid3d;trid3d; C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-19 144860]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 Hmnt;Hmnt; C:\WINDOWS\system32\drivers\Hmnt.sys [2001-09-20 11182]
S3 A5AGU;D-Link USB Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2006-05-08 347648]
S3 ag0vw9sz;ag0vw9sz; C:\WINDOWS\system32\drivers\ag0vw9sz.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 VIAudio;VIA AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\ac97via.sys [2004-08-03 84480]
S3 xAntiArp;xAntiArpSpoof Service; C:\WINDOWS\system32\DRIVERS\xAntiArp.sys []
S4 I804tirsupce;I804tirsupce; C:\WINDOWS\system32\drivers\usbcamd2.sys [2001-08-23 23936]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-17 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 ANIWZCSdService;ANIWZCSd Service; C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [2005-10-19 49152]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-06-10 19200]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2008-01-27 68096]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]

-----------------EOF-----------------
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 24th, 2008, 12:20 am

Hi,

Please also post the info.txt from RSIT, you should find this here:
C:\rsit\info.txt


Did you edit anything in the log you posted?

It looks like you have done a some online scans, did they show any malware?

Did you install an antivirus program?

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
Code: Select all
@echo off
dir "C:\Program Files\Applications" /a /s >> results.txt 2>>&1
dir "C:\WINDOWS\system32\drivers\ag0vw9sz.sys" /a /s >> results.txt 2>>&1
dir "C:\WINDOWS\system32\DRIVERS\xAntiArp.sys" /a /s >> results.txt 2>>&1
del %0

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Please open this page in your browser:
http://www.bleepingcomputer.com/submit- ... channel=32

Fill in the link to topic field with a link to this topic
Copy/paste the following into the Browse to the file you want to submit field:
C:\cfsvsc.exe
Then press Send File, this will upload the file for analysis

Please repeat for these files:
C:\winupdate.202622.exe
C:\client_dll.1652.0.exe


------------------------------------------------------------------------

Once complete, please post the info.txt, results.txt and a new HijackThis log.
Please also post the last ComboFix log from here:
C:\ComboFix.txt
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 24th, 2008, 1:47 am

why suspected I am edit the log?
I'm not able to run online scan successfully , due to our hostel internet blocking me from update the online virus scan engine.

Yes,Eset Nod 32 And installed Malware bytes , do detect a few by malware bytes, but Eset nod 32 none.

Volume in drive C has no label.
Volume Serial Number is 9C05-6B83

Directory of C:\Program Files\Applications

10/17/2008 02:00 AM <DIR> .
10/17/2008 02:00 AM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 546,848,768 bytes free
Volume in drive C has no label.
Volume Serial Number is 9C05-6B83
File Not Found
Volume in drive C has no label.
Volume Serial Number is 9C05-6B83
File Not Found

Yes. Has been posted for analysis, so who will reply me the results which has been sent for analysis.
_________________________________________________________________________________________________________
info.txt logfile of random's system information tool 1.04 2008-10-19 21:50:32

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AirPlus XtremeG-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{79B92240-9C65-4DD7-B1AD-59910D2C1353} /l1033
ANIO Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Avance AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
BitComet 0.98-->C:\Program Files\BitComet\uninst.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
ESET NOD32 Antivirus-->MsiExec.exe /I{2204AF25-80E5-468E-B46D-795685B35DEB}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java(TM) 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java(TM) SE Development Kit 6 Update 10-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160100}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Project Professional 2003-->MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio MUI (English) 2007-->MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL
Microsoft Office Visio Professional 2007-->MsiExec.exe /X{90120000-0051-0000-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual Studio 6.0 Enterprise Edition-->"C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Mozilla Firefox (2.0.0.17)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library - Visual Studio 6.0a-->"C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\Setup.exe"
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Norton PartitionMagic 8.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
QuickTime-->MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Recuva (remove only)-->"C:\Program Files\Recuva\uninst.exe"
RTLSetup for Realtek RTL8139/810x Family NIC 3.00-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\setup.exe" -l0x9 REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Visio 2007 (KB947590)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {199018BD-578E-44BD-A28F-7F944931CABD}
Security Update for the 2007 Microsoft Office System (KB936960)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Skype? 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VIA Tech KLE/PLE Display Driver and Utilities-->C:\PROGRA~1\S3\VIAKPLE\s3setvga.exe -s -fC:\PROGRA~1\S3\VIAKPLE\VIAKPLE.uns
VIAhm-->C:\WINDOWS\IsUninst.exe -fc:\VIAhm\Uninst.isu
VideoLAN VLC media player 0.8.6d-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

=====HijackThis Backups=====

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O2 - BHO: VirRLWarningBHO Class - {A81EBFD7-0FA3-41ec-B60D-6DAE78B4D31A} - C:\Program Files\VirRL2009\VirRLWarning.dll (file missing)
O2 - BHO: 675873 helper - {030A0F33-5B99-482E-83F5-2EEB8457878B} - C:\WINDOWS\system32\675873\675873.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BE1A344F-9FF5-4024-949B-52205E6DB2D0} - C:\Program Files\Applications\iebt.dll (file missing)
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\algg.exe
O4 - HKCU\..\Run: [VirRL2009] "C:\Program Files\VirRL2009\VirRL2009.exe"
O22 - SharedTaskScheduler: amenity - {fef6ace8-bb45-4009-8342-63415164d691} - C:\WINDOWS\system32\bmztmss.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.howtoiexplorer.com/redirect.php (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.howtoiexplorer.com/redirect.php (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

======Security center information======

AV: ESET NOD32 Antivirus 3.0

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 7 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0701
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------



_________________________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:03 AM, on 10/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0722906597
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 9806 bytes


_________________________________________________________________________________________________________
ComboFix 08-10-23.05 - SONIC 2008-10-24 2:16:01.22 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.115 [GMT -8:00]
执行位置: C:\Documents and Settings\SONIC\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( 2008-09-24 至 2008-10-24 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-24 01:36 . 2008-10-24 01:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-19 21:47 . 2008-10-19 21:50 <DIR> d-------- C:\rsit
2008-10-19 12:01 . 2008-10-19 12:01 0 --a------ C:\winupdate.202622.exe
2008-10-19 12:01 . 2008-10-19 12:01 0 --a------ C:\client_dll.1652.0.exe
2008-10-19 12:01 . 2008-10-19 12:01 0 --a------ C:\cfsvsc.exe
2008-10-19 11:48 . 2008-10-19 11:57 <DIR> d-------- C:\Program Files\ESET
2008-10-19 11:48 . 2008-10-19 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-10-17 15:25 . 2008-10-17 15:25 <DIR> d-------- C:\WINDOWS\Sun
2008-10-17 12:25 . 2008-10-17 12:25 <DIR> d-------- C:\Program Files\Sun
2008-10-17 12:24 . 2008-10-17 12:22 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-17 12:24 . 2008-10-17 12:22 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-17 12:15 . 2008-10-17 12:22 <DIR> d-------- C:\Program Files\Java
2008-10-17 10:30 . 2008-10-23 10:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-17 10:30 . 2008-10-17 10:30 <DIR> d-------- C:\Documents and Settings\SONIC\Application Data\Malwarebytes
2008-10-17 10:30 . 2008-10-17 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-17 01:34 . 2008-10-17 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-17 01:30 . 2008-10-17 02:00 <DIR> d-------- C:\Program Files\Applications
2008-10-15 09:36 . 2008-10-15 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2008-10-10 18:31 . 2008-10-10 18:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-10 18:31 . 2008-10-10 18:31 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 10:25 --------- d-----w C:\Documents and Settings\SONIC\Application Data\Skype
2008-10-24 09:35 --------- d-----w C:\Documents and Settings\SONIC\Application Data\skypePM
2008-10-19 20:05 29,832 -c--a-w C:\Documents and Settings\SONIC\Application Data\GDIPFONTCACHEV1.DAT
2008-10-17 20:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-17 08:48 --------- d-----w C:\Documents and Settings\SONIC\Application Data\mIRC
2008-10-06 07:57 --------- d-----w C:\Program Files\MSN Messenger
2008-10-06 07:57 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-31 21:06 35,208 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-19 08:27 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-07-30 09:42 360320 10c5882d509c60673bf1bf74ef35baaf C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-30 09:42 360320 10c5882d509c60673bf1bf74ef35baaf C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot_2008-10-14_13.04.48.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-29 16:34:07 181,760 -c--a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-10-15 16:56:14 102,400 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-10-19 19:51:41 10,134 ----a-r C:\WINDOWS\Installer\{2204AF25-80E5-468E-B46D-795685B35DEB}\callmsi.exe
+ 2008-10-19 19:51:41 136,448 ----a-r C:\WINDOWS\Installer\{2204AF25-80E5-468E-B46D-795685B35DEB}\egui.exe
+ 2008-06-11 02:47:42 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-06-11 02:48:38 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
+ 2008-06-11 02:56:10 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
- 2008-07-22 22:56:13 1,492,152 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-17 20:48:32 1,475,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-17 20:22:43 144,792 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-10-17 20:22:43 144,792 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-10-17 20:22:44 148,888 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-10-05 03:16:26 235,936 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe
- 2008-10-09 23:14:15 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-10-16 17:35:36 88,590 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-10-24 10:22:36 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_8c.dat
+ 2008-10-24 10:24:18 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_bac.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"nodenable"="C:\Program Files\eset\nodenable.exe" [2008-09-01 326803]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2006-07-07 1323008]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-01 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-17 136600]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"S3apphk"="S3apphk.exe" [2002-03-14 C:\WINDOWS\system32\S3apphk.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-30 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8197:TCP"= 8197:TCP:BitComet 8197 TCP
"8197:UDP"= 8197:UDP:BitComet 8197 UDP

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-17 152984]
R3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2002-03-19 144860]
S0 fyhsvzsl;fyhsvzsl;C:\WINDOWS\system32\drivers\qowlfv.sys [ ]
S0 ppwfk;ppwfk;C:\WINDOWS\system32\drivers\wzsn.sys [ ]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2006-05-08 347648]
S3 xAntiArp;xAntiArpSpoof Service;C:\WINDOWS\system32\DRIVERS\xAntiArp.sys [ ]
S4 I804tirsupce;I804tirsupce;C:\WINDOWS\system32\drivers\usbcamd2.sys [2001-08-23 23936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d51f60-89b7-11dd-bd94-001b111af1c9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7f831d2-05e7-11dd-bbd9-001b111af1c9}]
\Shell\AutoRun\command - G:\DataTraveler101R.exe
.
‘计划任务’ 文件夹 里的内容

2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NodLogin - C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe


.
------- 而外的扫描 -------
.
FireFox -: Profile - C:\Documents and Settings\SONIC\Application Data\Mozilla\Firefox\Profiles\csct5f56.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 02:22:57
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
------------------------ 其他运行进程 ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
完成时间: 2008-10-24 2:30:18 - 电脑已重新启动 [SONIC]
ComboFix-quarantined-files.txt 2008-10-24 10:30:07
ComboFix2.txt 2008-10-17 10:10:19
ComboFix3.txt 2008-10-14 22:00:31
ComboFix4.txt 2008-08-16 04:07:25
ComboFix5.txt 2008-10-24 09:58:17

Pre-Run: 490,160,128 bytes free
Post-Run: 545,378,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

173 --- E O F --- 2008-09-04 07:21:03
__________________________________________________________________________________________________________
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 24th, 2008, 3:40 am

Hi,

why suspected I am edit the log?
I'm not 'suspecting', just asking.

Have you patched the tcpip.sys file on this machine for P2P purposes?

And installed Malware bytes , do detect a few by malware bytes
Please post the MBAM log. Open MBAM, select the Logs tab, highlight the most recent log and press Open. Please copy/paste this into your next response.

Yes. Has been posted for analysis, so who will reply me the results which has been sent for analysis.
I will give you the results, but for some reason the uploads weren't successful. We'll try again in this post.

------------------------------------------------------------------------

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

"nodenable" appears to be some sort of NOD32 crack. Please uninstall NOD32 and the crack from your machine and install one of the free antivirus programs I linked to earlier.

BitComet needs to be removed as site policy is to require users to remove all P2P programs as part of cleaning.

You have a program called Messenger Plus! Live installed. When installing it offers a choice either to Install the sponsor program or I refuse to give my support, don't install the sponsor. The sponsor program is malware so if you installed it or are unsure we must remove it. Even if you didn't install the sponsor program I recommend you remove this program anyway as the developer is spreading malware for profit - read more information about this here.
You can remove Messenger Plus! Live via Add/Remove Programs

------------------------------------------------------------------------

Please download Suspicious File Packer to your Desktop.
  • Right-click sfp.zip, choose Extract All... and extract sfp.exe to your Desktop
  • Double-click sfp.exe to start the program
  • Copy and Paste the following file list into the text box of the program:
    C:\cfsvsc.exe
    C:\winupdate.202622.exe
    C:\client_dll.1652.0.exe
    C:\WINDOWS\system32\drivers\TCPIP.SYS
  • Now press the Continue button
  • A file called requested-files[YYYY-MM-DD_MM_ss].cab will appear on your Desktop.
  • Now open this page in your browser
  • Press Browse and browse to the requested-files[YYYY-MM-DD_MM_ss].cab file on your Desktop, fill in the other fields as appropriate then press Send File

------------------------------------------------------------------------

Download Dr.Web CureIt to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click launch.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and make these changes:
    • Next to Infected objects select Report
    • Next to Incurable objects select Report
    • Next to Infected containers select Report
  • At the bottom-left, UN-CHECK Prompt on action, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Then select Complete scan and press the green arrow to start the scan
  • When the scan is complete, click File-> Save report list, save the report to your desktop and close Dr Web CureIt

------------------------------------------------------------------------

Once complete, please post the MBAM report, the CureIt log and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 26th, 2008, 12:11 am

Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.1.2600 Service Pack 2

10/26/2008 12:02:42 AM
mbam-log-2008-10-26 (00-02-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 112678
Time elapsed: 1 hour(s), 15 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\SONIC\My Documents\Crack\Keygen.exe (Trojan.Horst) -> Quarantined and deleted successfully.
C:\Documents and Settings\SONIC\My Documents\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\Crack\Keygen.exe (Trojan.Horst) -> Quarantined and deleted successfully.
C:\winupdate.202622.exe (Trojan.Agent) -> Quarantined and deleted successfully.
_________________________________________________________________________________________________________
When I know what is the problem? I open Hijackthis click Do a system scan and save as log file , the log doesn't show extra protocol, for the second time i click on "scan" button, the second log display extra protocol 018 line =(.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:21 AM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0722906597
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 8934 bytes
_________________________________________________________________________________________________________
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 26th, 2008, 12:52 am

Hi,

It looks like there is no AV again, please download and install a free antivirus program:
Antivir: http://www.free-av.com/
Avast!: http://www.avast.com/eng/download-avast-home.html

Please ensure you have one antivirus program installed before continuing

------------------------------------------------------------------------

Have you patched the tcpip.sys file on this machine for P2P purposes?

Please answer this for me.

------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
Restrictions have been placed on Internet Explorer control panel options, possibly by protection software. If you did not set these yourself, or you wish to remove them, then please check this line also:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Please download OTMoveIt3 by OldTimer to your Desktop (right-click the link, select Save Target As…, select your Desktop and press Save)
  • Double-click OTMoveIt3.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    Code: Select all
    :Files
    C:\Documents and Settings\SONIC\My Documents\Crack
    C:\Documents and Settings\SONIC\My Documents\EvID4226Patch223d-en
    C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended
    C:\Program Files\eset
    C:\client_dll.1652.0.exe
    C:\cfsvsc.exe
    C:\Program Files\Messenger Plus! Live
    C:\QooBox
    C:\ComboFix
    C:\WINDOWS\system32\CF16162.exe
    C:\Program Files\Applications
    :Services
    ag0vw9sz
    catchme
    xAntiArp
    fyhsvzsl
    ppwfk
  • Return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTMoveIt3
------------------------------------------------------------------------

It doesn't appear that you have run a Dr Web scan, please do so as follows:

Download Dr.Web CureIt to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click launch.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and make these changes:
    • Next to Infected objects select Report
    • Next to Incurable objects select Report
    • Next to Infected containers select Report
  • At the bottom-left, UN-CHECK Prompt on action, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Then select Complete scan and press the green arrow to start the scan
  • When the scan is complete, click File-> Save report list, save the report to your desktop and close Dr Web CureIt

------------------------------------------------------------------------

Once complete, please post the OTMoveIt3 report, the Dr Web CureIt log, and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 26th, 2008, 1:22 am

Yes, is totaly no AV,the previous av has been uninstalled, due to my hard disk don't have enough space.
I Had run Dr web cure it 12 hours, i scanned half ways for the 1st time, due to lag of ram, than it hangs, so far doesn't found any virus while using drweb scanned, seems i can't copy and paste the log file , due to it's too long the line.

I path tcp/ip for increase the webpages dispaly speed, due to our internet is slow in the hostel, i'm not patching tcp/ip for p2p purpose.
========== FILES ==========
File/Folder C:\Documents and Settings\SONIC\My Documents\Crack moved successfully.
C:\Documents and Settings\SONIC\My Documents\EvID4226Patch223d-en moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources\media\img moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources\media\css moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources\media moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources\common\scripts moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources\common\alert moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources\common moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\resources moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\redist moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\BridgeStartMeeting moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeXMPPanelsAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeWinSoftLinguisticsPluginAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeVersionCueClient3All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeTypeSupportAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeStockPhotos1.5All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobePhotoshop10en_US moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobePDFSettingsNAEU moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobePDFL8All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeLinguisticsAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeHelpViewerAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeFontsAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeExtendScriptToolKitAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeDeviceCentralAll\oem\Adobe Device Central CS3 moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeDeviceCentralAll\oem moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeDeviceCentralAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeDefaultLanguageCS3All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeColorPhotoshopAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeColorNA_RecommendedAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeColorJA_ExtraSettingsAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeColorEU_ExtraSettingsAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeColorCommonSetAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeCMapsAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeCameraRaw4.0All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeBridge2All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeAUM5.1All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeAssetServices3All moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads\AdobeALMAnchorServiceAll moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\payloads moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended\Crack moved successfully.
C:\Documents and Settings\SONIC\Desktop\hanhui gave\Adobe Photoshop CS3 Extended moved successfully.
C:\Program Files\ESET moved successfully.
C:\client_dll.1652.0.exe moved successfully.
C:\cfsvsc.exe moved successfully.
File/Folder C:\Program Files\Messenger Plus! Live not found.
C:\QooBox\Quarantine\Registry_backups moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\675873 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS moved successfully.
C:\QooBox\Quarantine\C\Program Files\VirRL2009 moved successfully.
C:\QooBox\Quarantine\C\Program Files\Applications moved successfully.
C:\QooBox\Quarantine\C\Program Files moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Start Menu\Programs\VirusResponse Lab 2009 2.1 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Start Menu\Programs moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Start Menu moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\My Documents\My Videos moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\My Documents\My Pictures moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\My Documents\My Music moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\My Documents moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Local Settings\Application Data\Microsoft\Windows Media\10.0 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Local Settings\Application Data\Microsoft\Windows Media moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Local Settings\Application Data\Microsoft moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Local Settings\Application Data moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Local Settings moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC\Desktop moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\SONIC moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings moved successfully.
C:\QooBox\Quarantine\C moved successfully.
C:\QooBox\Quarantine moved successfully.
C:\QooBox\BackEnv moved successfully.
C:\QooBox moved successfully.
File/Folder C:\ComboFix not found.
File/Folder C:\WINDOWS\system32\CF16162.exe not found.
C:\Program Files\Applications moved successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service ag0vw9sz .
Unable to stop service catchme .
Service xAntiArp stopped successfully.
Service xAntiArp deleted successfully.
Service fyhsvzsl stopped successfully.
Service fyhsvzsl deleted successfully.
Service ppwfk stopped successfully.
Service ppwfk deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10262008_014723
_________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:45 AM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0722906597
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 6424 bytes
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 26th, 2008, 3:22 am

Hi,

With regard to tcpip.sys, I recommend you use the original Microsoft file as patched versions may have unknown security vulnerabilities. This file is normally patched to increase the maximum connection limit, but this doesn't normally come into play with web browsing so you aren't likely to notice a difference.

Is there anything you can delete or archive from your hard drive? It looks like a bit of extra room would be very useful. RAM is also an issue on this machine.

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
Code: Select all
@echo off
sc stop ag0vw9sz >> results.txt 2>>&1
sc delete ag0vw9sz >> results.txt 2>>&1
del %0

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Please give Dr Web another try to complete a scan on your machine, but this time try running it in Safe Mode. Please print/save a copy of the following instructions because we will be using Safe Mode, during which time you won't have access to the internet:

Reboot your computer in Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8
A menu should appear, use the arrow keys to select Safe Mode and press enter

  • Double-click launch.exe to start Dr Web CureIt.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and make these changes:
    • Next to Infected objects select Report
    • Next to Incurable objects select Report
    • Next to Infected containers select Report
  • At the bottom-left, UN-CHECK Prompt on action, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Then select Complete scan and press the green arrow to start the scan
  • When the scan is complete, click File-> Save report list, save the report to your desktop and close Dr Web CureIt

If the report is too long, please attach it to your post, or upload it using this page:
http://www.bleepingcomputer.com/submit- ... channel=32

Fill in the link to topic field with a link to this topic
Press the Browse button, browse to and select the Dr Web CureIt log file, then press Send File, this will upload the file for me.

------------------------------------------------------------------------

Download Gmer to your Desktop from here:
http://www.gmer.net/gmer.zip
  • Unzip the program onto your Desktop (right-click, select Extract All... and follow the prompts)
  • Disconnect from the internet and close all running programs
  • Double click gmer.exe, let the gmer.sys driver load if asked
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say OK
  • If there is no warning, then check that the Rootkit tab is selected and click the Scan button - don't change any settings before you do so
  • Please do not use your computer during the scan
  • Once the scan is complete, click the Copy button
  • Open Notepad (Click Start->Run, type notepad and Enter) and hit Ctrl+V to paste the log and then save the log to your desktop

------------------------------------------------------------------------

Once complete, please post the results.txt output, the Dr Web CureIt report, the Gmer report and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: Help! After remove the Virus 2009 lab

Unread postby yeakyau » October 27th, 2008, 3:42 am

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-27 03:39:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spph.sys ZwCreateKey [0xBAEE00E0]
SSDT F8B758B4 ZwCreateThread
SSDT spph.sys ZwEnumerateKey [0xBAEFECA2]
SSDT spph.sys ZwEnumerateValueKey [0xBAEFF030]
SSDT spph.sys ZwOpenKey [0xBAEE00C0]
SSDT F8B758A0 ZwOpenProcess
SSDT F8B758A5 ZwOpenThread
SSDT spph.sys ZwQueryKey [0xBAEFF108]
SSDT spph.sys ZwQueryValueKey [0xBAEFEF88]
SSDT spph.sys ZwSetValueKey [0xBAEFF19A]
SSDT F8B758AF ZwTerminateProcess
SSDT F8B758AA ZwWriteVirtualMemory

INT 0x35 ? 820ECBF8
INT 0x35 ? 820ECBF8
INT 0x39 ? 82292BF8
INT 0x3E ? 82249BF8
INT 0x3F ? 82249BF8

Code \WINDOWS\system32\ntoskrnl.exe[PAGEVRFY] [80669F25] pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!MmAddVerifierThunks + 8C4 80622A98 3 Bytes [ 96, 39, 4E ]
PAGE ntoskrnl.exe!MmAddVerifierThunks + 8CC 80622AA0 3 Bytes [ C7, B2, 4D ]
PAGE ntoskrnl.exe!MmAddVerifierThunks + 8D4 80622AA8 3 Bytes [ E7, B2, 4D ]
PAGE ntoskrnl.exe!MmAddVerifierThunks + 8DC 80622AB0 3 Bytes [ D4, 35, 4E ]
PAGE ntoskrnl.exe!MmAddVerifierThunks + 8E4 80622AB8 1 Byte [ 50 ]
PAGE ...
? spph.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BAC5F62C 5 Bytes JMP 820EC1D8
.text ag1f5b34.SYS F7E74384 1 Byte [ 20 ]
.text ag1f5b34.SYS F7E74386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ag1f5b34.SYS F7E743AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ag1f5b34.SYS F7E743C4 3 Bytes [ 00, 00, 00 ]
.text ag1f5b34.SYS F7E743C9 1 Byte [ 00 ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[1888] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2232] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 822922D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [BAF11C4C] spph.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [BAF11CA0] spph.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BAEE1040] spph.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BAEE113C] spph.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BAEE10BE] spph.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BAEE17FC] spph.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BAEE16D2] spph.sys
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] [8066C60D] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IofCallDriver] [80669F25] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] [8066A090] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] [8066C4A5] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!MmUnmapLockedPages] [8066AADC] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!MmMapIoSpace] [8066C39E] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!MmUnmapIoSpace] [8066AB31] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoGetDmaAdapter] [8066F182] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!MmProbeAndLockPages] [8066C227] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!MmUnlockPages] [8066AA7F] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KeSetEvent] [8066AF4B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KeInitializeMutex] [8066B4BA] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!ExFreePoolWithTag] [8066AF1B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IofCompleteRequest] [8066A62F] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KeInitializeSpinLock] [8066B55B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] [8066B0EB] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] [8066B13E] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KeSynchronizeExecution] [8066C1CD] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoInitializeTimer] [8066A10B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KeWaitForSingleObject] [8066B400] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!KeReleaseMutex] [8066B491] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] [8066B587] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[HAL.dll!KeQueryPerformanceCounter] [8066D32B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[HAL.dll!KfReleaseSpinLock] [8066BFEB] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[HAL.dll!KfAcquireSpinLock] [8066BF73] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[HAL.dll!KfRaiseIrql] [8066C06F] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[HAL.dll!KfLowerIrql] [8066C10F] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 820EC2D8
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlInitUnicodeString] 9252D2DB
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!swprintf] [804FC5C0] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeSetEvent] 8E44C8C9
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoCreateSymbolicLink] A475EBF6
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoGetConfigurationInformation] AA7EE6FF
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] B863F1E4
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmFreeMappingAddress] B668FCED
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 0CB1670A
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 02BA6A03
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmUnmapIoSpace] 10A77D18
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 1EAC7011
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IofCompleteRequest] 349D532E
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 3A965E27
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IofCallDriver] 288B493C
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 26804435
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 7CE90F42
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoConnectInterrupt] 72E2024B
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoDetachDevice] 60FF1550
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeWaitForSingleObject] 6EF41859
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeInitializeEvent] 44C53B66
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 4ACE366F
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlInitAnsiString] 58D32174
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 56D82C7D
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoQueueWorkItem] 377A0CA1
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmMapIoSpace] 397101A8
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2B6C16B3
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoReportDetectedDevice] 25671BBA
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0F563885
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 015D358C
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!NlsMbCodePageTag] 13402297
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!PoRequestPowerIrp] 1D4B2F9E
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 472264E9
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 492969E0
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!sprintf] 5B347EFB
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 553F73F2
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ObfDereferenceObject] 7F0E50CD
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 71055DC4
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 63184ADF
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ZwClose] 6D1347D6
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] D7CADC31
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] D9C1D138
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CBDCC623
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C5D7CB2A
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!PoCallDriver] EFE6E815
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoCreateDevice] E1EDE51C
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] F3F0F207
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlQueryRegistryValues] FDFBFF0E
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ZwOpenKey] A792B479
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlFreeUnicodeString] A999B970
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoStartTimer] BB84AE6B
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeInitializeTimer] B58FA362
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoInitializeTimer] 9FBE805D
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeInitializeDpc] 91B58D54
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeInitializeSpinLock] 83A89A4F
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoInitializeIrp] 8DA39746
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ZwCreateKey] 00000063
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 0000007C
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000077
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ZwSetValueKey] 0000007B
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000F2
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 0000006B
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoStartPacket] 0000006F
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000C5
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 00000030
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoFreeMdl] 00000001
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmUnlockPages] 00000067
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 0000002B
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000FE
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 000000D7
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000AB
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000076
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoStartNextPacket] 000000CA
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeBugCheckEx] 00000082
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 000000C9
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeSetTimer] 0000007D
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeCancelTimer] 000000FA
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!_allmul] 00000059
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000047
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!_except_handler3] 000000F0
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!PoSetPowerState] 000000AD
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000D4
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000A2
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!_aulldiv] 000000AF
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!strstr] 0000009C
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!_strupr] 000000A4
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeQuerySystemTime] 00000072
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000C0
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!KeTickCount] 000000B7
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 000000FD
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoDeleteDevice] 00000093
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 00000026
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000036
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoAllocateIrp] 0000003F
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoAllocateMdl] 000000F7
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000CC
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00000034
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000A5
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000E5
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F1
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoFreeIrp] 00000071
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000D8
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!InitSafeBootMode] 00000031
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlCompareMemory] 00000015
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 00000004
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!memmove] 000000C7
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000023
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\ag1f5b34.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BAEF1048] spph.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 822481F8
Device \Driver\usbuhci \Device\USBPDO-0 820EA1F8
Device \Driver\usbuhci \Device\USBPDO-1 820EA1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 822901F8
Device \Driver\dmio \Device\DmControl\DmConfig 822901F8
Device \Driver\dmio \Device\DmControl\DmPnP 822901F8
Device \Driver\dmio \Device\DmControl\DmInfo 822901F8
Device \Driver\PCI_PNP2560 \Device\00000049 spph.sys
Device \Driver\PCI_PNP2560 \Device\00000049 spph.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8224A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8224A1F8
Device \Driver\Cdrom \Device\CdRom0 820EE1F8
Device \Driver\Cdrom \Device\CdRom1 820EE1F8
Device \Driver\atapi \Device\Ide\IdePort0 822491F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 822491F8
Device \Driver\atapi \Device\Ide\IdePort1 822491F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 822491F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 81F161F8
Device \Driver\NetBT \Device\NetbiosSmb 81F161F8
Device \Driver\usbuhci \Device\USBFDO-0 820EA1F8
Device \Driver\usbuhci \Device\USBFDO-1 820EA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81EF51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81EF51F8
Device \Driver\Ftdisk \Device\FtControl 8224A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FB3B526E-A3F4-4023-B9FF-7CCFB2ACC15F} 81F161F8
Device \Driver\ag1f5b34 \Device\Scsi\ag1f5b341 820B1500
Device \Driver\ag1f5b34 \Device\Scsi\ag1f5b341Port2Path0Target0Lun0 820B1500
Device \Driver\sptd \Device\1718273856 spph.sys
Device \FileSystem\Cdfs \Cdfs 8202B1F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAD 0xBB 0xE2 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x06 0xE1 0xFB 0x84 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x68 0xAC 0x23 0xAF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAD 0xBB 0xE2 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x06 0xE1 0xFB 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x68 0xAC 0x23 0xAF ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 59
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- EOF - GMER 1.0.14 ----
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


---------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:36 AM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0722906597
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 9298 bytes
---------------------------------------------------------------------------------------------------------------------------------------------------

My computer was freezing during dr web cure it scan.
I had a previous log for web cure it but, it's too big the log cannot post in bleeping computer, sorry for inconvenient.
yeakyau
Regular Member
 
Posts: 149
Joined: July 4th, 2006, 6:02 am
Location: Penang

Re: Help! After remove the Virus 2009 lab

Unread postby silver » October 27th, 2008, 4:26 am

Hi,

Sorry to hear you are having more trouble with Dr Web, did the latest run detect anything?

I need to get an online scan, so please try Eset:

Open the ESET Online Scanner in Internet Explorer
  • Tick the box next to YES, I accept the Terms of Use. and click Start
  • Allow the ActiveX control to be installed by Internet Explorer
  • Once the ActiveX has finished loading click Start to initialize and update the scanner
  • When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.
  • Once complete and the summary page appears, press Start->Run, copy/paste the following command into the box and press OK:
    notepad "C:\Program Files\EsetOnlineScanner\log.txt"
  • The log file should now appear in Notepad, copy and paste the contents in your next response.

Once complete, please post the Eset report and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 416 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware