
[Resolved] Virus infected! Help with this HijackThis log


  • This topic is locked
11 replies to this topic

#1 zelgheimer


Posted 14 April 2008 - 09:00 PM

Windows XP is infected with an unknown virus, lots of automatic ad pop-ups. Spybot, Ad-Aware 07 and McAfee failed to kill it. It seems safe mode is damaged too.
Here is the Hijackthis log, please HELP! Thanks!
------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:22 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Common Files\VideoMate\ComproScheduler.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\shengsheng\Desktop\hijackThis\HiJackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: TweakYC.lnk = ?
O4 - Global Startup: ComproScheduler.lnk = ?
O4 - Global Startup: ComproRemote.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6755 bytes



#2 jpshortstuff


Posted 17 April 2008 - 01:36 PM

Hi, and Welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.


#3 jpshortstuff


Posted 17 April 2008 - 02:34 PM

Hi

We need to temporarily disable your real time scanners as they may interfere with the tools we are going to run.

Disable McAfee Anti-Virus
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • Right-click it -> choose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log.

Notes:
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  • ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
Thanks.


#4 zelgheimer


Posted 17 April 2008 - 06:58 PM

Hi jpshortstuff,

Thanks a lot for your help.

All your instructions work well, except for disabling McAfee: when I right-click the McAfee icon in the system tray, there is no "Exit" I can choose, so I opened the McAfee Security Center and manually turned almost every "On" to "OFF".

I put all three logs below. Please let me know if there is anything I need to do next.
Thank you again.


1. ComboFix log:
********************************************************************************
ComboFix 08-04-16.5 - shengsheng 2008-04-17 20:29:05.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.422 [GMT -4:00]
Running from: C:\Documents and Settings\shengsheng\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\aconti.exe
C:\WINDOWS\BM51d57a5e.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\hotporn.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\drivers\dmioo.sys
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\users32.da_
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\x3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMIOO
-------\Service_dmioo


((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-14 21:13 . 2008-04-14 21:13 <DIR> d-------- C:\Microsoft
2008-04-13 01:34 . 2008-04-13 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 18:23 . 2008-04-15 08:23 355 --a------ C:\WINDOWS\wininit.ini
2008-04-12 12:13 . 2004-08-10 20:00 4,224 --a------ C:\WINDOWS\system32\drivers\Copy of beep_bak_sz.sys
2008-04-12 11:35 . 2008-04-17 20:35 5,056 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-12 11:24 . 2008-04-12 11:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-12 11:20 . 2008-04-12 11:20 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-12 11:20 . 2008-04-12 11:20 <DIR> d-------- C:\Documents and Settings\shengsheng\Application Data\SiteAdvisor
2008-04-12 11:19 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-12 11:19 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-12 11:19 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-12 11:19 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-12 11:19 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-12 11:17 . 2008-04-12 11:17 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-12 11:11 . 2008-04-12 11:11 <DIR> d-------- C:\Documents and Settings\Min\Application Data\SiteAdvisor
2008-04-12 10:16 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-12 10:13 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-12 10:11 . 2008-04-12 10:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-11 21:45 . 2008-04-11 21:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-10 15:06 . 2008-04-10 15:06 <DIR> d-------- C:\Program Files\Real
2008-04-10 15:06 . 2008-04-10 15:06 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-10 15:05 . 2008-04-10 15:06 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-10 15:04 . 2008-04-10 15:04 <DIR> d-------- C:\Program Files\Google
2008-04-09 03:02 . 2008-04-09 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-03 20:16 . 2008-04-03 20:16 <DIR> d-------- C:\Program Files\NRJ
2008-03-25 23:15 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-25 23:15 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-25 23:15 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-25 23:15 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-25 23:15 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-25 23:15 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-25 23:15 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-25 23:15 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-25 23:15 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-25 22:27 . 2008-03-26 21:57 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-03-25 20:54 . 2008-03-25 20:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-25 20:39 . 2008-03-25 20:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 19:52 . 2008-03-25 19:52 19,844 --a------ C:\Program Files\Common Files\inytine.reg
2008-03-25 19:52 . 2008-03-25 19:52 17,995 --a------ C:\Program Files\Common Files\vucegif.reg
2008-03-25 19:52 . 2008-03-25 19:52 17,814 --a------ C:\Program Files\Common Files\fodydik.bin
2008-03-25 19:52 . 2008-03-25 19:52 16,305 --a------ C:\Documents and Settings\Min\Application Data\buquzipo.sys
2008-03-25 19:52 . 2008-03-25 19:52 15,376 --a------ C:\Documents and Settings\Min\Application Data\rucog.dat
2008-03-25 19:52 . 2008-03-25 19:52 15,012 --a------ C:\Program Files\Common Files\amop.reg
2008-03-25 19:04 . 2008-03-25 19:05 <DIR> d-------- C:\Documents and Settings\Min\Application Data\Lavasoft
2008-03-24 19:50 . 2008-03-25 07:26 1,578,159 ---hs---- C:\WINDOWS\system32\dxjpsmdl.ini
2008-03-23 19:15 . 2008-03-24 19:47 1,543,366 ---hs---- C:\WINDOWS\system32\ioofkrci.ini
2008-03-23 18:26 . 2008-03-23 18:26 <DIR> d--hs---- C:\FOUND.009
2008-03-22 19:25 . 2008-03-23 08:47 1,543,462 ---hs---- C:\WINDOWS\system32\yjbtwevy.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 12:29 25,773 ----a-w C:\WINDOWS\system32\drivers\regguard.sys
2008-03-25 23:52 16,747 ----a-w C:\Program Files\Common Files\vire.db
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-03 05:02 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-03 05:02 --------- d-----w C:\Documents and Settings\Vivian\Application Data\SUPERAntiSpyware.com
2008-03-03 00:00 0 ----a-w C:\Documents and Settings\shengsheng\dhtnodes.dat
2008-03-02 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-18 02:33 --------- d-----w C:\Program Files\Sensky Active Messenger
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
.

------- Sigcheck -------

2007-10-30 12:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-12-08 20:03 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 15,360 2004-08-11 00:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-11 00:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 59,392 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w 59,392 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

----a-w 455,168 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

----a-w 208,952 2004-08-11 00:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-11 00:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

----a-w 64,512 2005-08-05 17:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 17:56:34 C:\WINDOWS\ehome\ehtray.exe

----a-w 90,112 2004-08-27 23:22:38 C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe

----a-w 45,056 2006-01-02 21:41:22 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe

----a-w 53,248 2006-04-15 02:35:14 C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Realtek\InstallShield\azmixersel.exe

----a-r 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager.exe

----a-w 45,056 2005-05-11 21:15:08 C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\bak\ntiMUI.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntimui.exe

----a-w 761,946 2006-03-03 17:07:38 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 602,112 2006-06-23 10:59:02 C:\Program Files\Launch Manager\bak\LManager.exe

----a-w 21,464 2006-12-12 18:45:50 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Zune\zunelauncher.exe

----a-w 1,200,128 2005-11-15 23:44:14 C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

----a-w 31,016 2006-10-27 04:47:42 C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Microsoft Office\Office12\groovemonitor.exe

----a-w 204,800 2006-03-31 20:39:28 C:\Acer\Empowering Technology\ePresentation\bak\ePresentation.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Acer\Empowering Technology\ePresentation\epresentation.exe

----a-w 421,888 2006-05-30 16:11:56 C:\Acer\Empowering Technology\ePower\bak\ePower_DMC.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Acer\Empowering Technology\ePower\epower_dmc.exe

----a-w 579,584 2006-03-16 02:12:24 C:\Acer\Empowering Technology\ePower\bak\Boot.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Acer\Empowering Technology\ePower\boot.exe

----a-w 413,696 2006-06-01 18:40:54 C:\Acer\Empowering Technology\eRecovery\bak\eRAgent.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-11 19:52 120320]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-11 19:52 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 23:27 16207872 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [ ]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-11 19:52 185896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 11:37:58 45056]
TweakYC.lnk - C:\Program Files\VideoMate\ComproPVR 2\TweakYC.exe [2006-11-28 22:31:54 512000]
ComproScheduler.lnk - C:\Program Files\Common Files\VideoMate\ComproScheduler.exe [2006-11-28 22:32:00 65536]
ComproRemote.lnk - C:\Program Files\Common Files\VideoMate\ComproRemote.exe [2006-11-28 22:32:00 139264]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\CTerm\\CTerm.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S3 GT680xNT;Visioneer OneTouch 7300 Driver;C:\WINDOWS\system32\drivers\gt680x.sys [2003-08-29 13:12]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-31 08:29]
S3 TridVid;VideoMate U880/U900;C:\WINDOWS\system32\DRIVERS\VMTiny.sys [2005-06-13 15:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 15:18:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-04-15 05:00:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 20:36:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\PROGRA~1\Google\GOOGLE~2\GOOGLE~2.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\ACER\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
C:\WINDOWS\EHOME\EHRECVR.EXE
C:\WINDOWS\EHOME\EHSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\HACKERWATCH\HWAPI.EXE
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCODS.EXE
C:\PROGRAM FILES\MCAFEE\MSC\MCPROMGR.EXE
C:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\EHOME\MCRDSVC.EXE
C:\WINDOWS\SYSTEM32\DLLHOST.EXE
C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\EHOME\EHMSAS.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRAM FILES\MCAFEE\MSC\MCUIMGR.EXE
.
**************************************************************************
.
Completion time: 2008-04-17 20:38:32 - machine was rebooted
ComboFix2.txt 2007-08-04 16:15:52
ComboFix-quarantined-files.txt 2008-04-18 00:38:26

Pre-Run: 23,776,985,088 bytes free
Post-Run: 24,413,241,344 bytes free
.
2008-04-12 14:20:16 --- E O F ---

********************************************************************************
2. HijackThis log:
********************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:28 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Common Files\VideoMate\ComproScheduler.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\shengsheng\Desktop\hijackThis\HiJackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: TweakYC.lnk = ?
O4 - Global Startup: ComproScheduler.lnk = ?
O4 - Global Startup: ComproRemote.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 7069 bytes


**************************************************************************************
3. uninstall_list log:
**************************************************************************************
Acer Empowering Technology
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer OrbiCam
Acer Screensaver
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Cherry Hill CD v. 1.1
ComproDVD 2
ComproPVR 2
CutePDF Writer 2.7
GemMaster Mystic
Google Desktop Search
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Grabber2k v0.99e
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Launch Manager
McAfee SecurityCenter
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN
MSXML 6.0 Parser (KB933579)
Netflix Movie Viewer
NTI Backup NOW! 4
NTI CD & DVD-Maker
Otto
PowerDVD
PowerProducer
PPLive 1.9
RealPlayer
Realtek High Definition Audio Driver
sdunload
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
SmartSoft Video Converter
SMSC IrCC V5.1.3600.7
Soft Data Fax Modem with SmartCP
Sonic Encoders
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Ulead Disc-Direct SDK
Ulead Photo Explorer 8.5 SE
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb949037)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoMate U880/U900 Driver
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
Zune

#5 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 18 April 2008 - 06:01 PM

Hi

There are a few programs that have components that have been infected. For this reason, I strongly recommend that you uninstall these programs now, so that we can rid your machine of the infected files. You can then re-install the programs once we have cleaned your machine.

Please click Start >> Control Panel >> Add or Remove Programs.
Find each of the below items on the list and click remove on each one.
Google Desktop Search
Google Toolbar for Internet Explorer
RealPlayer



Please disable McAfee as you did before.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\Common Files\inytine.reg
C:\Program Files\Common Files\vucegif.reg
C:\Program Files\Common Files\fodydik.bin
C:\Documents and Settings\Min\Application Data\buquzipo.sys
C:\Documents and Settings\Min\Application Data\rucog.dat
C:\Program Files\Common Files\amop.reg
C:\WINDOWS\system32\dxjpsmdl.ini
C:\WINDOWS\system32\ioofkrci.ini
C:\WINDOWS\system32\yjbtwevy.ini
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

FileLook::
eLock2BurnerLockDriver.sys
eLock2FSCTLDriver.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTraySD"=-
"SDAutoLiveupdate"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

FindAWF

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Copy and paste the contents of the AWF.txt file in your next reply.

We need to upload a file to Jotti

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\drivers\beep.sys

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Thanks.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image
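An added example, not part of the original post and not FindAWF's or ComboFix's own code: a Python triage of an AWF-style listing that pairs each `bak\` copy with the file one folder up and flags the ones whose size or timestamp no longer match. The sample lines are constructed in the layout ComboFix uses for its AWF section; the paths and the category names are assumptions.

```python
import ntpath
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "size stamp path")

# One listing line: attributes, size with thousands separators, date + time, path.
LINE_RE = re.compile(
    r"^[-a-z]{7}\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$"
)

# Constructed sample input (hypothetical paths), same layout as the AWF section.
SAMPLE = r"""
----a-w 15,360 2004-08-11 00:00:00 C:\WINDOWS\system32\bak\example1.exe
----a-w 15,360 2004-08-11 00:00:00 C:\WINDOWS\system32\example1.exe

----a-w 53,248 2006-04-15 02:35:14 C:\Program Files\ExampleApp\bak\Mixer.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\ExampleApp\mixer.exe

----a-w 21,464 2006-12-12 18:45:50 C:\Program Files\OtherApp\bak\Launcher.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\OtherApp\launcher.exe

----a-w 602,112 2006-06-23 10:59:02 C:\Program Files\ThirdApp\bak\Manager.exe
"""


def parse_awf(text):
    """Return an Entry for every line that matches the listing layout."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size = int(m.group("size").replace(",", ""))
            entries.append(Entry(size, m.group("stamp"), m.group("path")))
    return entries


def classify(entries):
    """Pair bak\\ copies with the file one level up and sort them into buckets."""
    backups, live = {}, {}
    for e in entries:
        folder, name = ntpath.split(e.path)
        if ntpath.basename(folder).lower() == "bak":
            # The file a backup belongs to sits in the parent of bak\.
            # Windows paths are case-insensitive, so compare lowercased.
            key = ntpath.join(ntpath.dirname(folder), name).lower()
            backups[key] = e
        else:
            live[e.path.lower()] = e

    report = {"replaced": [], "identical": [], "backup_only": []}
    by_fingerprint = defaultdict(list)
    for key, bak in backups.items():
        cur = live.get(key)
        if cur is None:
            # Only the backup is listed; nothing with that name one folder up.
            report["backup_only"].append(bak.path)
        elif (cur.size, cur.stamp) == (bak.size, bak.stamp):
            # Same size and timestamp: a heuristic match, not a hash comparison.
            report["identical"].append(cur.path)
        else:
            report["replaced"].append(cur.path)
            by_fingerprint[(cur.size, cur.stamp)].append(cur.path)

    # Several replaced files sharing one size and timestamp suggests that the
    # same binary was written over each of them.
    report["shared_stub"] = {
        fp: paths for fp, paths in by_fingerprint.items() if len(paths) > 1
    }
    return report


if __name__ == "__main__":
    result = classify(parse_awf(SAMPLE))
    for bucket in ("replaced", "identical", "backup_only"):
        print(bucket)
        for path in result[bucket]:
            print("   ", path)
    for (size, stamp), paths in result["shared_stub"].items():
        print(f"{len(paths)} replaced files share size {size} and timestamp {stamp}")
```

Size and timestamp are only a first-pass comparison; hashing both copies is the stronger check before restoring anything from a `bak\` folder.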

#6 zelgheimer

zelgheimer

    New Member

  • New Member
  • 5 posts

Posted 18 April 2008 - 08:13 PM

Hi jpshortstuff,

Thanks a lot for your help.
Here are all the logs; please let me know if there is anything else I need to do.

**********************
1. Combofix.txt
**********************

ComboFix 08-04-16.5 - shengsheng 2008-04-18 21:40:35.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.514 [GMT -4:00]
Running from: C:\Documents and Settings\shengsheng\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\shengsheng\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Min\Application Data\buquzipo.sys
C:\Documents and Settings\Min\Application Data\rucog.dat
C:\Program Files\Common Files\amop.reg
C:\Program Files\Common Files\fodydik.bin
C:\Program Files\Common Files\inytine.reg
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\vucegif.reg
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dxjpsmdl.ini
C:\WINDOWS\system32\ioofkrci.ini
C:\WINDOWS\system32\yjbtwevy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Min\Application Data\buquzipo.sys
C:\Documents and Settings\Min\Application Data\rucog.dat
C:\Documents and Settings\Min\Local Settings\Temporary Internet Files\ajaqyhoh.db
C:\Documents and Settings\Min\Local Settings\Temporary Internet Files\ezoru.dll
C:\Program Files\Common Files\amop.reg
C:\Program Files\Common Files\fodydik.bin
C:\Program Files\Common Files\inytine.reg
C:\Program Files\Common Files\vucegif.reg
C:\WINDOWS\system32\dxjpsmdl.ini
C:\WINDOWS\system32\ioofkrci.ini
C:\WINDOWS\system32\yjbtwevy.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-14 21:13 . 2008-04-14 21:13 <DIR> d-------- C:\Microsoft
2008-04-13 01:34 . 2008-04-13 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 18:23 . 2008-04-15 08:23 355 --a------ C:\WINDOWS\wininit.ini
2008-04-12 12:13 . 2004-08-10 20:00 4,224 --a------ C:\WINDOWS\system32\drivers\Copy of beep_bak_sz.sys
2008-04-12 11:35 . 2008-04-18 21:37 5,422 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-12 11:24 . 2008-04-12 11:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-12 11:20 . 2008-04-12 11:20 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-12 11:20 . 2008-04-12 11:20 <DIR> d-------- C:\Documents and Settings\shengsheng\Application Data\SiteAdvisor
2008-04-12 11:19 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-12 11:19 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-12 11:19 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-12 11:19 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-12 11:19 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-12 11:17 . 2008-04-12 11:17 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-12 11:11 . 2008-04-12 11:11 <DIR> d-------- C:\Documents and Settings\Min\Application Data\SiteAdvisor
2008-04-12 10:16 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-12 10:13 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-12 10:11 . 2008-04-12 10:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-11 21:45 . 2008-04-11 21:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-10 15:05 . 2008-04-10 15:06 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-10 15:04 . 2008-04-10 15:04 <DIR> d-------- C:\Program Files\Google
2008-04-09 03:02 . 2008-04-09 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-03 20:16 . 2008-04-03 20:16 <DIR> d-------- C:\Program Files\NRJ
2008-03-25 23:15 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-25 23:15 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-25 23:15 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-25 23:15 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-25 23:15 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-25 23:15 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-25 23:15 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-25 23:15 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-25 23:15 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-25 22:27 . 2008-03-26 21:57 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-03-25 20:54 . 2008-03-25 20:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-25 20:39 . 2008-03-25 20:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 19:04 . 2008-03-25 19:05 <DIR> d-------- C:\Documents and Settings\Min\Application Data\Lavasoft
2008-03-23 18:26 . 2008-03-23 18:26 <DIR> d--hs---- C:\FOUND.009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 12:29 25,773 ----a-w C:\WINDOWS\system32\drivers\regguard.sys
2008-03-25 23:52 16,747 ----a-w C:\Program Files\Common Files\vire.db
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-03 05:02 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-03 05:02 --------- d-----w C:\Documents and Settings\Vivian\Application Data\SUPERAntiSpyware.com
2008-03-03 00:00 0 ----a-w C:\Documents and Settings\shengsheng\dhtnodes.dat
2008-03-02 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

------- Sigcheck -------

2007-10-30 12:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-12-08 20:03 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-17_20.37.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 00:35:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 14:17:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 14:17:24 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_3b4.dat
+ 2008-04-18 16:26:08 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_8a0.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 15,360 2004-08-11 00:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-11 00:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 59,392 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w 59,392 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

----a-w 455,168 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-11 00:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

----a-w 208,952 2004-08-11 00:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-11 00:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

----a-w 64,512 2005-08-05 17:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 17:56:34 C:\WINDOWS\ehome\ehtray.exe

----a-w 90,112 2004-08-27 23:22:38 C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe

----a-w 45,056 2006-01-02 21:41:22 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe

----a-w 53,248 2006-04-15 02:35:14 C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Realtek\InstallShield\azmixersel.exe

----a-r 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager.exe

----a-w 45,056 2005-05-11 21:15:08 C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\bak\ntiMUI.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntimui.exe

----a-w 761,946 2006-03-03 17:07:38 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 602,112 2006-06-23 10:59:02 C:\Program Files\Launch Manager\bak\LManager.exe

----a-w 21,464 2006-12-12 18:45:50 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Zune\zunelauncher.exe

----a-w 1,200,128 2005-11-15 23:44:14 C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

----a-w 31,016 2006-10-27 04:47:42 C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Program Files\Microsoft Office\Office12\groovemonitor.exe

----a-w 204,800 2006-03-31 20:39:28 C:\Acer\Empowering Technology\ePresentation\bak\ePresentation.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Acer\Empowering Technology\ePresentation\epresentation.exe

----a-w 421,888 2006-05-30 16:11:56 C:\Acer\Empowering Technology\ePower\bak\ePower_DMC.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Acer\Empowering Technology\ePower\epower_dmc.exe

----a-w 579,584 2006-03-16 02:12:24 C:\Acer\Empowering Technology\ePower\bak\Boot.exe
----a-w 14,348 2008-04-04 02:21:34 C:\Acer\Empowering Technology\ePower\boot.exe

----a-w 413,696 2006-06-01 18:40:54 C:\Acer\Empowering Technology\eRecovery\bak\eRAgent.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 23:27 16207872 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 11:37:58 45056]
TweakYC.lnk - C:\Program Files\VideoMate\ComproPVR 2\TweakYC.exe [2006-11-28 22:31:54 512000]
ComproScheduler.lnk - C:\Program Files\Common Files\VideoMate\ComproScheduler.exe [2006-11-28 22:32:00 65536]
ComproRemote.lnk - C:\Program Files\Common Files\VideoMate\ComproRemote.exe [2006-11-28 22:32:00 139264]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\CTerm\\CTerm.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S3 GT680xNT;Visioneer OneTouch 7300 Driver;C:\WINDOWS\system32\drivers\gt680x.sys [2003-08-29 13:12]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-31 08:29]
S3 TridVid;VideoMate U880/U900;C:\WINDOWS\system32\DRIVERS\VMTiny.sys [2005-06-13 15:58]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 15:18:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-04-15 05:00:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 21:42:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-04-18 21:43:42
ComboFix3.txt 2007-08-04 16:15:52
ComboFix-quarantined-files.txt 2008-04-19 01:43:38
ComboFix2.txt 2008-04-18 00:38:34

Pre-Run: 28,146,860,032 bytes free
Post-Run: 28,173,533,184 bytes free
.
2008-04-12 14:20:16 --- E O F ---



*************************
2. hijackThis.log
*************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:26 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Common Files\VideoMate\ComproScheduler.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\shengsheng\Desktop\hijackThis\HiJackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: TweakYC.lnk = ?
O4 - Global Startup: ComproScheduler.lnk = ?
O4 - Global Startup: ComproRemote.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 5881 bytes

*******************
3. AWF.txt
*******************

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 04/18/2008
The current time is: 21:52:39.51


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 08:00 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 01:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LAUNCH~1\BAK

06/23/2006 06:59 AM 602,112 LManager.exe
1 File(s) 602,112 bytes

Directory of C:\PROGRA~1\ZUNE\BAK

12/12/2006 02:45 PM 21,464 ZuneLauncher.exe
1 File(s) 21,464 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

11/15/2005 07:44 PM 1,200,128 wcescomm.exe
1 File(s) 1,200,128 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/10/2004 08:00 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

01/02/2006 05:41 PM 45,056 cli.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\REALTEK\INSTAL~1\BAK

04/14/2006 10:35 PM 53,248 AzMixerSel.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\NEWTEC~1\NTICD&~1\BAK

05/11/2005 05:15 PM 45,056 ntiMUI.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

03/03/2006 01:07 PM 761,946 SynTPEnh.exe
1 File(s) 761,946 bytes

Directory of C:\PROGRA~1\MICROS~3\OFFICE12\BAK

10/27/2006 12:47 AM 31,016 GrooveMonitor.exe
1 File(s) 31,016 bytes

Directory of C:\ACER\EMPOWE~1\EPRESE~1\BAK

03/31/2006 04:39 PM 204,800 ePresentation.exe
1 File(s) 204,800 bytes

Directory of C:\ACER\EMPOWE~1\EPOWER\BAK

03/15/2006 10:12 PM 579,584 Boot.exe
05/30/2006 12:11 PM 421,888 ePower_DMC.exe
2 File(s) 1,001,472 bytes

Directory of C:\ACER\EMPOWE~1\ERECOV~1\BAK

06/01/2006 02:40 PM 413,696 eRAgent.exe
1 File(s) 413,696 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/10/2004 08:00 PM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/10/2004 08:00 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes

Directory of C:\PROGRA~1\COMMON~1\ULEADS~1\AUTODE~1\BAK

08/27/2004 07:22 PM 90,112 monitor.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
602112 Jun 23 2006 "C:\Program Files\Launch Manager\bak\LManager.exe"
14348 Apr 3 2008 "C:\Program Files\Zune\zunelauncher.exe"
21464 Dec 12 2006 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
14348 Apr 3 2008 "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
1200128 Nov 15 2005 "C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
208952 Aug 10 2004 "C:\WINDOWS\ime\imjp8_1\imjpmig.exe"
208952 Aug 10 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
45056 Jan 2 2006 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
14348 Apr 3 2008 "C:\Program Files\Realtek\InstallShield\azmixersel.exe"
53248 Apr 14 2006 "C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe"
14348 Apr 3 2008 "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntimui.exe"
45056 May 11 2005 "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\bak\ntiMUI.exe"
761946 Mar 3 2006 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
761946 Mar 3 2006 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
65824 Oct 27 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
31016 Oct 27 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe"
81920 Jan 26 2006 "C:\Acer\Empowering Technology\ePresentation\ePresentationLauncher.exe"
204800 Mar 31 2006 "C:\Acer\Empowering Technology\ePresentation\bak\ePresentation.exe"
14348 Apr 3 2008 "C:\Acer\Empowering Technology\ePower\epower_dmc.exe"
421888 May 30 2006 "C:\Acer\Empowering Technology\ePower\bak\ePower_DMC.exe"
14348 Apr 3 2008 "C:\Acer\Empowering Technology\ePower\boot.exe"
579584 Mar 15 2006 "C:\Acer\Empowering Technology\ePower\bak\Boot.exe"
413696 Jun 1 2006 "C:\Acer\Empowering Technology\eRecovery\bak\eRAgent.exe"
59392 Aug 10 2004 "C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe"
59392 Aug 10 2004 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 10 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 10 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
90112 Aug 27 2004 "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe"
14348 Apr 3 2008 "C:\Program Files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report

************************
4. Jotti results: all found nothing
************************

Scan taken on 19 Apr 2008 02:01:07 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#7 jpshortstuff


Posted 20 April 2008 - 10:48 AM

Hi

Please disable McAfee again, as you have done previously.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\Copy of beep_bak_sz.sys

Folder::
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\IME\PINTLGNT\bak
C:\WINDOWS\system32\IME\TINTLGNT\bak
C:\WINDOWS\ime\imjp8_1\bak
C:\WINDOWS\ehome\bak

AWF::
C:\Program Files\Zune\bak\ZuneLauncher.exe
C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe
C:\Program Files\Realtek\InstallShield\bak\AzMixerSel.exe
C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\bak\ntiMUI.exe
C:\Acer\Empowering Technology\ePower\bak\ePower_DMC.exe
C:\Acer\Empowering Technology\ePower\bak\Boot.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe
C:\Acer\Empowering Technology\ePresentation\bak\ePresentation.exe

Driver::
eLock2BurnerLockDriver
eLock2FSCTLDriver

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do an online scan with Kaspersky WebScanner

Follow this link in Internet Explorer (Note: You must use Internet Explorer to use Kaspersky): Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    o Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    o Now click on the Save as Text button:
  • Save the file to your desktop.
Please post the results of the Kaspersky scan in your next reply. Also, please give a detailed description of how your computer is running and behaving at the moment, listing any remaining problems.

Thanks.


#8 zelgheimer


Posted 21 April 2008 - 10:50 PM

Thanks a lot for the instruction.
I do not see any pop-ups now. But the Kaspersky scan still claims lots of viruses and infected files.
Here are the logs:

***************************
1. combofix.log
***************************
ComboFix 08-04-16.5 - shengsheng 2008-04-21 22:42:28.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.471 [GMT -4:00]
Running from: C:\Documents and Settings\shengsheng\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\shengsheng\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\Copy of beep_bak_sz.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ehome\bak
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\ime\imjp8_1\bak
C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\drivers\Copy of beep_bak_sz.sys
C:\WINDOWS\system32\IME\PINTLGNT\bak
C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
C:\WINDOWS\system32\IME\TINTLGNT\bak
C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ELOCK2BURNERLOCKDRIVER
-------\Legacy_ELOCK2FSCTLDRIVER
-------\Service_eLock2BurnerLockDriver
-------\Service_eLock2FSCTLDriver


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-14 21:13 . 2008-04-14 21:13 <DIR> d-------- C:\Microsoft
2008-04-13 01:34 . 2008-04-13 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 18:23 . 2008-04-15 08:23 355 --a------ C:\WINDOWS\wininit.ini
2008-04-12 11:35 . 2008-04-21 22:46 5,422 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-12 11:24 . 2008-04-12 11:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-12 11:20 . 2008-04-12 11:20 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-12 11:20 . 2008-04-12 11:20 <DIR> d-------- C:\Documents and Settings\shengsheng\Application Data\SiteAdvisor
2008-04-12 11:19 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-12 11:19 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-12 11:19 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-12 11:19 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-12 11:19 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-12 11:17 . 2008-04-12 11:17 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-12 11:11 . 2008-04-12 11:11 <DIR> d-------- C:\Documents and Settings\Min\Application Data\SiteAdvisor
2008-04-12 10:16 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-12 10:13 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-12 10:11 . 2008-04-12 10:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-11 21:45 . 2008-04-11 21:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-10 15:05 . 2008-04-10 15:06 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-10 15:04 . 2008-04-10 15:04 <DIR> d-------- C:\Program Files\Google
2008-04-09 03:02 . 2008-04-09 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-03 20:16 . 2008-04-03 20:16 <DIR> d-------- C:\Program Files\NRJ
2008-03-25 23:15 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-25 23:15 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-25 23:15 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-25 23:15 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-25 23:15 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-25 23:15 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-25 23:15 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-25 23:15 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-25 23:15 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-25 22:27 . 2008-03-26 21:57 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-03-25 20:54 . 2008-03-25 20:54 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-25 20:39 . 2008-03-25 20:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 19:04 . 2008-03-25 19:05 <DIR> d-------- C:\Documents and Settings\Min\Application Data\Lavasoft
2008-03-23 18:26 . 2008-03-23 18:26 <DIR> d--hs---- C:\FOUND.009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 12:29 25,773 ----a-w C:\WINDOWS\system32\drivers\regguard.sys
2008-03-25 23:52 16,747 ----a-w C:\Program Files\Common Files\vire.db
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-03 05:02 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-03 05:02 --------- d-----w C:\Documents and Settings\Vivian\Application Data\SUPERAntiSpyware.com
2008-03-03 00:00 0 ----a-w C:\Documents and Settings\shengsheng\dhtnodes.dat
2008-03-02 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

------- Sigcheck -------

2007-10-30 12:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-12-08 20:03 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-17_20.37.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 00:35:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 02:45:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 02:46:02 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_90.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 23:27 16207872 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 11:37:58 45056]
TweakYC.lnk - C:\Program Files\VideoMate\ComproPVR 2\TweakYC.exe [2006-11-28 22:31:54 512000]
ComproScheduler.lnk - C:\Program Files\Common Files\VideoMate\ComproScheduler.exe [2006-11-28 22:32:00 65536]
ComproRemote.lnk - C:\Program Files\Common Files\VideoMate\ComproRemote.exe [2006-11-28 22:32:00 139264]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\CTerm\\CTerm.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S3 GT680xNT;Visioneer OneTouch 7300 Driver;C:\WINDOWS\system32\drivers\gt680x.sys [2003-08-29 13:12]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-31 08:29]
S3 TridVid;VideoMate U880/U900;C:\WINDOWS\system32\DRIVERS\VMTiny.sys [2005-06-13 15:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 15:18:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-04-15 05:00:16 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 22:46:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\ACER\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
C:\WINDOWS\EHOME\EHRECVR.EXE
C:\WINDOWS\EHOME\EHSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\HACKERWATCH\HWAPI.EXE
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCODS.EXE
C:\PROGRAM FILES\MCAFEE\MSC\MCPROMGR.EXE
C:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\EHOME\MCRDSVC.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
C:\WINDOWS\SYSTEM32\DLLHOST.EXE
C:\WINDOWS\EHOME\EHMSAS.EXE
C:\ACER\EMPOWERING TECHNOLOGY\EPOWER\EPOWER_DMC.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\McAfee\MSC\MCUIMGR.EXE
C:\WINDOWS\SYSTEM32\VERCLSID.EXE
.
**************************************************************************
.
Completion time: 2008-04-21 22:48:36 - machine was rebooted
ComboFix4.txt 2007-08-04 16:15:52
ComboFix-quarantined-files.txt 2008-04-22 02:48:32
ComboFix3.txt 2008-04-18 00:38:34
ComboFix2.txt 2008-04-19 01:43:44

Pre-Run: 27,990,982,656 bytes free
Post-Run: 28,041,281,536 bytes free
.
2008-04-12 14:20:16 --- E O F ---


***************************
2. Hijackthis.log
***************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:51 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe

**********************
3. kaspersky report
**********************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 22, 2008 12:37:14 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/04/2008
Kaspersky Anti-Virus database records: 720686
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 71357
Number of viruses found: 8
Number of infected objects: 126
Number of suspicious objects: 6
Duration of the scan process: 01:08:47

Infected Object Name / Virus Name / Last Action

Scan process completed.

#9 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 22 April 2008 - 10:29 AM

Hi zelgheimer

Log looks good :thumbup:

All the items on the Kaspersky log will be taken care of in this post. None of them pose a threat; they are all either backups made by the tools we have been using, or located in your System Restore partition, which will be cleaned during this process.

Open Spybot S&D and click on the Recovery button. In the box labeled "Backups", select everything and then click on Purge selected items at the top.
Click Yes at the prompt.

Locate and delete the following folders:
D:\szhang\hijackThis <<FOLDER
C:\Documents and Settings\shengsheng\Desktop\hijackThis <<FOLDER

Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use.

Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
    Freely available: Download SpywareBlaster

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

  • Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

Need help remembering those important computer maintenance tasks? Let SCars do it for you.
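The triage reasoning in the reply above (detections that sit in System Restore or in the cleanup tools' own backup and quarantine folders are leftovers, not active infections), as an added example that is not part of the original thread: it buckets Kaspersky Online Scanner report lines by location. The sample lines, the detection names and the location rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky Online Scanner line format
# ("<object> Infected: <name> <last action>"). The paths, the all-zero
# restore GUID and the *.Example.* detection names are made up.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan.Win32.Example.a skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\A0000002.dll Infected: Packed.Win32.Example.gen skipped
C:\QooBox\Quarantine\C\Program Files\Example App\example.exe.vir Infected: Trojan.Win32.Example.b skipped
D:\tools\hijackThis\backups\backup-00000000-000000-000.dll Infected: Packed.Win32.Example.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Example1.zip/example.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Example1.zip ZIP: suspicious - 1 skipped
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Example.a skipped
"""

# Location rules (assumptions): System Restore storage, ComboFix's QooBox
# quarantine, and the HijackThis and Spybot S&D backup folders.
# Matching is case-insensitive because Windows paths are.
INERT_LOCATIONS = [
    ("system_restore", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("tool_quarantine", re.compile(r"\\QooBox\\Quarantine\\", re.I)),
    ("tool_backup", re.compile(r"\\hijackthis\\backups\\", re.I)),
    ("tool_backup", re.compile(r"\\Spybot - Search & Destroy\\Recovery\\", re.I)),
]

# Paths contain spaces, so anchor on the verdict keyword instead of splitting.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>Infected|Suspicious): "
    r"(?P<name>\S+) (?P<action>\S+)$"
)
LOCKED = re.compile(r"^[A-Za-z]:\\.+ Object is locked skipped$")


def parse_report(text):
    """Return (detections, locked_count).

    Locked files were never scanned, so they are counted but are not
    detections. Archive summary lines ("ZIP: suspicious - 1") are skipped
    because the archive member already has its own line.
    """
    detections, locked = [], 0
    for line in text.splitlines():
        line = line.strip()
        if LOCKED.match(line):
            locked += 1
            continue
        match = DETECTION.match(line)
        if match:
            detections.append(match.groupdict())
    return detections, locked


def classify(path):
    """Map a detection path to an inert bucket, or 'live' if none applies."""
    for bucket, pattern in INERT_LOCATIONS:
        if pattern.search(path):
            return bucket
    return "live"


def triage(text):
    """Group detections by location bucket; also return the locked count."""
    detections, locked = parse_report(text)
    buckets = defaultdict(list)
    for det in detections:
        buckets[classify(det["path"])].append((det["path"], det["name"]))
    return dict(buckets), locked


if __name__ == "__main__":
    buckets, locked = triage(SAMPLE_REPORT)
    print(f"locked (unscanned) objects: {locked}")
    for bucket in ("live", "tool_quarantine", "tool_backup", "system_restore"):
        for path, name in buckets.get(bucket, []):
            print(f"{bucket:16} {name:28} {path}")
```

Anything that lands in the `live` bucket is what needs follow-up. The path is only a heuristic for deciding that the other buckets are inert.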

#10 zelgheimer

zelgheimer

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 23 April 2008 - 07:57 PM

Hi jpshortstuff, Done. No pop-ups anymore. Thank you VERY MUCH for all your help and instructions.

#11 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 24 April 2008 - 12:37 AM

No problem, glad we could help :)

#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 24 April 2008 - 08:41 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.