
[Resolved] Aware agent.BN kill and return


This topic is locked. 40 replies to this topic.

#1 kaitlyn L

Authentic Member, 27 posts

Posted 02 May 2008 - 12:01 PM

Hi,

I've been infected with Adware.Agent.BN.
Tried to remove it with Spyware Doctor, but it returns.

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:50 AM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SogouInput\ImeUtil.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\gigi\Desktop\hijackthis.exe

O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\Flashget\ComDlls\bhoCATCH.dll
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\SSup.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live μ?????3D - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230} - C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249} - C:\WINDOWS\wxdbpfvo.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows木马防火墙] C:\Documents and Settings\gigi\Desktop\rj07091004\112777_Windows?????μ 8[1].8??????¢2?y???\www.asp1.com.cn\ftcsetup\Trojanwall.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dell DataSafe Scheduler] "C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VirusIsolator.exe] C:\Program Files\VirusIsolator\VirusIsolator.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O21 - SSODL: qadovnel - {9E95F92C-5707-4860-A38A-42ED99A719A1} - C:\WINDOWS\qadovnel.dll
O21 - SSODL: bdkpfxqw - {4F5963B1-99E5-4CD0-80CE-9EDDE131ACB9} - C:\WINDOWS\bdkpfxqw.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11113 bytes

At the same time, I can't open any web page with IE7.

[Attachment: 100_0991.JPG (screenshot)]

Please help me step by step. Thanks :thumbup:
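The HijackThis log above is what the volunteer reads by hand; the four DLLs that SmitfraudFix later lists under "Suspicious" (gndarmblaor.dll, wxdbpfvo.dll, qadovnel.dll, bdkpfxqw.dll) all share two traits visible in the O2/O3/O21 lines: they load straight from the C:\WINDOWS root rather than from system32 or Program Files, and several are registered under a display name that is just the file stem. The script below is an added example, not code from HijackThis, SmitfraudFix or this forum: it parses the CLSID-bearing HJT lines and flags entries on those two heuristics, which are this example's own assumptions rather than rules from either tool. The sample log is constructed from lines in the thread.

```python
"""Heuristic triage of HijackThis (HJT) 2.0.2 log lines.

Added example for this thread; it is not code from HijackThis, SmitfraudFix
or the forum. It parses the "Oxx - Kind: Name - {CLSID} - Path" lines that
HJT emits for BHOs (O2), toolbars (O3) and SSODL entries (O21) and flags
modules whose placement or naming matches the four DLLs the SmitfraudFix
run later in the thread lists as suspicious. The two heuristics are this
example's own assumptions, not rules taken from either tool.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines in the shape of the HJT log posted above,
# mixing legitimate entries (Adobe, Symantec) with the suspicious ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\SSup.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230} - C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249} - C:\WINDOWS\wxdbpfvo.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: qadovnel - {9E95F92C-5707-4860-A38A-42ED99A719A1} - C:\WINDOWS\qadovnel.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# One CLSID-bearing HJT line: section, kind, display name, CLSID, module path.
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)
# A module sitting directly in the Windows directory root (C:\WINDOWS\x.dll)
# rather than in system32 or under Program Files: assumed heuristic.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str            # "O2", "O3", "O21", ...
    kind: str               # "BHO", "Toolbar", "SSODL", ...
    name: str               # display name as registered
    clsid: str
    path: Optional[str]     # None when HJT reports "(no file)"
    reasons: List[str] = field(default_factory=list)

    @property
    def filename(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[-1] if self.path else None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Extract the CLSID-bearing entries; O4/O23 lines have another shape and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].strip()
        entries.append(HjtEntry(m["section"], m["kind"], m["name"].strip(), m["clsid"].upper(),
                                None if path.lower() == "(no file)" else path))
    return entries


def triage(entry: HjtEntry) -> HjtEntry:
    """Attach a reason for each heuristic the entry trips (assumed heuristics)."""
    if entry.path is None:
        entry.reasons.append("orphaned registration: CLSID points at a file that no longer exists")
        return entry
    if WINDIR_ROOT_RE.match(entry.path):
        entry.reasons.append("module loaded straight from the Windows directory root")
    stem = entry.filename.rsplit(".", 1)[0].lower()
    if entry.name.lower() == stem:
        entry.reasons.append("display name is just the file stem (looks auto-generated)")
    return entry


def review(text: str) -> List[HjtEntry]:
    """Return only the entries that tripped at least one heuristic."""
    return [e for e in map(triage, parse_hjt_log(text)) if e.reasons]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.section} {e.kind}: {e.filename or '(no file)'} {e.clsid}")
        for r in e.reasons:
            print(f"    - {r}")
```

On the constructed sample this flags exactly the three Windows-root modules plus the orphaned "(no file)" BHO, and leaves the Adobe and Symantec entries alone; to run it over a saved log, pass the file's contents to `review()`. A hit is a reason to look closer (check the file's signer, creation time and what SmitfraudFix or a scanner says about it), not a verdict on its own.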



#2 jpshortstuff

Teacher Emeritus, 5,710 posts

Posted 02 May 2008 - 01:18 PM

Hi, and Welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

#3 kaitlyn L

Authentic Member, 27 posts

Posted 02 May 2008 - 03:45 PM

Thank you so much :thumbup: I'm waiting for your help~~~

#4 jpshortstuff

Teacher Emeritus, 5,710 posts

Posted 02 May 2008 - 07:32 PM

Hi

Please download SmitfraudFix (by S!Ri), saving to your desktop.
Extract the contents of SmitFraudFix.exe to your desktop.

Open the SmitFraudFix folder on your desktop and double-click SmitfraudFix.cmd.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
Thanks.


#5 kaitlyn L

Authentic Member, 27 posts

Posted 02 May 2008 - 11:08 PM

Result of SmitfraudFix:
SmitFraudFix v2.319

Scan done at 22:04:55.56, 05/02/2008 Fri
Run from C:\Documents and Settings\gigi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\qadovnel.dll FOUND !
C:\WINDOWS\spwoqbmv.exe FOUND !
C:\WINDOWS\xbaqktfv.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\gigi


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\gigi\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: gndarmblaor.dll
BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230}
TypeLib: {40CA3D09-9ABB-4038-967E-7B2933168902}
Interface: {4E493E24-27F2-4749-8F73-5E775A238EE3}
Interface: {F4626DC1-0AF5-433A-A016-9B9C35D5D405}

[!] Suspicious: wxdbpfvo.dll
Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249}
TypeLib: {2D61E3DA-5106-489B-8282-A28F1197CDD6}
Interface: {480B1A9B-6AC6-43D9-A6EF-4A9410F74426}
Classe: wxdbpfvo.btbv
Classe: wxdbpfvo.ToolBar.1

[!] Suspicious: qadovnel.dll
SSODL: qadovnel - {9E95F92C-5707-4860-A38A-42ED99A719A1}

[!] Suspicious: bdkpfxqw.dll
SSODL: bdkpfxqw - {4F5963B1-99E5-4CD0-80CE-9EDDE131ACB9}


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Result of DSS:

extra
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
CPU 1: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 3069.97 MiB / 2270.57 MiB
Pagefile Memory (total/avail): 5978.61 MiB / 5169.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903 MiB

C: is Fixed (NTFS) - 109.21 GiB total, 59.63 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1246GSX - 111.79 GiB - 3 partitions
\PARTITION0 - Unknown - 78.41 MiB
\PARTITION1 (bootable) - Installable File System - 109.21 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 2.5 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"="C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"="C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Tencent\\QQDownload\\QQDownload.exe"="C:\\Program Files\\Tencent\\QQDownload\\QQDownload.exe:*:Enabled:超级旋风"
"C:\\Program Files\\Tencent\\QQDownload\\QDAutoUpdate.exe"="C:\\Program Files\\Tencent\\QQDownload\\QDAutoUpdate.exe:*:Enabled:AutoUpdate Module"
"C:\\Program Files\\FlashGet Network\\Flashget\\FlashGet.exe"="C:\\Program Files\\FlashGet Network\\Flashget\\FlashGet.exe:*:Enabled:Flashget2"
"C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdate.exe"="C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdate.exe:*:Enabled:FGLiveUpdate"
"C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"="C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe:*:Enabled:FGLiveUpdateEx"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"="C:\\Program Files\\Tencent\\QQ\\QQ.exe:*:Enabled:QQ"
"C:\\Program Files\\Tencent\\QQ\\QZone\\Qzone.exe"="C:\\Program Files\\Tencent\\QQ\\QZone\\Qzone.exe:*:Enabled:QzoneClient1.3Beta04 V01.3.104.021"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\StormII\\Storm.exe"="C:\\Program Files\\StormII\\Storm.exe:*:Enabled:暴风影音"
"C:\\Program Files\\StormII\\stormliv.exe"="C:\\Program Files\\StormII\\stormliv.exe:*:Enabled:暴风影音媒体控制中心"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"="C:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe:*:Enabled:Kingsoft PowerWord"
"C:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"="C:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe:*:Enabled:Kingsoft PowerWord Online Update"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\gigi\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DGY0LZF1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\gigi
LOGONSERVER=\\DGY0LZF1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\StormII\Codec;C:\Program Files\StormII
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\gigi\LOCALS~1\Temp
TMP=C:\DOCUME~1\gigi\LOCALS~1\Temp
USERDOMAIN=DGY0LZF1
USERNAME=gigi
USERPROFILE=C:\Documents and Settings\gigi
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

gigi (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{0F122737-72B2-4095-8B3E-7AAE753DFD3D}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{61E8B062-51F9-4BBB-B1FC-E2A4A40944F5}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\SETUP.EXE" -l0x9
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Advanced Audio FX Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 /remove
Advanced Video FX Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 /remove
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\UIU32m.exe -U -Idel000f5.INF
Dell Automated PC TuneUp --> MsiExec.exe /X{FE34691C-4298-4667-9758-D7F534DD0B94}
Dell DataSafe Online --> MsiExec.exe /I{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}
Dell Network Assistant --> MsiExec.exe /I{0240BDFB-2995-4A3F-8C96-18D41282B716}
Dell Resource CD --> MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Touchpad --> C:\Program Files\DellTPad\Uninstap.exe ADDREMOVE
Dell Webcam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x9 /remove
Dell Webcam Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x9 /remove
Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Digital Line Detect --> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
eMule VeryCD版 --> C:\Program Files\eMule\uninstall.exe
Encyclopaedia Britannica 2008 Ultimate Reference Suite --> "C:\Program Files\Britannica 8.0\Encyclopaedia Britannica 2008 Ultimate Reference Suite\Uninstall_Encyclopaedia Britannica 2008 Ultimate Reference Suite\Uninstall Encyclopaedia Britannica 2008 Ultimate Reference Suite.exe"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\gigi\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IntelliSonic Speech Enhancement --> MsiExec.exe /X{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Laptop Integrated Webcam Driver (1.03.02.0719) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script OEM002.uns -plugin OEM02Pin.dll -pluginres OEM02Pin.crl -nodisconprompt -langid 0x0409
Learning Essentials for Microsoft Office --> MsiExec.exe /X{75F3A4B2-F6E8-434D-A2EF-DBBC016C6CB2}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MediaDirect --> C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Math --> MsiExec.exe /I{07043840-959A-4B0D-8825-2C533F0DDB19}
Microsoft Student 2007 for Learning Essentials --> RunDll32.exe advpack.dll, LaunchINFSectionEx C:\Program Files\Learning Essentials\1.0\en\US\Microsoft Student 2007\Uninstall\Uninstall.inf,Uninstall,,,N
Microsoft Student with Encarta Premium 2008 --> MsiExec.exe /I{08041881-FCA5-44A7-B863-D66037A16AAF}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Modem Diagnostic Tool --> MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mouse Suite for Laptop Computers --> C:\Program Files\InstallShield Installation Information\{BF13AA9D-E4CE-4015-9778-ECC1D4FB06E4}\setup.exe -runfromtemp -l0x0009 -removeonly
Mozilla Firefox (3.0b5) --> C:\Program Files\Mozilla Firefox 3 Beta 5\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OutlookAddinSetup --> MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
Powerword 2007 --> "C:\Program Files\Kingsoft\Powerword 2007\unins000.exe"
QQ2007II 正式版 (QQ2007II official release) --> C:\Program Files\Tencent\QQ\uninst.exe
QQ游戏 (QQ Games) --> C:\Program Files\Tencent\QQGame\Uninstall.EXE
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sogou Chinese Input 3.2 (3.2.0.0605) --> "C:\Program Files\SogouInput\Uninstall.exe"
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SOSO AddressBar Search --> Rundll32.exe C:\WINDOWS\system32\Scrax.dll,Uninstall
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Versal FileDownload ActiveX Control Trial Version --> C:\Program Files\Universal\UFileDownloadD\USetup.exe
Windows Live installer --> MsiExec.exe /X{75F9C7CC-1EF0-4E03-BCD5-DF715CD7AFD1}
Windows Live Messenger --> MsiExec.exe /X{3DD5CE10-6673-499D-8FC0-66C953121B1D}
Windows Live 登录助手 (Windows Live Sign-in Assistant) --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR 压缩文件管理器 (WinRAR archiver) --> C:\Program Files\WinRAR\uninstall.exe
快车(FlashGet)2-正式版 (FlashGet 2, official release) --> C:\Program Files\FlashGet Network\Flashget\uninst.exe
暴风影音 (Storm Player) --> C:\Program Files\StormII\uninst.exe
超级旋风 (QQDownload) 1.8.195.202 --> C:\Program Files\Tencent\QQDownload\uninst.exe
飞速土豆 (Tudou Accelerator) 1.10 --> C:\Program Files\Tudou\飞速Tudou\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1642 / Error
Event Submitted/Written: 05/01/2008 10:36:35 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office PowerPoint Viewer 2007 (English) -- Error 1706. An installation package for the product Microsoft Office PowerPoint Viewer 2007 (English) cannot be found. Try the installation again using a valid copy of the installation package 'ppviewer.msi'.

Event Record #/Type1641 / Warning
Event Submitted/Written: 05/01/2008 10:36:28 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{95120000-00AF-0409-0000-0000000FF1CE}', feature 'PPTViewerWebDownloadFiles' failed during request for component '{FB8E9B43-0B6F-4159-91D6-E6CF414A4E03}'

Event Record #/Type1640 / Warning
Event Submitted/Written: 05/01/2008 10:36:28 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{95120000-00AF-0409-0000-0000000FF1CE}', feature 'PPTViewerWebDownloadFiles', component '{32497290-AB4C-48D2-A95D-E82C68DA659E}' failed. The resource 'C:\Program Files\Microsoft Office\Office12\INTLDATE.DLL' does not exist.

Event Record #/Type1603 / Error
Event Submitted/Written: 04/30/2008 03:44:25 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat found! Threat: Trojan Horse in file: C:\Documents and Settings\gigi\Desktop\Spyware.Doctor\keygen.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action description: The file was quarantined successfully.

Event Record #/Type1586 / Success
Event Submitted/Written: 04/30/2008 08:19:28 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4867 / Error
Event Submitted/Written: 05/02/2008 08:15:44 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type4822 / Error
Event Submitted/Written: 05/02/2008 02:19:01 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest.
Reference error message: The operation completed successfully.
.

Event Record #/Type4821 / Error
Event Submitted/Written: 05/02/2008 02:19:01 PM
Event ID/Source: 58 / SideBySide
Event Description:
Syntax error in manifest or policy file "The manifest file contains one or more syntax errors.
1" on line The manifest file contains one or more syntax errors.
2.

Event Record #/Type4820 / Error
Event Submitted/Written: 05/02/2008 02:19:01 PM
Event ID/Source: 61 / SideBySide
Event Description:
Syntax error in manifest or policy file "assemblyIdentity1" on line assemblyIdentity2.
The required attribute version is missing from element assemblyIdentity.

Event Record #/Type4819 / Error
Event Submitted/Written: 05/02/2008 02:19:00 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest.
Reference error message: The operation completed successfully.
.



-- End of Deckard's System Scanner: finished at 2008-05-02 21:47:17 ------------




main
Deckard's System Scanner v20071014.68
Run by gigi on 2008-05-02 21:49:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as gigi.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:19 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Kingsoft\Powerword 2007\xdict.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\gigi\Desktop\dss.exe
C:\DOCUME~1\gigi\Desktop\gigi.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\Flashget\ComDlls\bhoCATCH.dll
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\SSup.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230} - C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249} - C:\WINDOWS\wxdbpfvo.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows木马防火墙] ("Windows Trojan Firewall") C:\Documents and Settings\gigi\Desktop\rj07091004\112777_Windows?????μ 8[1].8??????¢2?y???\www.asp1.com.cn\ftcsetup\Trojanwall.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [KuGoo3] C:\PROGRA~1\KUGOO2~1\KuGoo.exe
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dell DataSafe Scheduler] "C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VirusIsolator.exe] C:\Program Files\VirusIsolator\VirusIsolator.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: qadovnel - {9E95F92C-5707-4860-A38A-42ED99A719A1} - C:\WINDOWS\qadovnel.dll
O21 - SSODL: bdkpfxqw - {4F5963B1-99E5-4CD0-80CE-9EDDE131ACB9} - C:\WINDOWS\bdkpfxqw.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 (Beijing Storm Network Technology Co., Ltd.) - C:\Program Files\StormII\stormliv.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11548 bytes

-- Files created between 2008-04-02 and 2008-05-02 -----------------------------

2008-06-28 15:22:45 0 d-------- C:\Program Files\Enigma Software Group
2008-06-28 14:26:57 0 d-------- C:\Documents and Settings\gigi\Application Data\TrojanHunter
2008-06-28 12:56:50 0 d-------- C:\Program Files\Iparmor
2008-06-28 12:55:00 0 d-------- C:\Documents and Settings\gigi\update
2008-06-28 12:44:18 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-28 12:31:00 0 d-------- C:\Documents and Settings\gigi\Application Data\TmpRecentIcons
2008-06-28 11:47:10 0 d-------- C:\WINDOWS\empty
2008-06-28 10:52:25 94208 --a------ C:\WINDOWS\xbaqktfv.exe
2008-06-28 10:52:25 151552 --a------ C:\WINDOWS\wxdbpfvo.dll
2008-06-28 10:52:25 81920 --a------ C:\WINDOWS\spwoqbmv.exe
2008-06-28 10:52:25 167936 --a------ C:\WINDOWS\qadovnel.dll
2008-06-28 10:52:25 217088 --a------ C:\WINDOWS\gndarmblaor.dll
2008-06-28 10:52:25 212992 --a------ C:\WINDOWS\bdkpfxqw.dll
2008-06-27 20:07:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-27 17:24:10 0 d-------- C:\Documents and Settings\gigi\Application Data\Reallusion
2008-06-27 17:24:09 0 d-------- C:\Documents and Settings\gigi\Application Data\tmp
2008-05-02 21:34:58 4924 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-02 21:34:33 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-02 21:34:33 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-02 21:34:33 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-02 21:34:33 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-02 21:34:33 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-02 21:34:33 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-02 21:34:33 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-02 21:34:32 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-02 20:29:56 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-02 20:29:54 0 d-------- C:\Documents and Settings\gigi\Application Data\skypePM
2008-05-02 20:25:38 0 d-------- C:\Documents and Settings\gigi\Application Data\Skype
2008-05-02 20:25:17 0 d-------- C:\Program Files\Skype
2008-05-02 20:25:17 0 d-------- C:\Program Files\Common Files\Skype
2008-05-02 20:25:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-02 14:29:01 0 d-------- C:\KuGoo
2008-05-02 14:26:28 6096 --a------ C:\WINDOWS\LoginUsers.dat
2008-05-01 22:03:01 0 d-------- C:\Program Files\Universal
2008-04-30 16:07:25 0 d-------- C:\Program Files\Spyware Doctor
2008-04-30 16:07:25 0 d-------- C:\Documents and Settings\gigi\Application Data\PC Tools
2008-04-29 12:18:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-29 12:18:05 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-28 22:41:34 0 --a------ C:\WINDOWS\system32\cid_store.dat
2008-04-28 21:15:51 0 d-------- C:\WINDOWS\pss
2008-04-28 19:23:09 0 d-------- C:\Documents and Settings\gigi\Application Data\Grisoft
2008-04-28 19:22:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-28 19:18:58 0 d-------- C:\Documents and Settings\gigi\Application Data\MxBoost
2008-04-28 19:18:41 0 d-------- C:\Program Files\Maxthon2
2008-04-26 23:04:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-04-26 23:04:05 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-26 11:55:13 0 d-------- C:\Program Files\Microsoft Student
2008-04-26 11:54:36 0 d-------- C:\Program Files\Learning Essentials
2008-04-26 11:08:16 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-26 11:07:14 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-26 10:14:57 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-24 23:09:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-24 22:48:38 0 d-------- C:\Documents and Settings\gigi\Application Data\Apple Computer
2008-04-24 22:39:35 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-04-24 21:58:04 0 d-------- C:\Documents and Settings\gigi\Application Data\Mozilla
2008-04-24 21:49:55 0 d-------- C:\Program Files\QuickTime
2008-04-24 21:49:38 0 d-------- C:\Program Files\Apple Software Update
2008-04-24 21:49:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-24 21:40:37 0 d--h----- C:\Program Files\Zero G Registry
2008-04-24 21:40:37 0 d-------- C:\Program Files\Britannica 8.0
2008-04-24 21:38:45 0 d--h----- C:\Documents and Settings\gigi\InstallAnywhere
2008-04-24 12:41:31 0 d-------- C:\Program Files\Tudou
2008-04-22 20:31:50 41984 --a------ C:\WINDOWS\system32\drivers\AdProt.sys <Not Verified; 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.); >
2008-04-22 14:24:02 0 d-------- C:\Program Files\EPSON
2008-04-22 08:25:09 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-20 21:12:33 12720 --a------ C:\WINDOWS\system32\drivers\prfnifp.sys
2008-04-19 10:46:28 7904 --a------ C:\WINDOWS\system32\BDGuardS.DAT
2008-04-19 10:46:28 1464 --a------ C:\WINDOWS\system32\BDGuard.DAT
2008-04-18 22:51:44 0 d-------- C:\Program Files\eREAD
2008-04-18 22:27:11 0 d-------- C:\Program Files\MSXML 4.0
2008-04-18 20:26:47 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-18 12:39:27 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-18 12:39:24 0 d-------- C:\Documents and Settings\gigi\Application Data\DAEMON Tools
2008-04-18 09:31:22 0 d-------- C:\WINDOWS\system32\Redist
2008-04-18 09:31:21 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-04-18 09:31:21 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-04-18 09:31:11 1712128 --a------ C:\WINDOWS\system32\GdiPlus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 09:30:53 0 d-------- C:\Program Files\Common Files\Kingsoft
2008-04-17 20:40:28 0 d-------- C:\Documents and Settings\gigi\Application Data\Real
2008-04-15 20:47:33 0 d-------- C:\Program Files\Common Files\Real
2008-04-15 20:46:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Storm
2008-04-15 20:46:55 0 d-------- C:\Documents and Settings\gigi\Application Data\Application Data
2008-04-15 20:46:36 0 d-------- C:\Program Files\StormII
2008-04-15 20:37:14 0 d-------- C:\Program Files\eMule
2008-04-13 09:28:01 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-12 21:54:50 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-12 21:54:50 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-12 21:54:50 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-12 21:54:50 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-12 21:54:49 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-12 21:54:47 0 d-------- C:\Documents and Settings\gigi\Application Data\Simply Super Software
2008-04-11 22:21:41 0 d-------- C:\WINDOWS\Sun
2008-04-11 22:21:41 0 d-------- C:\Documents and Settings\gigi\Application Data\Sun
2008-04-11 21:39:13 0 d-------- C:\Documents and Settings\gigi\Application Data\DataSafeOnline
2008-04-10 20:10:42 274800 --ahs---- C:\WINDOWS\system32\FffgPXbc.ini2
2008-04-08 22:02:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-07 07:38:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-05 08:39:41 0 d-------- C:\Downloads
2008-04-05 08:39:24 0 d-------- C:\Documents and Settings\gigi\Application Data\BITS
2008-04-05 08:38:47 0 d-------- C:\Program Files\FlashGet Network
2008-04-05 08:37:37 0 d-------- C:\QQDownload
2008-04-05 08:26:17 0 d-------- C:\Program Files\Symantec
2008-04-05 08:26:13 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-05 08:26:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-05 08:26:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 08:19:13 0 d-------- C:\Documents and Settings\gigi\Application Data\Kingsoft
2008-04-05 08:18:20 0 d-------- C:\Program Files\Kingsoft
2008-04-05 07:59:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\SogouPY
2008-04-05 07:59:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\SogouPY.users
2008-04-04 22:45:06 0 d-------- C:\Documents and Settings\gigi\Application Data\QQUpdate
2008-04-04 22:38:54 0 d-------- C:\Documents and Settings\gigi\Application Data\QQDoctor
2008-04-04 22:38:05 0 d-------- C:\Documents and Settings\gigi\Application Data\QQ
2008-04-04 22:38:03 0 d-------- C:\Documents and Settings\gigi\Application Data\Tencent
2008-04-04 22:32:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\SogouPY
2008-04-04 22:32:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\SogouPY.users
2008-04-04 22:13:56 147456 --a------ C:\WINDOWS\system32\Scrax.dll <Not Verified; Tencent; >
2008-04-04 22:13:28 0 d-------- C:\WINDOWS\system32\qqedit
2008-04-04 22:13:22 0 d-------- C:\Program Files\Tencent
2008-04-04 22:13:08 0 d-------- C:\Program Files\SogouInput
2008-04-04 22:13:08 0 d-------- C:\Documents and Settings\gigi\Application Data\SogouPY.users
2008-04-04 22:12:53 0 d-------- C:\Documents and Settings\gigi\Application Data\SogouPY
2008-04-04 21:45:07 0 d-------- C:\Documents and Settings\gigi\Contacts
2008-04-04 21:27:02 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-04 21:26:58 0 d-------- C:\Program Files\Windows Live
2008-04-04 21:26:51 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 17:57:54 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-02 17:28:12 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-02 16:26:23 0 d-------- C:\Documents and Settings\gigi\Application Data\Macromedia
2008-04-02 16:13:51 0 d-------- C:\Documents and Settings\gigi\Application Data\MSNInstaller


-- Find3M Report ---------------------------------------------------------------

2008-06-28 15:17:06 51528 --a------ C:\WINDOWS\system32\nvModes.dat
2008-06-28 13:03:31 0 d-------- C:\Program Files\Google
2008-06-28 13:03:31 0 d-------- C:\Program Files\Creative
2008-06-28 12:48:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 12:47:00 0 d-------- C:\Program Files\Dell
2008-06-27 17:45:46 0 d-------- C:\Documents and Settings\gigi\Application Data\Adobe
2008-06-27 15:16:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-27 12:01:20 0 d-------- C:\Program Files\Java
2008-05-02 21:34:02 1584 --a------ C:\Documents and Settings\gigi\Application Data\wklnhst.dat
2008-05-02 20:25:17 0 d-------- C:\Program Files\Common Files
2008-04-26 14:45:50 0 d-------- C:\Documents and Settings\gigi\Application Data\Google
2008-04-01 14:40:09 0 d-------- C:\Documents and Settings\gigi\Application Data\CyberLink
2008-04-01 14:23:46 0 d--h----- C:\Documents and Settings\gigi\Application Data\GTek
2008-04-01 13:48:19 0 d-------- C:\Documents and Settings\gigi\Application Data\Dell
2008-04-01 13:01:54 0 d-------- C:\Documents and Settings\gigi\Application Data\Template
2008-04-01 12:42:47 0 d-------- C:\Documents and Settings\gigi\Application Data\Roxio
2008-04-01 12:31:50 0 d-------- C:\Documents and Settings\gigi\Application Data\Creative
2008-03-28 11:29:13 0 d-------- C:\Program Files\Microsoft Works
2008-03-28 11:28:43 0 d-------- C:\Program Files\DellAutomatedPCTuneUp
2008-03-28 11:27:57 0 d-------- C:\Program Files\MSECache
2008-03-28 11:27:04 0 d-------- C:\Program Files\CyberLink
2008-03-28 11:26:08 0 d-------- C:\Program Files\Dell Support Center
2008-03-28 11:26:05 0 d-------- C:\Program Files\Common Files\supportsoft
2008-03-28 11:26:01 0 d-------- C:\Program Files\Dell DataSafe Online
2008-03-28 11:24:54 0 d-------- C:\Program Files\Dell Network Assistant
2008-03-28 11:23:40 0 d-------- C:\Program Files\Roxio
2008-03-28 11:23:34 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-28 11:23:31 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-28 11:23:19 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-28 11:23:17 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-28 11:22:37 0 d-------- C:\Program Files\Sigmatel
2008-03-28 11:21:02 0 d-------- C:\Program Files\CONEXANT
2008-03-28 11:20:10 0 d-------- C:\Program Files\Digital Line Detect
2008-03-28 11:20:07 0 d-------- C:\Program Files\NetWaiting
2008-03-28 11:20:02 0 d-------- C:\Program Files\Modem Diagnostic Tool
2008-03-28 11:19:17 0 d-------- C:\Program Files\Common Files\Reallusion
2008-03-28 11:19:13 0 d-------- C:\Program Files\Common Files\Creative
2008-03-28 11:19:09 0 d-------- C:\Program Files\Creative Live! Cam
2008-03-28 11:18:36 0 d-------- C:\Documents and Settings\gigi\Application Data\InstallShield
2008-03-28 11:17:21 0 d-------- C:\Program Files\Messenger
2008-03-28 11:16:30 0 d-------- C:\Program Files\Common Files\Java
2008-03-28 11:15:14 0 d-------- C:\Program Files\MSXML 6.0
2008-03-28 11:02:52 0 d-------- C:\Program Files\DellTPad


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-12C9-4305-82F9-43058F20E8D2}]
04/20/2008 10:11 PM 255296 --a------ C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F364306-AA45-47B5-9F9D-39A8B94E7EF1}]
04/05/2008 04:54 AM 104008 --a------ C:\Program Files\FlashGet Network\Flashget\ComDlls\bhoCATCH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669751ED-D558-49AE-B01A-3B374CC7910E}]
04/17/2008 12:14 PM 185664 --a------ C:\WINDOWS\system32\SSup.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
03/10/2008 10:08 AM 81920 --a------ C:\Program Files\eREAD\eREAD\WebHook.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB9D1BB8-3615-48A6-BF50-5CB45AB28230}]
04/28/2008 07:58 AM 217088 --a------ C:\WINDOWS\gndarmblaor.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [09/23/2007 05:27 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/23/2007 08:12 PM]
"nwiz"="nwiz.exe" [09/23/2007 08:12 PM C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [09/23/2007 08:12 PM C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/23/2007 08:12 PM]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [08/28/2007 01:54 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [03/16/2007 02:10 AM]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [07/27/2007 02:43 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [09/07/2007 03:49 PM]
"SigmatelSysTrayApp"="stsystra.exe" [09/16/2007 01:44 PM C:\WINDOWS\stsystra.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 02:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 02:50 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 07:00 AM]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [01/17/2008 07:41 PM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [02/13/2008 05:21 PM]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [11/01/2007 01:39 PM]
"stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll" [03/27/2008 07:42 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/05/2004 07:25 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/19/2004 04:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Windows木马防火墙"="C:\Documents and Settings\gigi\Desktop\rj07091004\112777_Windows木马清道夫 8[1].8上网必备绿色注册可升级版\www.asp1.com.cn\ftcsetup\Trojanwall.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\CRavgas.exe" [06/11/2007 02:25 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"KuGoo3"="C:\PROGRA~1\KUGOO2~1\KuGoo.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" [10/11/2007 07:49 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [02/13/2008 05:21 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"Dell DataSafe Scheduler"="C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe" [12/02/2007 02:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 02:39 AM]
"VirusIsolator.exe"="C:\Program Files\VirusIsolator\VirusIsolator.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [04/30/2008 05:17 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"Disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewContextMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qadovnel"= {9E95F92C-5707-4860-A38A-42ED99A719A1} - C:\WINDOWS\qadovnel.dll [04/28/2008 07:57 AM 167936]
"bdkpfxqw"= {4F5963B1-99E5-4CD0-80CE-9EDDE131ACB9} - C:\WINDOWS\bdkpfxqw.dll [04/28/2008 07:57 AM 212992]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{213b6b0e-02c1-11dd-9256-001c23fd038b}]
AutoRun\command- bjkcdpf.exe
explore\Command- bjkcdpf.exe
open\Command- bjkcdpf.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{213b6b0f-02c1-11dd-9256-001c23fd038b}]
AutoRun\command- F:\bjkcdpf.exe
explore\Command- F:\bjkcdpf.exe
open\Command- F:\bjkcdpf.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75577fc4-02c2-11dd-9257-001c23fd038b}]
AutoRun\command- F:\bjkcdpf.exe
explore\Command- F:\bjkcdpf.exe
open\Command- F:\bjkcdpf.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a0f7a4e-0d5a-11dd-927a-001c23fd038b}]
AutoRun\command- bjkcdpf.exe
explore\Command- bjkcdpf.exe
open\Command- bjkcdpf.exe




-- End of Deckard's System Scanner: finished at 2008-05-02 21:50:27 ------------

#6 kaitlyn L (Authentic Member, 27 posts)

Posted 03 May 2008 - 09:34 PM

Hi, is my problem too complex? With this Aware thing, working on this laptop is so inconvenient. Can you do it quickly? Or do I just format and reinstall the system?

Edited by kaitlyn L, 04 May 2008 - 11:27 AM.


#7 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 04 May 2008 - 11:53 AM

We are currently looking over the problem, sorry for any delays.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

#8 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 04 May 2008 - 01:07 PM

Hi

You appear to have the Tencent Address Bar installed. According to my sources, this is sometimes bundled in with legitimate Tencent applications, and is considered Adware by some. Please let me know whether you installed this yourself, whether you use it, or anything else you know about this application.

If you decide you don't want this program, and want to get rid of it, please do the following.
Click Start >> Run, copy/paste the following (including speech marks) into the box:
"C:\Program Files\Tencent\QQ\uninst.exe"
and hit enter.

Additionally, there is another program I would like you to get rid of. To do this, do the same as above, but this time, copy/paste this into the box:
"C:\Program Files\VirusIsolator\uninstall.exe"
before hitting enter.


We need to upload a file to Jotti

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\drivers\prfnifp.sys

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.




Download SafeBootKeyRepair

http://download.blee...otKeyRepair.exe

Save it to your desktop.

Double-click to run it, and follow instructions.


Next, we need to boot into Safe Mode.
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press Enter.
Please let me know if this works, as it is essential that we can access Safe Mode before continuing with the fix. You can reboot your computer into Normal Mode once you have checked.

Thanks.


#9 kaitlyn L (Authentic Member, 27 posts)

Posted 04 May 2008 - 08:19 PM

The Tencent QQ is a kind of chat software; I need it to communicate with my friends. The VirusIsolator\uninstall.exe cannot run, because SpyHunter found it as a virus and killed it.

Scanner results
Scan taken on 05 May 2008 02:14:44 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Rootkit-gen
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#10 kaitlyn L (Authentic Member, 27 posts)

Posted 04 May 2008 - 09:01 PM

I can enter Safe Mode now, thanks. Do you think you can fix the ".NET Framework" problem, because I can open any web page with IE7? If you can't, I'd like to reinstall XP. If you can, how long will this process last? It's a little bit inconvenient working with this laptop.



#11 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 05 May 2008 - 05:16 AM

We will see what we can do, first we must work through the Malware issues. I urge you to have patience if at all possible, we will get through this. I can't say how long it will take, as analysis and reply times tend to vary a lot.


#12 jpshortstuff (Teacher Emeritus, 5,710 posts)

Posted 05 May 2008 - 01:12 PM

Hi

It would be a good idea if you print out these instructions or write them down, as you won't have access to the internet.

Next, we need to boot into Safe Mode.
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press Enter.
Once in Safe Mode, open the SmitFraudFix folder on your desktop and double-click SmitfraudFix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\SSup.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230} - C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249} - C:\WINDOWS\wxdbpfvo.dll
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
O4 - HKLM\..\Run: [Windows木马防火墙] C:\Documents and Settings\gigi\Desktop\rj07091004\112777_Windows木马清道夫 8[1].8上网必备绿色注册可升级版\www.asp1.com.cn\ftcsetup\Trojanwall.exe
O4 - HKLM\..\Run: [KuGoo3] C:\PROGRA~1\KUGOO2~1\KuGoo.exe
O4 - HKCU\..\Run: [VirusIsolator.exe] C:\Program Files\VirusIsolator\VirusIsolator.exe
O21 - SSODL: qadovnel - {9E95F92C-5707-4860-A38A-42ED99A719A1} - C:\WINDOWS\qadovnel.dll
O21 - SSODL: bdkpfxqw - {4F5963B1-99E5-4CD0-80CE-9EDDE131ACB9} - C:\WINDOWS\bdkpfxqw.dll
O24 - Desktop Component 0: Privacy Protection - (no file)

Note: Many of these items may not be present; this is fine, just check the ones that are.

Close all browsers and windows except for HijackThis and click Fix Checked.


Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: To restore your registry, go to the folder and start ERDNT.exe


Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{213b6b0e-02c1-11dd-9256-001c23fd038b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{213b6b0f-02c1-11dd-9256-001c23fd038b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75577fc4-02c2-11dd-9257-001c23fd038b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a0f7a4e-0d5a-11dd-927a-001c23fd038b}]
Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say yes.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\xbaqktfv.exe
    C:\WINDOWS\wxdbpfvo.dll
    C:\WINDOWS\spwoqbmv.exe
    C:\WINDOWS\qadovnel.dll
    C:\WINDOWS\gndarmblaor.dll
    C:\WINDOWS\bdkpfxqw.dll
    C:\WINDOWS\system32\drivers\AdProt.sys
    C:\WINDOWS\system32\Scrax.dll
    C:\Program Files\VirusIsolator
    C:\WINDOWS\system32\drivers\prfnifp.sys
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off
rem Remove any previous log so the listing below starts from a clean file
if exist C:\log.txt del C:\log.txt
rem Write a directory listing of C:\WINDOWS\empty into the log
DIR C:\WINDOWS\empty >> C:\log.txt
rem Open the log in Notepad
start C:\log.txt
rem Delete this batch file itself; %~f0 is its own full path, whatever it was saved as
del "%~f0"
exit
3. Save the file to your DESKTOP as "delete.bat". Make sure to save it with the quotes. Once saved, the icon to click should look like a batch file on your desktop.

4. Double click find.bat. It will open a log in Notepad, which can also be found at C:\log.txt. Post this log in your next reply.


Please run this online scan:

Panda Activescan

  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report.


We need to run DSS again, but slightly differently this time.
  • Make sure that DSS.exe is located on your Desktop.
  • Click on your START button, then choose Run. A little box will appear.
  • Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

    "%userprofile%\desktop\dss.exe" /config

  • This will start DSS in a different way. A small window will appear.
  • Click the Check All button.
  • Close all applications and windows.
  • Click on the Scan button.
  • When the scan is complete, please post the contents of main.txt and the extra.txt in your next reply.
Also, please give a detailed description of how your computer is running and behaving at the moment, listing any remaining problems.

Thanks.

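The fix above is built from a handful of triage rules applied by eye to the HijackThis and DSS output: BHOs and toolbars with no name or no file, SSODL entries, DLLs with random-looking names sitting directly in C:\WINDOWS rather than system32, and MountPoints2 subkeys whose AutoRun/open/explore verbs launch an executable (the removable-drive worm pattern that the fix.reg deletes). The script below, as an added example that is not code from this thread or from HijackThis, DSS or any other tool named here, applies the same rules mechanically to constructed sample lines modelled on the ones in the log and emits a REGEDIT4 removal file in the shape of the fix.reg above. The allowlist WINDIR_ROOT_OK, the looks_random heuristic and the helper names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, modelled on the entry shapes in the thread's
# HijackThis and DSS output; not a capture from any real machine.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\WINDOWS\system32\SSup.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230} - C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249} - C:\WINDOWS\wxdbpfvo.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VirusIsolator.exe] C:\Program Files\VirusIsolator\VirusIsolator.exe
O21 - SSODL: qadovnel - {9E95F92C-5707-4860-A38A-42ED99A719A1} - C:\WINDOWS\qadovnel.dll
"""

SAMPLE_DSS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{213b6b0f-02c1-11dd-9256-001c23fd038b}]
AutoRun\command- F:\bjkcdpf.exe
explore\Command- F:\bjkcdpf.exe
open\Command- F:\bjkcdpf.exe
"""

# Hypothetical allowlist of binaries that legitimately sit in the %WINDIR%
# root on XP; a real triage script would carry a much longer, curated list.
WINDIR_ROOT_OK = {"explorer", "notepad", "regedit", "hh", "twain_32"}

# First drive-letter path ending in .dll/.exe/.sys; non-greedy so a path
# containing spaces ("C:\Program Files\...") is still captured whole.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|sys))", re.I)
HJT_RE = re.compile(r"(O\d+) - (.*)")
MOUNT_CMD_RE = re.compile(r"^(AutoRun\\command|open\\Command|explore\\Command)-\s*(.+)$", re.I)


def module_path(text):
    """Return the module path named in a log line, or None."""
    m = PATH_RE.search(text)
    return PureWindowsPath(m.group(1)) if m else None


def looks_random(stem):
    """Heuristic: a bare run of 7+ lowercase letters, the shape of the
    gndarmblaor / qadovnel / wxdbpfvo names in the thread's log."""
    return re.fullmatch(r"[a-z]{7,}", stem) is not None


def check_hjt_line(line):
    """Return (reason, line) findings for one HijackThis entry."""
    m = HJT_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if kind in ("O2", "O3") and ("(no name)" in body or "(no file)" in body):
        reasons.append("BHO/toolbar with no name or no file on disk")
    if kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry (rarely used legitimately)")
    path = module_path(body)
    if (path is not None and path.parent.name.lower() == "windows"
            and path.stem.lower() not in WINDIR_ROOT_OK and looks_random(path.stem)):
        reasons.append("random-looking module loaded from the %WINDIR% root")
    return [(reason, line.strip()) for reason in reasons]


def scan_hjt(text):
    """Run check_hjt_line over a whole HijackThis log."""
    return [f for line in text.splitlines() for f in check_hjt_line(line)]


def check_mountpoints(dump):
    """Flag MountPoints2 subkeys whose AutoRun/open/explore verb launches an
    executable: on XP that is how a removable-drive worm re-launches itself
    whenever the drive is opened, even with a relative name like bjkcdpf.exe."""
    findings, current_key = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("[") and "mountpoints2" in line.lower():
            current_key = line.strip("[]")
        elif current_key:
            m = MOUNT_CMD_RE.match(line)
            if m and m.group(2).lower().endswith(".exe"):
                findings.append((current_key, m.group(1), m.group(2)))
    return findings


def removal_reg(mount_findings):
    """Build a REGEDIT4 file deleting each flagged MountPoints2 key, in the
    same shape as the fix.reg posted above: REGEDIT4 on the very first line
    and a leading '-' inside the brackets to delete the whole key."""
    lines = ["REGEDIT4", ""]
    for key in sorted({k for k, _, _ in mount_findings}):
        lines += [f"[-{key}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for reason, line in scan_hjt(SAMPLE_HJT):
        print(f"{reason}: {line}")
    mp = check_mountpoints(SAMPLE_DSS)
    for key, verb, target in mp:
        print(f"autorun verb {verb} -> {target} under {key}")
    print(removal_reg(mp))
```

Against the sample, the script flags the two unnamed BHOs, the three random-named DLLs in the C:\WINDOWS root (one of them twice, because it is also an SSODL entry) and all three autorun verbs of the MountPoints2 key, and leaves ctfmon.exe and the VirusIsolator Run entry alone: the latter was removed above on the helper's knowledge of the product, which no filename rule captures. Treat every finding as a prompt to look at the file, not as a verdict.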

#13 kaitlyn L (Authentic Member, 27 posts)

Posted 05 May 2008 - 06:51 PM

SmitFraudFix v2.319

Scan done at 17:07:46.71, 05/05/2008 Mon
Run from C:\Documents and Settings\gigi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

C:\WINDOWS\gndarmblaor.dll deleted.
C:\WINDOWS\wxdbpfvo.dll deleted.
C:\WINDOWS\qadovnel.dll deleted.
C:\WINDOWS\bdkpfxqw.dll deleted.

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\spwoqbmv.exe Deleted
C:\WINDOWS\xbaqktfv.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

#14 kaitlyn L (Authentic Member, 27 posts)

Posted 05 May 2008 - 06:53 PM

OTMoveIt2 result

File/Folder C:\WINDOWS\xbaqktfv.exe not found.
File/Folder C:\WINDOWS\wxdbpfvo.dll not found.
File/Folder C:\WINDOWS\spwoqbmv.exe not found.
File/Folder C:\WINDOWS\qadovnel.dll not found.
File/Folder C:\WINDOWS\gndarmblaor.dll not found.
File/Folder C:\WINDOWS\bdkpfxqw.dll not found.
C:\WINDOWS\system32\drivers\AdProt.sys moved successfully.
C:\WINDOWS\system32\Scrax.dll unregistered successfully.
C:\WINDOWS\system32\Scrax.dll moved successfully.
File/Folder C:\Program Files\VirusIsolator not found.
C:\WINDOWS\system32\drivers\prfnifp.sys moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05052008_172959

#15 kaitlyn L (Authentic Member, 27 posts)

Posted 05 May 2008 - 07:08 PM

I didn't see any find.bat on my desktop, so I clicked the delete.bat, and here is the log:

 Volume in drive C has no label.
 Volume Serial Number is 945D-AB65

 Directory of C:\WINDOWS\empty

06/28/2008 11:47 AM <DIR> .
06/28/2008 11:47 AM <DIR> ..
 0 File(s) 0 bytes
 2 Dir(s) 78,190,428,160 bytes free
