
[Closed] Need help with tavo.exe popping up at startup


  • This topic is locked
13 replies to this topic

#1 OscarGot

OscarGot

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 07 June 2008 - 10:20 AM

Hello, I know there have been multiple people with posts regarding the same problem. But it seems as if the procedure for removal is different for everyone. But if there is a standard procedure I would greatly appreciate any instruction as this is not the only computer in my possession infected with tavo.exe. Here is my HijackThis log... Unfortunately, when I run Malwarebytes' for the scan, after around 2 minutes and 40 seconds it will display a "Run time Error, Overflow." So for now this is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 12:21:38, on 2008/6/8
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

-- End of file - 8973 bytes



#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 June 2008 - 01:22 PM

Hi! Welcome to the forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
You too could train to help others- Join the Classroom


#3 OscarGot

OscarGot

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 08 June 2008 - 03:52 AM

Adobe Flash Player ActiveX Adobe Reader 7.0 ASUS InstantFun ASUS Live Update Asus MultiFrame ASUS Splendid Video Enhancement Technology Asus_A_Series_ScreenSaver ASUSDVD ATK Media ATK0100 ACPI UTILITY CC_ccProxyExt ccCommon ccPxyCore Google Toolbar for Internet Explorer Google Toolbar for Internet Explorer HijackThis 2.0.2 Intel® PROSet/無線軟體 KB923723:Step by Step Interactive Training 筆記本檢視器安全性更新 LifeFrame2 LiveReg (Symantec Corporation) LiveUpdate 3.0 (Symantec Corporation) Malwarebytes' Anti-Malware mCore mDriver mDrWiFi mEoU mHelp mIWA mLogView mMHouse Motorola SM56 Data Fax Modem mPfMgr mPfWiz mProSafe MSRedist MSXML 4.0 SP2 (KB936181) mWlsSafe mXML mZConfig Nero OEM Net4Switch Norton AntiSpam Norton AntiSpam Norton AntiVirus 2005 Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security 2005 (Symantec Corporation) Norton WMI Update Norton WMI Update NVIDIA Drivers Power4 Gear REALTEK PCIE NIC Driver Skype™ 3.8 SlingPlayer SMSC IrCC V5.1.3600.9 SoundMAX SPBBC Symantec Script Blocking Installer SymNet Synaptics Pointing Device Driver Windows Installer 3.1 (KB893803) Windows Media Player 6.4 安全性更新 (KB925398) Windows Media Player 9 安全性更新 (KB936782) Windows Media Player 安全性更新 (KB911564) Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885855 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB886677 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB892627 Windows XP Hotfix - KB893056 Windows XP Hotfix (KB896256) Windows XP Hotfix (KB918005) Windows XP 安全性更新 (KB890046) Windows XP 安全性更新 (KB893756) Windows XP 安全性更新 (KB896358) Windows XP 安全性更新 (KB896423) Windows XP 安全性更新 (KB896428) Windows XP 安全性更新 (KB899587) Windows XP 安全性更新 (KB899591) 
Windows XP 安全性更新 (KB900725) Windows XP 安全性更新 (KB901017) Windows XP 安全性更新 (KB901190) Windows XP 安全性更新 (KB901214) Windows XP 安全性更新 (KB902400) Windows XP 安全性更新 (KB905414) Windows XP 安全性更新 (KB905749) Windows XP 安全性更新 (KB908519) Windows XP 安全性更新 (KB911562) Windows XP 安全性更新 (KB911927) Windows XP 安全性更新 (KB913580) Windows XP 安全性更新 (KB914388) Windows XP 安全性更新 (KB914389) Windows XP 安全性更新 (KB918118) Windows XP 安全性更新 (KB918439) Windows XP 安全性更新 (KB919007) Windows XP 安全性更新 (KB920213) Windows XP 安全性更新 (KB920670) Windows XP 安全性更新 (KB920683) Windows XP 安全性更新 (KB920685) Windows XP 安全性更新 (KB922819) Windows XP 安全性更新 (KB923191) Windows XP 安全性更新 (KB923414) Windows XP 安全性更新 (KB923980) Windows XP 安全性更新 (KB924270) Windows XP 安全性更新 (KB924496) Windows XP 安全性更新 (KB924667) Windows XP 安全性更新 (KB925902) Windows XP 安全性更新 (KB926255) Windows XP 安全性更新 (KB926436) Windows XP 安全性更新 (KB927779) Windows XP 安全性更新 (KB927802) Windows XP 安全性更新 (KB928255) Windows XP 安全性更新 (KB928843) Windows XP 安全性更新 (KB929123) Windows XP 安全性更新 (KB930178) Windows XP 安全性更新 (KB931261) Windows XP 安全性更新 (KB931784) Windows XP 安全性更新 (KB932168) Windows XP 安全性更新 (KB933729) Windows XP 安全性更新 (KB935839) Windows XP 安全性更新 (KB935840) Windows XP 安全性更新 (KB936021) Windows XP 安全性更新 (KB938127) Windows XP 安全性更新 (KB941202) Windows XP 安全性更新 (KB941568) Windows XP 安全性更新 (KB941569) Windows XP 安全性更新 (KB941644) Windows XP 安全性更新 (KB941693) Windows XP 安全性更新 (KB943055) Windows XP 安全性更新 (KB943460) Windows XP 安全性更新 (KB943485) Windows XP 安全性更新 (KB944338) Windows XP 安全性更新 (KB944653) Windows XP 安全性更新 (KB945553) Windows XP 安全性更新 (KB946026) Windows XP 安全性更新 (KB947864) Windows XP 安全性更新 (KB948590) Windows XP 安全性更新 (KB948881) Windows XP 安全性更新 (KB950749) Windows XP 更新 (KB894391) Windows XP 更新 (KB898461) Windows XP 更新 (KB900485) Windows XP 更新 (KB908531) Windows XP 更新 (KB910437) Windows XP 更新 (KB911280) Windows XP 更新 (KB916595) Windows XP 更新 (KB920872) Windows XP 更新 (KB922582) Windows XP 更新 (KB927891) Windows XP 更新 (KB930916) Windows XP 更新 (KB936357) Windows XP 更新 
(KB938828) Windows XP 更新 (KB942763) WinFlash Wireless Console 2

#4 OscarGot

OscarGot

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 08 June 2008 - 03:54 AM

Thank you for your reply and I hope the fact that this computer has the Chinese version of Windows does not affect the procedure in any way. (I should have thanked you before posting the list, sorry about that)

#5 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 June 2008 - 05:07 AM

Hi

The Chinese version shouldn't cause any probs.

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet.
  • Click on this LINK to disable Norton
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run


#6 OscarGot

OscarGot

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 08 June 2008 - 08:33 PM

This is my ComboFix log:

ComboFix 08-06-08.5 - Elsa tien 2008-06-09 10:25:25.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.233 [GMT 8:00]
執行位置?: C:\Documents and Settings\Elsa tien\桌面\combofix.exe
Command switches used :: /killall
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((((( 2008-05-09 - 2008-06-09 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-06-08 00:15 . 2008-06-08 00:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 00:15 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-08 00:15 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Malwarebytes
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 00:05 . 2008-06-08 00:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-07 23:57 . 2008-06-07 23:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 23:45 . 2008-06-07 23:45 0 --a------ C:\WINDOWS\system32\drivers\1043_ASUSTeK_A8J.alu
2008-06-07 23:27 . 2008-06-08 17:48 123,072 -r-hs---- C:\f.bat
2008-06-01 10:14 . 2008-06-01 10:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-01 09:52 . 2007-07-09 21:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-01 09:47 . 2007-06-26 14:08 1,104,896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-06-01 09:34 . 2008-06-01 09:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-31 21:31 . 2006-10-20 09:38 704,512 --------- C:\WINDOWS\system32\dllcache\sxs.dll
2008-05-31 21:29 . 2008-06-02 15:54 121,670 -r-hs---- C:\hovrflst.bat
2008-05-31 21:20 . 2008-06-08 23:15 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-31 15:45 . 2008-05-31 15:45 <DIR> d---s---- C:\Documents and Settings\Elsa tien\UserData
2008-05-31 15:35 . 2008-05-29 21:25 122,087 -r-hs---- C:\cubp.bat
2008-05-31 15:34 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\Program Files\Sling Media
2008-05-31 14:35 . 2008-05-31 14:35 <DIR> d-------- C:\Program Files\PhotoCap4
2008-05-29 23:44 . 2008-05-29 23:44 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\skypePM
2008-05-29 23:44 . 2008-05-29 23:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 23:42 . 2008-05-29 23:42 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Google
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-29 23:28 . 2008-05-29 23:28 <DIR> d-------- C:\Program Files\SymNetDrv
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> d-------- C:\Documents and Settings\Elsa tien\桌面
2008-05-29 23:15 . 2006-09-20 05:57 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Symantec
2008-05-29 23:15 . 2006-09-20 06:09 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Intel
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> dr------- C:\Documents and Settings\Elsa tien\「開始」功能表
2008-05-29 23:15 . 2008-05-29 23:15 <DIR> d-------- C:\Documents and Settings\Elsa tien
2008-05-29 23:15 . 2008-05-29 23:15 546 --a------ C:\WINDOWS\system32\ABA8J.DAT
2008-05-29 23:11 . 2001-08-31 17:24 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-29 23:11 . 2008-05-29 23:11 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-29 23:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:49 158,496 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:03 1,844,864 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-29 23:42 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-04-17 05:24 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-17 00:16 7561216]
"nwiz"="nwiz.exe" [2006-03-17 00:16 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-17 00:16 86016]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-05-24 11:58 58992]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 02:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 16:29 53248]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-02-21 19:36 17920]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 21:14 61440]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 23:34 544768 C:\WINDOWS\sm56hlpr.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-05-29 23:28 100056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2006-09-20 06:12:32 491520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-20 18:44]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2006-01-24 10:45]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-05 16:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f49ab8-2ee4-11dd-a559-0018f33403b3}]
\Shell\AutoRun\command - F:\f.bat
\Shell\explore\Command - F:\f.bat
\Shell\open\Command - F:\f.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888e-2f18-11dd-a55a-0018f33403b3}]
\Shell\AutoRun\command - G:\hovrflst.bat
\Shell\explore\Command - G:\hovrflst.bat
\Shell\open\Command - G:\hovrflst.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888f-2f18-11dd-a55a-0018f33403b3}]
\Shell\AutoRun\command - G:\hovrflst.bat
\Shell\explore\Command - G:\hovrflst.bat
\Shell\open\Command - G:\hovrflst.bat

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 10:28:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ASUS\Asus MultiFrame\HookTitle.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
完成時間?: 2008-06-09 10:32:01 - machine was rebooted [Elsa tien]
ComboFix-quarantined-files.txt 2008-06-09 02:31:18

7 個目錄 23,609,901,056 位元組可用
9 個目錄 23,818,633,216 位元組可用

174 --- E O F --- 2008-06-07 16:35:09







---------------------------

#7 OscarGot

OscarGot

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 08 June 2008 - 08:34 PM

And this is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 10:35:52, on 2008/6/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\conime.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: 
Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- End of file - 8852 bytes

#8 Scotty


Posted 09 June 2008 - 01:39 AM

Hi

Download Flash_Disinfector from here and save it to your desktop.
Double-click on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.


Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. You must also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingc...opic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\f.bat
C:\hovrflst.bat
C:\cubp.bat
F:\f.bat
G:\hovrflst.bat

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f49ab8-2ee4-11dd-a559-0018f33403b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888e-2f18-11dd-a55a-0018f33403b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888f-2f18-11dd-a55a-0018f33403b3}]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


Please do an online scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended (if available, otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
Instructions on disabling a variety of security programs can be found at the link below.

http://www.bleepingc...opic114351.html

In your next reply post:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom
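
A defender-side check related to the File:: and Registry:: sections of the script in the post above, added here as an example that is not part of the original post and is not ComboFix code. Explorer caches per-volume AutoPlay handlers under MountPoints2, and this Python example lists the handlers found in a .reg export and marks those that launch a file from the root of a drive, the pattern of the `C:\f.bat` and `F:\f.bat` entries. The sample export, its GUIDs and all function names are constructed for illustration.

```python
import re

# File types that a cached AutoPlay handler could launch directly.
LAUNCHABLE = (".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs")

# Matches ...\MountPoints2\<volume>\Shell\<verb>\command (case-insensitive).
HANDLER = re.compile(
    re.escape(r"software\microsoft\windows\currentversion\explorer\mountpoints2")
    + r"\\(?P<volume>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$",
    re.IGNORECASE,
)
# A file that sits directly in the root of a drive, e.g. F:\f.bat
ROOT_FILE = re.compile(r"^[a-z]:\\[^\\]+$")

# Constructed .reg export (not taken from the thread); GUIDs and the
# vendor path are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-0000000000a1}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-0000000000a1}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-0000000000a1}\Shell\open\command]
@="F:\\f.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-0000000000b2}\Shell\AutoRun\command]
@="C:\\Program Files\\Vendor\\player.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"
'''


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is named ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg string values escape backslashes and quotes.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[name] = data
    return keys


def launches_root_file(command):
    """True if any token names a launchable file with no directory part
    (relative to the volume) or directly in a drive root."""
    for token in command.split():
        t = token.strip('"').lower()
        if t.endswith(LAUNCHABLE) and ("\\" not in t or ROOT_FILE.match(t)):
            return True
    return False


def find_autorun_handlers(reg_text):
    """List every cached shell handler under MountPoints2 in file order."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        m = HANDLER.search(key)
        if not m or "" not in values:
            continue
        findings.append({
            "volume": m.group("volume"),
            "verb": m.group("verb"),
            "command": values[""],
            "launches_root_file": launches_root_file(values[""]),
        })
    return findings


def volumes_to_review(findings):
    """Volumes with at least one handler that launches a root-level file.
    Installer media can match too, so this is a review list, not a verdict."""
    return sorted({f["volume"] for f in findings if f["launches_root_file"]})


if __name__ == "__main__":
    for f in find_autorun_handlers(SAMPLE_REG):
        mark = "REVIEW" if f["launches_root_file"] else "ok"
        print(f"{mark:6} {f['volume']} [{f['verb']}] {f['command']}")
```

Commands whose paths contain spaces are split into several tokens, which is why the check looks at each token rather than at the command as a whole.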


#9 OscarGot


Posted 09 June 2008 - 08:19 AM

Just a quick question, it seems like the error for Tavo.exe has already disappeared from startup. Are these procedures for cleaning up the rest of the computer in general? Which was the step that actually removed the tavo.exe problem?

#10 OscarGot


Posted 09 June 2008 - 09:34 AM

KASPERSKY ONLINE SCANNER 7 REPORT Monday, June 9, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Monday, June 09, 2008 13:56:18 Records in database: 842481 Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes Scan area My Computer C:\ D:\ E:\ Scan statistics Files scanned 29876 Threat name 26 Infected objects 102 Suspicious objects 0 Duration of the scan 00:36:19 File name Threat name Threats count C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aobf 1 C:\QooBox\Quarantine\C\WINDOWS\system32\kavo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aobf 1 C:\QooBox\Quarantine\C\WINDOWS\system32\tavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aoap 1 C:\QooBox\Quarantine\C\cubp.bat.vir Infected: Trojan.Win32.Vaklik.ano 1 C:\QooBox\Quarantine\C\f.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 C:\QooBox\Quarantine\C\hovrflst.bat.vir Infected: Trojan.Win32.Vaklik.apk 1 C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F22538A.com Infected: Trojan-PSW.Win32.OnLineGames.dkl 1 C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F257D87.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw 1 C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4F257D87.bat Infected: Worm.Win32.AutoRun.cyp 1 C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B031BEB.bat Infected: Worm.Win32.AutoRun.cyp 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP2\A0000322.sys Infected: Trojan-PSW.Win32.OnLineGames.amky 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000339.bat Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 C:\System Volume 
Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000366.bat Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000371.exe Infected: Trojan.Win32.Vaklik.aos 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000372.exe Infected: Trojan-PSW.Win32.OnLineGames.aljz 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000373.exe Infected: Trojan.Win32.Vaklik.aov 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000838.bat Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000843.exe Infected: Trojan.Win32.Vaklik.aoz 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000844.exe Infected: Trojan.Win32.Vaklik.aoz 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000845.exe Infected: Trojan.Win32.Vaklik.apb 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000846.exe Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000847.exe Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000848.exe Infected: Trojan-PSW.Win32.OnLineGames.alky 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP5\A0000884.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP5\A0000903.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP5\A0000919.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP6\A0000925.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume 
Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP6\A0000942.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP6\A0000976.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP7\A0000980.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP7\A0000996.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0001019.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0001033.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0001037.exe Infected: Trojan-PSW.Win32.OnLineGames.alra 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0001038.exe Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002032.bat Infected: Trojan.Win32.Vaklik.arw 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002036.exe Infected: Trojan-PSW.Win32.OnLineGames.amxh 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002047.bat Infected: Trojan.Win32.Vaklik.arw 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002051.exe Infected: Trojan.Win32.Vaklik.arw 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002052.exe Infected: Trojan-PSW.Win32.OnLineGames.amxh 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002064.bat Infected: Trojan-PSW.Win32.OnLineGames.ango 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002068.exe Infected: Trojan-PSW.Win32.OnLineGames.anee 1 C:\System Volume 
Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002070.exe Infected: Trojan-PSW.Win32.OnLineGames.ango 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002071.DLL Infected: Trojan-PSW.Win32.OnLineGames.adrn 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002109.DLL Infected: Trojan-PSW.Win32.OnLineGames.adrn 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002111.bat Infected: Trojan.Win32.Vaklik.asw 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002116.exe Infected: Trojan-PSW.Win32.OnLineGames.anki 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002120.bat Infected: Trojan.Win32.Vaklik.asw 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002122.exe Infected: Trojan-PSW.Win32.OnLineGames.antr 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002138.bat Infected: Worm.Win32.AutoRun.cyp 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002164.exe Infected: Trojan.Win32.Vaklik.asw 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002184.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002388.bat Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002417.exe Infected: Trojan-PSW.Win32.OnLineGames.alra 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002418.exe Infected: Trojan.Win32.Vaklik.apk 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002450.bat Infected: Trojan-PSW.Win32.OnLineGames.anrc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002454.exe Infected: Trojan-PSW.Win32.OnLineGames.anrc 1 
C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002486.bat Infected: Trojan-PSW.Win32.OnLineGames.anrc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002490.exe Infected: Trojan-PSW.Win32.OnLineGames.antr 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002491.exe Infected: Trojan-PSW.Win32.OnLineGames.anrc 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002525.bat Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002529.exe Infected: Trojan-PSW.Win32.OnLineGames.aoap 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP11\A0002563.bat Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP11\A0002568.exe Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP11\A0002569.dll Infected: Trojan-PSW.Win32.OnLineGames.aobf 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP11\A0002570.DLL Infected: Trojan-PSW.Win32.OnLineGames.aobf 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP11\A0002571.exe Infected: Trojan-PSW.Win32.OnLineGames.aoap 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP12\A0002657.bat Infected: Trojan.Win32.Vaklik.ano 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP12\A0002658.bat Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 C:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP12\A0002659.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\cubp.bat Infected: Trojan.Win32.Vaklik.ano 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP1\A0000269.com Infected: Trojan-PSW.Win32.OnLineGames.dkl 1 D:\System 
Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP1\A0000270.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP1\A0000271.bat Infected: Worm.Win32.AutoRun.cyp 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP2\A0000311.bat Infected: Trojan.Win32.Vaklik.ano 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000341.bat Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP3\A0000368.bat Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP4\A0000840.bat Infected: Trojan-PSW.Win32.OnLineGames.aljc 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP5\A0000886.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP5\A0000905.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP5\A0000921.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP6\A0000927.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP6\A0000944.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP6\A0000978.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP7\A0000982.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP7\A0000998.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0001021.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume 
Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0001035.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002034.bat Infected: Trojan.Win32.Vaklik.arw 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002049.bat Infected: Trojan.Win32.Vaklik.arw 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002066.bat Infected: Trojan-PSW.Win32.OnLineGames.ango 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP8\A0002113.bat Infected: Trojan.Win32.Vaklik.asw 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002276.bat Infected: Trojan.Win32.Vaklik.asw 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002277.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP9\A0002390.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002452.bat Infected: Trojan-PSW.Win32.OnLineGames.anrc 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002488.bat Infected: Trojan-PSW.Win32.OnLineGames.anrc 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP10\A0002527.bat Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 D:\System Volume Information\_restore{DE896947-5556-4572-A748-D50B71BCDFEC}\RP11\A0002565.bat Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 D:\hovrflst.bat Infected: Trojan.Win32.Vaklik.apk 1 D:\f.bat Infected: Trojan-PSW.Win32.OnLineGames.aoan 1 The selected area was scanned.

#11 OscarGot


Posted 09 June 2008 - 09:35 AM

Combo Fix~

ComboFix 08-06-08.5 - Elsa tien 2008-06-09 21:49:25.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.220 [GMT 8:00]
執行位置?: C:\Documents and Settings\Elsa tien\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\Elsa tien\桌面\CFScript.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\cubp.bat
C:\f.bat
C:\hovrflst.bat
F:\f.bat
G:\hovrflst.bat
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\cubp.bat
C:\f.bat
C:\hovrflst.bat

.
(((((((((((((((((((((((((((( 2008-05-09 - 2008-06-09 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-06-09 12:38 . 2008-06-09 12:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-08 00:15 . 2008-06-08 00:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 00:15 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-08 00:15 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Malwarebytes
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 00:05 . 2008-06-08 00:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-07 23:57 . 2008-06-07 23:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 23:45 . 2008-06-07 23:45 0 --a------ C:\WINDOWS\system32\drivers\1043_ASUSTeK_A8J.alu
2008-06-01 10:14 . 2008-06-01 10:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-01 09:52 . 2007-07-09 21:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-01 09:47 . 2007-06-26 14:08 1,104,896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-06-01 09:34 . 2008-06-01 09:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-31 21:31 . 2006-10-20 09:38 704,512 --------- C:\WINDOWS\system32\dllcache\sxs.dll
2008-05-31 21:20 . 2008-06-09 13:27 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-31 15:45 . 2008-05-31 15:45 <DIR> d---s---- C:\Documents and Settings\Elsa tien\UserData
2008-05-31 15:34 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\Program Files\Sling Media
2008-05-31 14:35 . 2008-05-31 14:35 <DIR> d-------- C:\Program Files\PhotoCap4
2008-05-29 23:44 . 2008-05-29 23:44 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\skypePM
2008-05-29 23:44 . 2008-05-29 23:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 23:42 . 2008-05-29 23:42 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Google
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-29 23:28 . 2008-05-29 23:28 <DIR> d-------- C:\Program Files\SymNetDrv
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> d-------- C:\Documents and Settings\Elsa tien\桌面
2008-05-29 23:15 . 2006-09-20 05:57 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Symantec
2008-05-29 23:15 . 2006-09-20 06:09 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Intel
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> dr------- C:\Documents and Settings\Elsa tien\「開始」功能表
2008-05-29 23:15 . 2008-05-29 23:15 <DIR> d-------- C:\Documents and Settings\Elsa tien
2008-05-29 23:15 . 2008-05-29 23:15 546 --a------ C:\WINDOWS\system32\ABA8J.DAT
2008-05-29 23:11 . 2001-08-31 17:24 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-29 23:11 . 2008-05-29 23:11 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-29 23:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:49 158,496 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:03 1,844,864 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_10.30.11.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 02:27:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 13:51:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-29 23:42 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-04-17 05:24 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-17 00:16 7561216]
"nwiz"="nwiz.exe" [2006-03-17 00:16 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-17 00:16 86016]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-05-24 11:58 58992]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 02:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 16:29 53248]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-02-21 19:36 17920]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 21:14 61440]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 23:34 544768 C:\WINDOWS\sm56hlpr.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-05-29 23:28 100056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2006-09-20 06:12:32 491520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-20 18:44]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2006-01-24 10:45]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-05 16:04]

.
排程工作資料夾的內容
"2008-06-09 13:35:56 C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - Elsa tien.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 21:51:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ASUS\Asus MultiFrame\HookTitle.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
完成時間?: 2008-06-09 21:53:50 - machine was rebooted [Elsa tien]
ComboFix-quarantined-files.txt 2008-06-09 13:53:46
ComboFix2.txt 2008-06-09 02:32:04

7 個目錄 23,944,232,960 位元組可用
10 個目錄 23,933,353,984 位元組可用

174 --- E O F --- 2008-06-07 16:35:09

#12 OscarGot

Posted 09 June 2008 - 09:36 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 11:37:55, on 2008/6/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\conime.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 9099 bytes

#13 Scotty

Posted 09 June 2008 - 10:05 AM

Hi

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked, exit HijackThis and reboot.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
If the above link doesn't work, use this alternative: ATF (Atribune Temp File) Cleaner© by Atribune
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

*Note* If you do not have Firefox or Opera, those options will be greyed out.



Please do an online scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      + Extended (if available, otherwise Standard)
    • Scan Options:
      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post, with a new HijackThis log, please.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
Instructions on disabling a variety of security programs can be found at the link below.

http://www.bleepingc...opic114351.html
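The two entries selected for fixing in post #13 are the O2 (BHO) and O3 (toolbar) lines whose file field reads (no file). The Python below is an added example, not part of the thread and not HijackThis code: it splits a log that the forum has run together onto long lines back into entries and lists those O2/O3 lines. The function names `split_entries` and `orphaned_ie_entries` are hypothetical, and the sample is five entries copied from the log in post #12.

```python
import re

# Constructed sample: five entries copied from the HijackThis log in post #12,
# joined with single spaces the way the forum flattened the log.
SAMPLE_LOG = " ".join([
    r"O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}"
    r" - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
    r"O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r"O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe",
    r"O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07}"
    r" - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll",
])

# An entry begins with a section code (a letter R, F, N or O plus a number)
# followed by " - ", at the start of the text or after whitespace.
ENTRY_START = re.compile(r"(?:^|\s)(?=[RFNO]\d{1,2} - )")
ENTRY_CODE = re.compile(r"[RFNO]\d{1,2} - ")

# O2/O3 layout: code - kind: display name - {CLSID} - file path or "(no file)".
IE_ENTRY = re.compile(
    r"^(?P<code>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)


def split_entries(log_text):
    """Return the section entries of a HijackThis log, flattened or not."""
    body = log_text.split("-- End of file")[0]      # drop the trailer
    parts = (p.strip() for p in ENTRY_START.split(body))
    # The header and process list form a chunk with no section code; skip it.
    return [p for p in parts if ENTRY_CODE.match(p)]


def orphaned_ie_entries(log_text):
    """List O2/O3 entries whose file field is '(no file)'."""
    found = []
    for entry in split_entries(log_text):
        m = IE_ENTRY.match(entry)
        if m and m.group("target").strip() == "(no file)":
            found.append(m.groupdict())
    return found


if __name__ == "__main__":
    for e in orphaned_ie_entries(SAMPLE_LOG):
        print(e["code"], e["kind"], e["clsid"])
```
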

#14 Scotty

Posted 16 June 2008 - 01:33 AM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
