[Closed] Need help with tavo.exe popping up at startup
#1
Posted 07 June 2008 - 10:20 AM
#2
Posted 07 June 2008 - 01:22 PM
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.
Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
#3
Posted 08 June 2008 - 03:52 AM
#4
Posted 08 June 2008 - 03:54 AM
#5
Posted 08 June 2008 - 05:07 AM
The Chinese version shouldn't cause any probs.
If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix
Please download Combofix from Bleeping Computer.
If you can't download it from there, please try these 2 alternative sites:
Forospyware
Geeks to Go
- Save it to your Desktop.
- Disconnect from the Internet.
- Click on this LINK to disable Norton
- Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
- When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
#6
Posted 08 June 2008 - 08:33 PM
ComboFix 08-06-08.5 - Elsa tien 2008-06-09 10:25:25.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.233 [GMT 8:00]
Running from: C:\Documents and Settings\Elsa tien\桌面\combofix.exe
Command switches used :: /killall
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
D:\Autorun.inf
.
(((((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))))
.
2008-06-08 00:15 . 2008-06-08 00:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 00:15 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-08 00:15 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Malwarebytes
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 00:05 . 2008-06-08 00:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-07 23:57 . 2008-06-07 23:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 23:45 . 2008-06-07 23:45 0 --a------ C:\WINDOWS\system32\drivers\1043_ASUSTeK_A8J.alu
2008-06-07 23:27 . 2008-06-08 17:48 123,072 -r-hs---- C:\f.bat
2008-06-01 10:14 . 2008-06-01 10:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-01 09:52 . 2007-07-09 21:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-01 09:47 . 2007-06-26 14:08 1,104,896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-06-01 09:34 . 2008-06-01 09:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-31 21:31 . 2006-10-20 09:38 704,512 --------- C:\WINDOWS\system32\dllcache\sxs.dll
2008-05-31 21:29 . 2008-06-02 15:54 121,670 -r-hs---- C:\hovrflst.bat
2008-05-31 21:20 . 2008-06-08 23:15 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-31 15:45 . 2008-05-31 15:45 <DIR> d---s---- C:\Documents and Settings\Elsa tien\UserData
2008-05-31 15:35 . 2008-05-29 21:25 122,087 -r-hs---- C:\cubp.bat
2008-05-31 15:34 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\Program Files\Sling Media
2008-05-31 14:35 . 2008-05-31 14:35 <DIR> d-------- C:\Program Files\PhotoCap4
2008-05-29 23:44 . 2008-05-29 23:44 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\skypePM
2008-05-29 23:44 . 2008-05-29 23:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 23:42 . 2008-05-29 23:42 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Google
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-29 23:28 . 2008-05-29 23:28 <DIR> d-------- C:\Program Files\SymNetDrv
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> d-------- C:\Documents and Settings\Elsa tien\桌面
2008-05-29 23:15 . 2006-09-20 05:57 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Symantec
2008-05-29 23:15 . 2006-09-20 06:09 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Intel
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> dr------- C:\Documents and Settings\Elsa tien\「開始」功能表
2008-05-29 23:15 . 2008-05-29 23:15 <DIR> d-------- C:\Documents and Settings\Elsa tien
2008-05-29 23:15 . 2008-05-29 23:15 546 --a------ C:\WINDOWS\system32\ABA8J.DAT
2008-05-29 23:11 . 2001-08-31 17:24 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-29 23:11 . 2008-05-29 23:11 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-29 23:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
.
(((((((((((((((((((((((((((((((((((( Files Modified Within the Last 3 Months )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:49 158,496 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:03 1,844,864 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-29 23:42 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-04-17 05:24 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-17 00:16 7561216]
"nwiz"="nwiz.exe" [2006-03-17 00:16 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-17 00:16 86016]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-05-24 11:58 58992]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 02:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 16:29 53248]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-02-21 19:36 17920]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 21:14 61440]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 23:34 544768 C:\WINDOWS\sm56hlpr.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-05-29 23:28 100056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]
C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2006-09-20 06:12:32 491520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-20 18:44]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2006-01-24 10:45]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-05 16:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f49ab8-2ee4-11dd-a559-0018f33403b3}]
\Shell\AutoRun\command - F:\f.bat
\Shell\explore\Command - F:\f.bat
\Shell\open\Command - F:\f.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888e-2f18-11dd-a55a-0018f33403b3}]
\Shell\AutoRun\command - G:\hovrflst.bat
\Shell\explore\Command - G:\hovrflst.bat
\Shell\open\Command - G:\hovrflst.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888f-2f18-11dd-a55a-0018f33403b3}]
\Shell\AutoRun\command - G:\hovrflst.bat
\Shell\explore\Command - G:\hovrflst.bat
\Shell\open\Command - G:\hovrflst.bat
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 10:28:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ASUS\Asus MultiFrame\HookTitle.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-09 10:32:01 - machine was rebooted [Elsa tien]
ComboFix-quarantined-files.txt 2008-06-09 02:31:18
7 Dir(s) 23,609,901,056 bytes free
9 Dir(s) 23,818,633,216 bytes free
174 --- E O F --- 2008-06-07 16:35:09
---------------------------
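The log above shows the classic USB autorun-worm footprint: hidden+system batch files at the root of every drive (C:\f.bat, C:\hovrflst.bat, C:\cubp.bat), and MountPoints2 keys under HKCU whose AutoRun, open and explore verbs all run the copy on the removable drive (F:\f.bat, G:\hovrflst.bat), so the worm re-launches each time the stick is opened in Explorer even after autorun.inf is deleted. The script below is an added example, written for this page and not part of the thread or of ComboFix; it pulls exactly those two indicators out of a ComboFix-style log and turns them into the File:: / Registry:: sections of a CFScript, which is what the helper does by hand later in the thread. Assumptions: the log line layouts (created . modified size attrs path, and [key] followed by \Shell\verb\command - target) are treated as plain text in the shape seen on this page, the regular expressions are mine, and SAMPLE_LOG is a hand-built excerpt modelled on the posted log, not a verbatim copy.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above: the
# hidden/system attribute flags (-r-hs----) and the MountPoints2 entries
# are the ones that log shows, with unrelated lines dropped.
SAMPLE_LOG = r"""
2008-06-07 23:27 . 2008-06-08 17:48 123,072 -r-hs---- C:\f.bat
2008-05-31 21:29 . 2008-06-02 15:54 121,670 -r-hs---- C:\hovrflst.bat
2008-05-31 21:20 . 2008-06-08 23:15 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-31 15:35 . 2008-05-29 21:25 122,087 -r-hs---- C:\cubp.bat
2008-05-29 23:15 . 2008-05-29 23:15 546 --a------ C:\WINDOWS\system32\ABA8J.DAT
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f49ab8-2ee4-11dd-a559-0018f33403b3}]
\Shell\AutoRun\command - F:\f.bat
\Shell\explore\Command - F:\f.bat
\Shell\open\Command - F:\f.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888e-2f18-11dd-a55a-0018f33403b3}]
\Shell\AutoRun\command - G:\hovrflst.bat
\Shell\explore\Command - G:\hovrflst.bat
\Shell\open\Command - G:\hovrflst.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888f-2f18-11dd-a55a-0018f33403b3}]
\Shell\AutoRun\command - G:\hovrflst.bat
\Shell\explore\Command - G:\hovrflst.bat
\Shell\open\Command - G:\hovrflst.bat
"""

# Regexes are an assumption about the log layout seen on this page.
MOUNTPOINT_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.IGNORECASE)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
# "Files Created" line: created . modified size attrs path
FILE_LINE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ [\d,]+ ([-a-z]{9}) ([A-Z]:\\.+)$")
# A script/executable sitting directly in a drive root, e.g. F:\f.bat
ROOT_SCRIPT_RE = re.compile(r"^[A-Z]:\\[^\\]+\.(bat|cmd|exe|com|vbs|scr|pif)$",
                            re.IGNORECASE)


def parse_log(text):
    """Return (root_hidden_files, mountpoints).

    root_hidden_files: drive-root scripts carrying the hidden (h) and
    system (s) attributes, in log order.
    mountpoints: {registry key: {verb: target}} for every MountPoints2
    key that carries Shell\\<verb>\\command entries.
    """
    root_hidden = []
    mountpoints = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = FILE_LINE_RE.match(line)
        if m:
            attrs, path = m.groups()
            if "h" in attrs and "s" in attrs and ROOT_SCRIPT_RE.match(path):
                root_hidden.append(path)
            current = None
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            current = m.group(1)
            mountpoints.setdefault(current, {})
            continue
        m = SHELL_CMD_RE.match(line)
        if m and current:
            verb, target = m.groups()
            mountpoints[current][verb.lower()] = target
            continue
        current = None  # any other line ends the current key block
    return root_hidden, mountpoints


def hijacked_mountpoints(mountpoints):
    """Keys whose autorun/open/explore verbs launch a drive-root script.
    Returns {key: sorted list of such targets}; clean keys are left out."""
    flagged = {}
    for key, verbs in mountpoints.items():
        targets = {t for v, t in verbs.items() if v in ("autorun", "open", "explore")}
        bad = sorted(t for t in targets if ROOT_SCRIPT_RE.match(t))
        if bad:
            flagged[key] = bad
    return flagged


def build_cfscript(root_files, flagged):
    """Emit CFScript text: File:: lists every dropper copy (local roots plus
    the removable-drive targets), Registry:: deletes each hijacked key."""
    files = sorted(set(root_files) | {t for ts in flagged.values() for t in ts})
    lines = ["KillAll::", "", "File::", *files, "", "Registry::"]
    lines += [f"[-{key}]" for key in sorted(flagged)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    roots, mps = parse_log(SAMPLE_LOG)
    print(build_cfscript(roots, hijacked_mountpoints(mps)))
```

Two points worth noting when adapting this to a real log: ComboFix only lists MountPoints2 keys that carry Shell command entries (its note says empty and default entries are not shown), so any key that appears here is already worth a look; and the check deliberately keys on the hidden+system attribute pair plus the drive-root location rather than on the file name, because the names (f.bat, hovrflst.bat, cubp.bat) are randomised per drive.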
#7
Posted 08 June 2008 - 08:34 PM
#8
Posted 09 June 2008 - 01:39 AM
Download Flash_Disinfector from here and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. You must also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.
http://www.bleepingc...opic114351.html
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
KillAll::

File::
C:\f.bat
C:\hovrflst.bat
C:\cubp.bat
F:\f.bat
G:\hovrflst.bat

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07f49ab8-2ee4-11dd-a559-0018f33403b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888e-2f18-11dd-a55a-0018f33403b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4131888f-2f18-11dd-a55a-0018f33403b3}]
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
Referring to the picture above, drag CFScript into ComboFix.exe
Please do an online scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  + Extended (if available, otherwise Standard)
- Scan Options:
  + Scan Archives
  + Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
Instructions on disabling a variety of security programs can be found at the link below.
http://www.bleepingc...opic114351.html
In your next reply post:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run
#9
Posted 09 June 2008 - 08:19 AM
#10
Posted 09 June 2008 - 09:34 AM
#11
Posted 09 June 2008 - 09:35 AM
ComboFix 08-06-08.5 - Elsa tien 2008-06-09 21:49:25.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.220 [GMT 8:00]
Running from: C:\Documents and Settings\Elsa tien\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\Elsa tien\桌面\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\cubp.bat
C:\f.bat
C:\hovrflst.bat
F:\f.bat
G:\hovrflst.bat
.
(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\cubp.bat
C:\f.bat
C:\hovrflst.bat
.
(((((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))))
.
2008-06-09 12:38 . 2008-06-09 12:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-08 00:15 . 2008-06-08 00:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 00:15 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-08 00:15 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Malwarebytes
2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 00:05 . 2008-06-08 00:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-07 23:57 . 2008-06-07 23:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 23:45 . 2008-06-07 23:45 0 --a------ C:\WINDOWS\system32\drivers\1043_ASUSTeK_A8J.alu
2008-06-01 10:14 . 2008-06-01 10:14 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-01 09:52 . 2007-07-09 21:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-01 09:47 . 2007-06-26 14:08 1,104,896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-06-01 09:34 . 2008-06-01 09:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-31 21:31 . 2006-10-20 09:38 704,512 --------- C:\WINDOWS\system32\dllcache\sxs.dll
2008-05-31 21:20 . 2008-06-09 13:27 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-31 15:45 . 2008-05-31 15:45 <DIR> d---s---- C:\Documents and Settings\Elsa tien\UserData
2008-05-31 15:34 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-31 14:44 . 2008-05-31 14:44 <DIR> d-------- C:\Program Files\Sling Media
2008-05-31 14:35 . 2008-05-31 14:35 <DIR> d-------- C:\Program Files\PhotoCap4
2008-05-29 23:44 . 2008-05-29 23:44 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\skypePM
2008-05-29 23:44 . 2008-05-29 23:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 23:42 . 2008-05-29 23:42 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Google
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-29 23:28 . 2008-05-29 23:28 <DIR> d-------- C:\Program Files\SymNetDrv
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> d-------- C:\Documents and Settings\Elsa tien\桌面
2008-05-29 23:15 . 2006-09-20 05:57 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Symantec
2008-05-29 23:15 . 2006-09-20 06:09 <DIR> d-------- C:\Documents and Settings\Elsa tien\Application Data\Intel
2008-05-29 23:15 . 2006-09-20 05:30 <DIR> dr------- C:\Documents and Settings\Elsa tien\「開始」功能表
2008-05-29 23:15 . 2008-05-29 23:15 <DIR> d-------- C:\Documents and Settings\Elsa tien
2008-05-29 23:15 . 2008-05-29 23:15 546 --a------ C:\WINDOWS\system32\ABA8J.DAT
2008-05-29 23:11 . 2001-08-31 17:24 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-29 23:11 . 2008-05-29 23:11 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-29 23:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
.
(((((((((((((((((((((((((((((((((((( Files Modified Within the Last 3 Months )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:49 158,496 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:03 1,844,864 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-09_10.30.11.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 02:27:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 13:51:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-29 23:42 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-04-17 05:24 110592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-17 00:16 7561216]
"nwiz"="nwiz.exe" [2006-03-17 00:16 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-17 00:16 86016]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-05-24 11:58 58992]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 02:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 16:29 53248]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-02-21 19:36 17920]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 21:14 61440]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 23:34 544768 C:\WINDOWS\sm56hlpr.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-05-29 23:28 100056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]
C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2006-09-20 06:12:32 491520]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-20 18:44]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2006-01-24 10:45]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-05 16:04]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 13:35:56 C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - Elsa tien.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 21:51:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ASUS\Asus MultiFrame\HookTitle.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SPBBC\SPBBCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-09 21:53:50 - machine was rebooted [Elsa tien]
ComboFix-quarantined-files.txt 2008-06-09 13:53:46
ComboFix2.txt 2008-06-09 02:32:04
7 Dir(s) 23,944,232,960 bytes free
10 Dir(s) 23,933,353,984 bytes free
174 --- E O F --- 2008-06-07 16:35:09
#12
Posted 09 June 2008 - 09:36 AM
#13
Posted 09 June 2008 - 10:05 AM
Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked exit HijackThis and reboot.
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
If the above link doesn't work use this alternative ATF (Atribune Temp File) Cleaner© by Atribune
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
*Note* If you do not have Firefox or Opera, those options will be greyed out.
Please do an online scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  + Extended (if available, otherwise Standard)
- Scan Options:
  + Scan Archives
  + Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post, with a new HijackThis log, please.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
Instructions on disabling a variety of security programs can be found at the link below.
http://www.bleepingc...opic114351.html