planoguy

September 11, 2012

You heldped me to identify backdoor trojan about two three weeks ago. And I was advised to re-format the C drive (system drive). My question now is after re-formatting, re-install the windows xp and all the applications. How to make sure that the system is clean without malware and/or virus?

Thank you for your help.

Planoguy

August 25, 2012

Thank you, Maurice. I do have windows xp CD. I will start from there.

Couple of more questions. In addition to the C Drive, I have another internal drive designated as E and F (two logical partitions), and an external drive. All of them are data files. Do I un-plug them before starting re-install XP? How do I make sure they are not infected? Can virus, trojans, etc. be in a data file? If they can, how to remove them?

Planoguy

August 24, 2012

Hi Maurice:

Too bad to learn that my system is hacked by a trojan. (I am using another system to communicate with you right now.)

I think I like to clean the system completely. Can you give me the steps to completely reformat the dard drives and reinstall Windows fresh? What about the external drive? Is that external drive safe to use after reinstall the Windows?

Too bad to have this problem. On the other hand, thank you for finding out the problem for me and hope the damage is minimized as soon as possible.

Planoguy

August 24, 2012

Part 3 (last one)

.

-- 快照技術重新設置 --

.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*注意* 空白與合法缺省登錄將不會被顯示

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2012-02-07 16:41 4253544 ----a-w- c:\program files\MozyHome\mozyshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2012-02-07 16:41 4253544 ----a-w- c:\program files\MozyHome\mozyshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]

"QuiKProtect"="c:\program files\Iomega\QuikProtect\StartQuikProtect.exe" [2010-06-24 58672]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-06-07 296056]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk

backup=c:\windows\pss\MozyHome Status.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^清?紫光全能王手???系?.lnk]

backup=c:\windows\pss\清?紫光全能王手???系?.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Frank Liu^Start Menu^Programs^Startup^startQuikProtect.exe.lnk]

backup=c:\windows\pss\startQuikProtect.exe.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-07-27 20:51 35768 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2010-03-25 01:50 2516296 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]

2010-04-02 15:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cookienator]

2009-10-19 06:29 1333472 -c--a-w- c:\program files\Cookienator\cookienator.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]

2010-06-26 00:15 1311312 -c--a-w- c:\program files\Logitech\SetPointP\SetPoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2012-06-28 03:28 116648 ----atw- c:\documents and settings\Frank Liu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]

2007-07-25 21:02 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2007-07-25 21:06 2027792 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SanDiskSecureAccess_Manager.exe]

2011-11-26 00:11 27306624 ----a-w- c:\documents and settings\Frank Liu\Application Data\SanDisk\SanDiskSecureAccess_Manager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-06-09 18:06 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2012-06-07 03:57 296056 ----a-w- c:\program files\real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NitroReaderDriverReadSpool"=2 (0x2)

"avg9wd"=2 (0x2)

"PCToolsSSDMonitorSvc"=2 (0x2)

"ioloSystemService"=2 (0x2)

"ioloFileInfoList"=2 (0x2)

"MsMpSvc"=2 (0x2)

"YahooAUService"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"QSCopyEngine"=2 (0x2)

"PLFlash DeviceIoControl Service"=2 (0x2)

"ose"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Nero BackItUp Scheduler 4.0"=2 (0x2)

"McciCMService"=2 (0x2)

"LBTServ"=3 (0x3)

"IHA_MessageCenter"=2 (0x2)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=3 (0x3)

"Brother XP spl Service"=2 (0x2)

"brmfrmps"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Iomega\\QuikProtect\\QuikProtect.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\WINPENJR\\win32\\PPupdwz.exe"=

"c:\\Program Files\\BETV\\BETV.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"50000:UDP"= 50000:UDP:IHA_MessageCenter

.

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010/8/19 2:27 PM 10448]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010/3/16 5:07 PM 655944]

R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010/6/24 5:04 PM 247088]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010/3/16 5:07 PM 22344]

R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2009/11/26 8:38 AM 47360]

R3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [2009/11/21 5:04 PM 19384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011/3/26 10:22 AM 136176]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012/7/13 1:28 PM 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012/4/3 11:10 AM 250568]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\magix\Common\Database\bin\fbserver.exe [2011/7/23 10:31 PM 1527900]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011/3/26 10:22 AM 136176]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012/4/27 2:13 PM 113120]

S3 QianCaiHid;QianCai Handwriter Device;c:\windows\system32\drivers\HidKeyboard.sys [2010/12/14 3:28 PM 6400]

S4 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2010/10/13 6:06 PM 98304]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

‘計劃任務’ 文件夾裡的內容

.

2012-08-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 02:30]

.

2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd54de10e0c010.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-26 02:12]

.

2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-917075022-3912106595-2679439203-1006Core.job

- c:\documents and settings\Frank Liu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-23 03:28]

.

2012-08-24 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]

.

2012-08-24 c:\windows\Tasks\MpIdleTask.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]

.

2012-08-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-917075022-3912106595-2679439203-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]

.

2012-08-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-917075022-3912106595-2679439203-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]

.

2012-08-24 c:\windows\Tasks\User_Feed_Synchronization-{12E6D780-BBA6-4A53-9EDB-E778FFB2ECF0}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

------- Extra Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: citi.com\creditcards

Trusted Zone: itcu.org\www

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: yahoo.com\my

TCP: DhcpNameServer = 192.168.1.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Frank Liu\Application Data\Mozilla\Firefox\Profiles\bqdxhci7.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

MSConfigStartUp-PPHIDPAD - c:\winpenjr\Win32\pphidpad.exe

MSConfigStartUp-USBToolTip - c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-24 09:46

Windows 5.1.2600 Service Pack 3 NTFS

.

掃描被隱藏的進程 ...

.

掃描被隱藏的啟動組 ...

.

掃描被隱藏的文件 ...

.

掃描完成

被隱藏的檔案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-917075022-3912106595-2679439203-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- 運行進程下的動態鏈接庫 ---------------------

.

- - - - - - - > 'winlogon.exe'(724)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

Time Completed: 2012-08-24 09:50:19

ComboFix-quarantined-files.txt 2012-08-24 14:50

.

Pre-Run: 101,936,541,696 bytes free

Post-Run: 102,175,883,264 bytes free

.

- - End Of File - - D7C6690DB89699A4F57ABEAA909997E0

August 24, 2012

Hi Maurice

I run through all the steps but the problem is still there. Google Chrome can not be started. I tried to attach Combofix log but got an error msg saying that the file is too long. I will send you the log file in four separate posts.

First one

ComboFix 12-08-24.01 - Frank Liu /08/24 Fri 9:34.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.950.886.1033.18.1471.917 [GMT -5:00]

執行位置: c:\documents and settings\Frank Liu\Desktop\Combo-Fix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Tempmozy-autoupdate-82af9a609219353256cb533e636b9416.exe

c:\documents and settings\Frank Liu\GoToAssistDownloadHelper.exe

c:\documents and settings\Frank Liu\My Documents\~WRL0003.tmp

c:\documents and settings\Frank Liu\WINDOWS

c:\windows\system32\OLD3E1.tmp

c:\windows\system32\OLD3E4.tmp

c:\windows\system32\OLD411.tmp

c:\windows\system32\OLD41C.tmp

c:\windows\system32\OLD5A3.tmp

c:\windows\system32\OLD63F.tmp

c:\windows\system32\OLD642.tmp

c:\windows\system32\OLD7A4.tmp

c:\windows\system32\OLD7A7.tmp

c:\windows\system32\OLD7AA.tmp

c:\windows\system32\OLD7AD.tmp

c:\windows\system32\OLD7B0.tmp

c:\windows\system32\OLD7B3.tmp

c:\windows\system32\OLD7BA.tmp

c:\windows\system32\OLD83B.tmp

c:\windows\system32\OLD88D.tmp

c:\windows\system32\OLD890.tmp

c:\windows\system32\OLD893.tmp

c:\windows\system32\OLD896.tmp

c:\windows\system32\OLD89C.tmp

c:\windows\system32\OLD8A1.tmp

c:\windows\system32\OLD8AA.tmp

c:\windows\system32\OLD942.tmp

c:\windows\system32\OLDAA4.tmp

c:\windows\system32\OLDB38.tmp

c:\windows\system32\SET144.tmp

c:\windows\system32\SET145.tmp

c:\windows\system32\SET146.tmp

c:\windows\system32\SET182.tmp

c:\windows\system32\SET183.tmp

c:\windows\system32\SET184.tmp

c:\windows\system32\SET185.tmp

c:\windows\system32\SET186.tmp

c:\windows\system32\SET187.tmp

c:\windows\system32\SET188.tmp

c:\windows\system32\SET189.tmp

c:\windows\system32\SET18A.tmp

c:\windows\system32\SET18B.tmp

c:\windows\system32\SET18C.tmp

c:\windows\system32\SET18D.tmp

c:\windows\system32\SET18E.tmp

c:\windows\system32\SET18F.tmp

c:\windows\system32\SET191.tmp

c:\windows\system32\SET192.tmp

c:\windows\system32\SET193.tmp

c:\windows\system32\SET194.tmp

c:\windows\system32\SET195.tmp

c:\windows\system32\SET196.tmp

c:\windows\system32\SET197.tmp

c:\windows\system32\SET198.tmp

c:\windows\system32\SET199.tmp

c:\windows\system32\SET19A.tmp

c:\windows\system32\SET19B.tmp

c:\windows\system32\SET19C.tmp

c:\windows\system32\SET19D.tmp

c:\windows\system32\SET19E.tmp

c:\windows\system32\SET19F.tmp

c:\windows\system32\SET1A0.tmp

c:\windows\system32\SET1A1.tmp

c:\windows\system32\SET1A2.tmp

c:\windows\system32\SET1A3.tmp

c:\windows\system32\SET1A4.tmp

c:\windows\system32\SET1A5.tmp

c:\windows\system32\SET1A6.tmp

c:\windows\system32\SET75.tmp

c:\windows\system32\SET78.tmp

c:\windows\system32\SET84.tmp

c:\windows\system32\SET86.tmp

c:\windows\system32\SETD6.tmp

c:\windows\system32\SETD7.tmp

c:\windows\system32\SETD9.tmp

c:\windows\system32\SETDA.tmp

c:\windows\system32\SETDB.tmp

c:\windows\system32\SETDF.tmp

c:\windows\system32\SETE0.tmp

c:\windows\system32\SETE1.tmp

c:\windows\system32\SETE6.tmp

c:\windows\system32\SETE7.tmp

c:\windows\system32\SETEA.tmp

c:\windows\system32\SETEB.tmp

c:\windows\system32\SETEC.tmp

c:\windows\system32\SETF0.tmp

c:\windows\system32\SETF3.tmp

c:\windows\system32\SETF4.tmp

c:\windows\system32\SETF5.tmp

c:\windows\system32\SETF6.tmp

c:\windows\system32\SETF7.tmp

c:\windows\system32\SETF9.tmp

c:\windows\system32\SETFA.tmp

c:\windows\system32\SETFB.tmp

c:\windows\system32\SETFD.tmp

c:\windows\system32\SETFE.tmp

c:\windows\system32\SETFF.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

((((((((((((((((((((((((( 2012-07-24 to 2012-08-24 New Files )))))))))))))))))))))))))))))))

.

2012-08-24 13:55 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BEC52919-918D-4E35-847D-C3EDE77D7E1B}\mpengine.dll

2012-08-23 19:54 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-08-23 19:21 . 2012-08-23 19:21 -------- d-----w- C:\rsit

2012-08-23 15:16 . 2012-08-23 19:44 -------- d-----w- c:\documents and settings\Frank Liu\Application Data\QuickScan

2012-08-23 14:59 . 2012-08-23 19:21 -------- d-----w- c:\program files\trend micro

2012-08-23 14:55 . 2012-08-23 14:55 -------- d-----w- c:\program files\ERUNT

2012-08-22 02:46 . 2012-08-24 14:27 -------- d-----w- c:\documents and settings\Frank Liu\Application Data\Skype

2012-08-22 02:46 . 2012-08-22 02:46 -------- d-----w- c:\program files\Common Files\Skype

2012-08-22 02:46 . 2012-08-22 02:46 -------- d-----r- c:\program files\Skype

2012-08-22 02:46 . 2012-08-22 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2012-08-22 02:39 . 2008-04-13 17:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2012-08-22 02:39 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2012-08-22 02:39 . 2008-04-13 23:12 20992 ----a-w- c:\windows\system32\dshowext.ax

2012-08-22 02:36 . 2007-07-19 00:44 3599000 ----a-w- c:\windows\system32\drivers\lvuvc.sys

2012-08-22 02:36 . 2007-07-19 00:44 465432 ----a-w- c:\windows\system32\LVUI2RC.dll

2012-08-22 02:36 . 2007-07-19 00:40 416280 ----a-w- c:\windows\system32\lvcodec2.dll

2012-08-22 02:36 . 2007-07-19 00:43 490008 ----a-w- c:\windows\system32\LVUI2.dll

2012-08-22 02:36 . 2007-07-19 00:42 1920920 ----a-w- c:\windows\system32\drivers\lvpopflt.sys

2012-08-22 02:36 . 2007-07-18 23:55 19344 ----a-w- c:\windows\system32\Repository.reg

2012-08-22 02:36 . 2007-07-19 00:44 22296 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys

2012-08-22 02:36 . 2007-07-19 00:44 41752 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys

2012-08-22 02:36 . 2007-07-19 00:40 195096 ----a-w- c:\windows\system32\lvci1110.dll

2012-08-22 02:35 . 2012-08-22 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech

2012-08-01 15:50 . 2012-08-12 20:59 -------- d-----w- c:\program files\BETV

2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

(((((((((((((((((((((((((((((((((((((((( Modified Files in Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-22 02:30 . 2012-04-03 16:10 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-22 02:30 . 2011-05-20 12:23 73416 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-06 13:58 . 2009-11-15 18:50 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05 . 2009-11-15 18:53 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 18:46 . 2010-03-16 22:07 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-03 13:40 . 2005-05-20 00:14 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-07-02 17:49 . 2005-05-20 00:14 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49 . 2009-11-15 18:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-07-02 17:49 . 2009-11-15 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-07-02 12:05 . 2009-11-15 18:51 385024 ------w- c:\windows\system32\html.iec

2012-06-17 14:33 . 2012-06-17 14:33 12557904 ----a-w- c:\documents and settings\All Users\Tempmozy-autoupdate-864934ef6e2b54a6f5dcfa6e472922e2.exe

2012-06-07 03:57 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2012-06-07 03:57 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2012-06-07 01:59 . 2012-06-07 01:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX

2012-06-05 15:50 . 2009-11-15 18:52 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll

2012-06-04 04:32 . 2009-11-15 18:53 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 20:19 . 2009-08-07 01:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19 . 2009-11-15 18:54 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 20:19 . 2009-11-15 18:54 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 20:19 . 2009-11-15 18:54 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19 . 2009-08-07 01:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19 . 2009-11-15 18:54 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 20:19 . 2009-11-15 18:54 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 20:19 . 2009-11-15 18:50 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 20:19 . 2009-08-07 01:24 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 20:19 . 2009-08-07 01:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19 . 2009-08-07 01:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 20:19 . 2009-11-15 18:54 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 20:19 . 2009-11-15 18:54 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 20:18 . 2010-02-15 09:10 214256 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 20:18 . 2010-02-15 09:10 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 20:18 . 2010-02-15 09:10 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 17:25 . 2009-12-14 16:59 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-05-31 13:22 . 2009-11-15 18:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2010-07-14 15:56 . 2010-09-18 11:53 417944 ----a-w- c:\program files\Common Files\ZugoInstaller.exe

2010-05-09 05:14 . 2010-12-14 14:28 5387 ----a-w- c:\program files\apply.cmd

2010-04-24 04:33 . 2010-12-14 14:28 911800 ----a-w- c:\program files\amtlib.dll

2000-08-04 23:59 . 2012-06-16 03:30 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-06-03 19:36 . 2010-08-18 03:23 13696 -c--a-w- c:\program files\mozilla firefox\components\CntvSpeedup.dll

.

August 23, 2012

Here is the start of step 5 thru 7

QuickScan 32-bit v0.9.9.118

---------------------------

Scan date: Thu Aug 23 14:44:58 2012

Machine ID: 5C71CD09

No infection found.

-------------------

Processes

---------

Microsoft® Windows® Operating System 9640 C:\WINDOWS\system32\notepad.exe

(verified) Google Update 568 C:\Program Files\Google\Update\GoogleUpdate.exe

(verified) Java Platform SE 6 U29 560 C:\Program Files\Java\jre6\bin\jqs.exe

(verified) Logitech QuickCam 616 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

(verified) Logitech QuickCam 2908 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

(verified) Logitech QuickCam 1616 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

(verified) Malwarebytes Anti-Malware 348 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

(verified) Microsoft Malware Protection 1100 C:\Program Files\Microsoft Security Client\MsMpEng.exe

(verified) Microsoft Security Client 148 C:\Program Files\Microsoft Security Client\msseces.exe

(verified) Microsoft® Windows® Operating System 1684 C:\WINDOWS\explorer.exe

(verified) Microsoft® Windows® Operating System 1764 C:\WINDOWS\system32\alg.exe

(verified) Microsoft® Windows® Operating System 3488 C:\WINDOWS\system32\conime.exe

(verified) Microsoft® Windows® Operating System 684 C:\WINDOWS\system32\csrss.exe

(verified) Microsoft® Windows® Operating System 1712 C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System 768 C:\WINDOWS\system32\lsass.exe

(verified) Microsoft® Windows® Operating System 756 C:\WINDOWS\system32\services.exe

(verified) Microsoft® Windows® Operating System 400 C:\WINDOWS\system32\smss.exe

(verified) Microsoft® Windows® Operating System 1584 C:\WINDOWS\system32\spoolsv.exe

(verified) Microsoft® Windows® Operating System 232 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 464 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1140 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1232 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1396 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1000 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 936 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 712 C:\WINDOWS\system32\winlogon.exe

(verified) Microsoft® Windows® Operating System 9712 C:\WINDOWS\system32\wscntfy.exe

(verified) MozyHome 672 C:\Program Files\MozyHome\mozybackup.exe

(verified) NVIDIA Driver Helper Service, Version 7 688 C:\WINDOWS\system32\nvsvc32.exe

(verified) Quik Protect (x32) 1804 C:\Program Files\Iomega\QuikProtect\QpMonitor.exe

(verified) QuikProtect 7364 C:\Program Files\Iomega\QuikProtect\QuikProtect.exe

(verified) RealPlayer (32-bit) 160 C:\Program Files\real\realplayer\Update\realsched.exe

(verified) Skype 636 C:\Program Files\Skype\Phone\Skype.exe

(verified) Windows® Internet Explorer 3520 C:\Program Files\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 6252 C:\Program Files\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 8360 C:\Program Files\Internet Explorer\iexplore.exe

Network activity

----------------

Process Skype.exe (636) connected on port 40008 --> 157.55.130.162

Process Skype.exe (636) connected on port 443 (HTTP over SSL) --> 64.4.44.29

Process Skype.exe (636) connected on port 12350 --> 78.141.179.15

Process iexplore.exe (8360) connected on port 80 (HTTP) --> 74.125.227.41

Process iexplore.exe (8360) connected on port 80 (HTTP) --> 74.125.227.45

Process iexplore.exe (8360) connected on port 80 (HTTP) --> 74.125.227.49

Process iexplore.exe (8360) connected on port 80 (HTTP) --> 74.125.227.57

Process Skype.exe (636) listens on ports: 80 (HTTP), 62825

Process svchost.exe (1000) listens on ports: 135 (RPC)

Autoruns and critical files

---------------------------

(verified) Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

(verified) Adobe® Flash® Player Update Service C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

(verified) Google Update C:\Documents and Settings\Frank Liu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

(verified) Google Update C:\Program Files\Google\Update\GoogleUpdate.exe

(verified) Logitech SetPoint c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

(verified) Malwarebytes Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

(verified) Microsoft Malware Protection C:\Program Files\Microsoft Security Client\MpCmdRun.exe

(verified) Microsoft Security Client C:\Program Files\Microsoft Security Client\msseces.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\CRYPT32.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\logon.scr

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll

(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll

(verified) NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\nvcpl.dll

(verified) RealPlayer (32-bit) C:\Program Files\real\realplayer\Update\realsched.exe

(verified) RealUpgrade C:\Program Files\Real\RealUpgrade\realupgrade.exe

(verified) Skype C:\Program Files\Skype\Phone\Skype.exe

(verified) startQuikProtect C:\Program Files\Iomega\QuikProtect\StartQuikProtect.exe

(verified) Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe

(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

Browser plugins

---------------

(unsigned) Google Earth Plugin C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

(unsigned) Java Platform SE 6 U29 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

(unsigned) RealJukebox NS Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll

(unsigned) RealJukebox NS Plugin c:\program files\real\realplayer\Netscape6\nprjplug.dll

(unsigned) RealNetworks Chrome Background Exte C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll

(unsigned) RealPlayer HTML5VideoShim Plug-In ( C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

(verified) 2007 Microsoft Office system C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL

(verified) AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll

(verified) Adobe Acrobat C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll

(verified) Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

(verified) Bitdefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll

(verified) CANON iMAGE GATEWAY Album Plugin Utilit C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

(verified) Flash® Player Installer/Uninstaller C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe

(verified) Flash® Player Installer/Uninstaller C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe

(verified) Google Update C:\Documents and Settings\Frank Liu\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll

(verified) Google Update C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll

(verified) Java Deployment Toolkit 6.0.290.11 C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

(verified) Java Platform SE 6 U29 C:\Program Files\Java\jre6\bin\jp2ssv.dll

(verified) Java Platform SE 6 U29 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

(verified) Messenger C:\Program Files\Messenger\msmsgs.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\mswsock.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll

(verified) NPSWF32_11_3_300_257.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_257.dll

(verified) Photo Uploader C:\WINDOWS\Downloaded Program Files\UploaderX.dll

(verified) PhotoCenter Active X control C:\WINDOWS\Downloaded Program Files\Photochannel.dll

(verified) Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll

(verified) RealPlayer Download and Record Plugin C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

(verified) RealPlayer Download Plugin C:\Program Files\Mozilla Firefox\plugins\nprpplugin.dll

(verified) RealPlayer Download Plugin c:\program files\real\realplayer\Netscape6\nprpplugin.dll

(verified) RealPlayer G2 LiveConnect-Enabled P C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll

(verified) RealPlayer G2 LiveConnect-Enabled P c:\program files\real\realplayer\Netscape6\nppl3260.dll

(verified) Silverlight Plug-In C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll

(verified) Windows Presentation Foundation C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

(verified) Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll

(verified) Yahoo! Toolbar c:\program files\yahoo!\companion\installs\cpn0\yt.dll

Scan

----

MD5: e670ce1a52782d364156056ed28d2161 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll

MD5: 10737b44923217bc0e67d26a9fc1f0aa C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll

MD5: 2645990c521342dcd08963d2df6cd0d2 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

MD5: 167d24a045499ebef438f231976158df C:\MAGIX\Common\Database\bin\fbserver.exe

MD5: 2437be68d5a37a75fad51c5f0e9a03ed C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

MD5: 1e96525ae85d402f9f8047f8caef5f06 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

MD5: 90492e00ee4c916123bec5d267894e8c C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll

MD5: ca6f7021f560fc9ee7b7471795aa628f C:\Program Files\MozyHome\LIBEAY32.dll

MD5: a14a07c8e27e4e4c13f251d76b65e98e C:\Program Files\MozyHome\SSLEAY32.dll

MD5: 90492e00ee4c916123bec5d267894e8c c:\program files\real\realplayer\Netscape6\nprjplug.dll

MD5: f835d707a2756f3ac756331dc2e5fde2 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\016444dfc5f7e3d11c776f2fbc7a4594\Accessibility.ni.dll

MD5: 2f0539bff032d35ba47c341a988be1ff C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\359fd69eb60e9844ffd497e92345178c\Microsoft.VisualBasic.ni.dll

MD5: dec7885b2ef0966ea285c9a40e7afba4 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll

MD5: 1d52bcaf65ec439c735ed109431d1c09 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll

MD5: c05a4d494c3096782f80cfdf7f4aefa8 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll

MD5: 397d3ef4842d6454fa68218438165a5d C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\9080c8e8e7b6dfb502c1328673d636f8\System.Management.ni.dll

MD5: b7a48556eb302cd02a725d2d425f2d0c C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll

MD5: a7e9d45b18a13dc18e3c0311d1cf620f C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll

MD5: 8563f5a4f6342ba64e7c398f7efcc350 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll

MD5: 72cadf7ee0722dae4a6b98eefeac06bc C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll

MD5: 0607cbc6fa20114cb491efe4b2f9efad C:\WINDOWS\system32\d3d9.dll

MD5: bb8dc530b88f47dd2a37915480aa6cd2 C:\WINDOWS\system32\dshowext.ax

MD5: f1941197a42f9f373cc70042fc82c950 C:\WINDOWS\system32\ksproxy.ax

MD5: c9ef69b25dfa1c0e7932cb02fb8a7e91 C:\WINDOWS\system32\kswdmcap.ax

MD5: 76848cb1aa5818db47d5f5986e0a7485 C:\WINDOWS\system32\MFC42.DLL

MD5: 5e28284f9b5f9097640d58a73d38ad4c C:\WINDOWS\system32\notepad.exe

MD5: d0049860b63dd87a73a5d165c829c65f C:\WINDOWS\system32\T2EMBED.DLL

MD5: 94ba90c6af5c50ff5f7a6392514c4642 C:\WINDOWS\system32\vidcap.ax

MD5: 9eefe69139fdbb4a3c327630f8eb993a C:\WINDOWS\system32\wlanapi.dll

MD5: 18473f44d6de85c8cb4e70f503c5ea64 C:\WINDOWS\System32\xactsrv.dll

MD5: 1f5afd468eb5e09e9ed75a087529eab5 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL

MD5: 28a09777d2d952122567a8a82f1a2c7b C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\MFC80ENU.DLL

No file uploaded.

Scan finished - communication took 1 sec

Total traffic - 0.00 MB sent, 0.14 KB recvd

Scanned 628 files and modules - 127 seconds

==============================================================================

Step 6

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Frank Liu [Admin rights]

Mode: Scan -- Date: 08/23/2012 14:51:12

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SP1604N +++++

--- User ---

[MBR] 62f07d074c1ea5a4720fffc1fdfa7219

[bSP] 709a9d4529d10caafc13093f815046ab : Standard MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

Error reading LL1 MBR!

Error reading LL2 MBR!

+++++ PhysicalDrive1: ST3400620A +++++

--- User ---

[MBR] da750aa383971399d9e72eebdb803397

[bSP] ab891c45853e9ceb9a74972a00a05374 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 1008 | Size: 190720 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 390595968 | Size: 190831 Mo

Error reading LL1 MBR!

Error reading LL2 MBR!

+++++ PhysicalDrive2: SAMSUNG HD103SI USB Device +++++

--- User ---

[MBR] 7435b395373533bcd39085cd12602a0e

[bSP] 3a263ec662f61a27d74cd7a536bc3337 : TestDisk MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Should have all txt files as you mentioned. Please kindly let me know if anything needed. Thank you again for your help.

Planoguy

August 23, 2012

Thanks for your quick reponse.

I run first 4 steps with three reports log.txt, info.txt and checkup.txt as follows. Will now run step 5 and attach additional reports in next reply.

Logfile of random's system information tool 1.09 (written by random/random)

Run by Frank Liu at 2012-08-23 14:21:03

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 97 GB (64%) free of 153 GB

Total RAM: 1471 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:21:09 PM, on 2012/8/23

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Iomega\QuikProtect\QpMonitor.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\program files\real\realplayer\update\realsched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\conime.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Iomega\QuikProtect\QuikProtect.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Frank Liu\Desktop\chrome\RSIT.exe

C:\Program Files\trend micro\Frank Liu.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuiKProtect] C:\Program Files\Iomega\QuikProtect\StartQuikProtect.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://update.microsoft.com

O15 - Trusted Zone: http://windowsupdate.microsoft.com

O15 - Trusted Zone: http://my.yahoo.com

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/69.10/uploader2.cab

O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (Bitdefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab

O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5985/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIXR - C:\MAGIX\Common\Database\bin\fbserver.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: QPCopyEngine - Unknown owner - C:\Program Files\Iomega\QuikProtect\QpMonitor.exe

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

--

End of file - 7731 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Adobe Flash Player Updater.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd54de10e0c010.job

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-917075022-3912106595-2679439203-1006Core.job

C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job

C:\WINDOWS\tasks\MpIdleTask.job

C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-917075022-3912106595-2679439203-1006.job

C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-917075022-3912106595-2679439203-1006.job

C:\WINDOWS\tasks\User_Feed_Synchronization-{12E6D780-BBA6-4A53-9EDB-E778FFB2ECF0}.job

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\Frank Liu\Application Data\Mozilla\Firefox\Profiles\bqdxhci7.default

prefs.js - "browser.startup.homepage" - "http://my.yahoo.com/"<p>"{20a82645-c095-46ed-80e3-08825760534b}"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

"

August 23, 2012

Hi Maurice

Thanks for your help. Run thru 7 steps and here are the reports

Logfile of random's system information tool 1.09 (written by random/random)

Run by Frank Liu at 2012-08-23 10:01:17

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 97 GB (64%) free of 153 GB

Total RAM: 1471 MB (37% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:01:23 AM, on 2012/8/23

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Iomega\QuikProtect\QpMonitor.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\program files\real\realplayer\update\realsched.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Iomega\QuikProtect\QuikProtect.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\conime.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Frank Liu\Desktop\RSIT.exe