
Please help with Fake antivirus program and web redirected virus



I already ran HJT and Malwarebytes.

Malwarebytes detected a lot of infections, but when I restarted my computer, the fake antivirus program is still there.

It prevents me from opening ANY programs, I can't even use "Ctrl + Alt + Del".

My computer was also infected by web redirecting adware. I used ComboFix; it worked for 2 days, but the viruses came back again ;)

I'm desperate. I don't have the recovery disc; I tried to use the recovery system on my computer, but it won't run. And I don't know if recovery would help.

OS: It was Windows Vista when I bought it, but I downgraded it to WinXP

Model: Samsung Q210

This is my HJT log

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at

mbam_log_2010_08_24__21_45_04_.txt


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
    • Save it to your desktop.
    • Double-click the OTL icon on your desktop.
    • Click the "Scan All Users" checkbox.
    • Push the Run Scan button.
    • Two reports will open; copy and paste both into a reply here:
      • OTListIt.txt <-- will be opened
      • Extra.txt <-- will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

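The OTL output the helper asks for above (and which is posted further down in this thread) only becomes useful once someone reads it for the handful of patterns that separate a rogue antivirus from a merely cluttered machine: an HTTP proxy forced onto 127.0.0.1, Run keys that launch from a service account's profile, a Windows Update service whose binary is gone, and a Firefox keyword.URL pointing at a toolbar vendor. The script below is an added example, not OTL's code and not anything posted by the forum staff. Its sample lines are constructed, modelled on entries in the log later in this thread; its regexes, the two-signal rule for Run keys, the vowel-ratio test for random names, and the list of "critical" services are all the example's own assumptions.

```python
"""Triage OTL log lines for rogue-antivirus / search-redirect indicators.

Added example for this thread, not OTL's own code. The regexes and
thresholds below are assumptions about what usually separates malware
persistence from vendor clutter; every hit still needs a human to confirm.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, modelled on entries in the OTL log posted in this thread.
SAMPLE_LOG = r'''
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
FF - prefs.js..keyword.URL: "http://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q="
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (TBSB05974 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [jgcdsdvh] C:\Documents and Settings\NetworkService\Local Settings\Application Data\fecuxmyyc\jgsjxlkshdw.exe ()
O4 - HKU\.DEFAULT..\Run: [nmknnljs] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hciwxjxvt\jheoeagshdw.exe ()
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - File not found [Auto | Stopped] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\XP\explorer.exe (Microsoft Corporation)
'''

PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?(?P<host>127\.0\.0\.1|localhost):(?P<port>\d+)')
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] '
                    r'(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|vbs)) \((?P<publisher>[^)]*)\)\s*$', re.I)
SERVICE_PROFILE_RE = re.compile(r'\\Documents and Settings\\(?:NetworkService|LocalService)\\', re.I)
APPDATA_RE = re.compile(r'\\(?:Local Settings\\)?Application Data\\', re.I)
KEYWORD_URL_RE = re.compile(r'^FF - prefs\.js\.\.keyword\.URL: "(?P<url>[^"]+)"')
ORPHAN_BHO_RE = re.compile(r'^O2 - BHO: .*(?:File not found|No CLSID value found)')
SRV_MISSING_RE = re.compile(r'^SRV - File not found .* -- \((?P<svc>[^)]+)\)\s*$')
SHELL_RE = re.compile(r'^O20 - HKLM Winlogon: Shell - \((?P<shell>[^)]+)\) - (?P<path>.+?) \(')
# Assumption: services that rogue AVs commonly disable to stop updates / security alerts.
CRITICAL_SERVICES = {"wuauserv", "wscsvc", "BITS", "SharedAccess"}
KNOWN_SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com", "mozilla.com", "mozilla.org")
VOWELS = set("aeiou")


def looks_random(token: str) -> bool:
    """Crude lexical test: a long alphabetic token with almost no vowels."""
    letters = [c for c in token.lower() if c.isalpha()]
    return len(letters) >= 8 and sum(c in VOWELS for c in letters) / len(letters) < 0.15


def is_known_search_host(url: str) -> bool:
    """True when the search URL's host is one of the expected search/browser vendors."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_DOMAINS)


def classify_run_key(m) -> list:
    """Return the independent reasons an O4 Run entry looks like malware persistence."""
    reasons = []
    if SERVICE_PROFILE_RE.search(m["path"]):
        reasons.append("launches from a service account profile")
    elif APPDATA_RE.search(m["path"]):
        reasons.append("launches from a user Application Data folder")
    if not m["publisher"]:
        reasons.append("no publisher in version info")
    if looks_random(m["name"]) or looks_random(m["path"].rsplit("\\", 1)[-1]):
        reasons.append("random-looking name")
    return reasons


def _finding(severity, category, detail, line):
    return {"severity": severity, "category": category, "detail": detail, "line": line}


def triage(log_text: str) -> list:
    """Scan OTL-style lines and return a list of finding dicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := PROXY_RE.search(line)):
            findings.append(_finding("high", "loopback-proxy",
                                     f"HTTP proxy forced to {m['host']}:{m['port']}", line))
        elif (m := KEYWORD_URL_RE.match(line)) and not is_known_search_host(m["url"]):
            findings.append(_finding("medium", "search-hijack",
                                     f"keyword.URL sends address-bar searches to {m['url']}", line))
        elif ORPHAN_BHO_RE.match(line):
            findings.append(_finding("low", "orphaned-bho",
                                     "BHO registered but file/CLSID missing (cleanup, not an active threat)", line))
        elif (m := SRV_MISSING_RE.match(line)) and m["svc"] in CRITICAL_SERVICES:
            findings.append(_finding("high", "missing-critical-service",
                                     f"{m['svc']} binary missing; rogue AVs disable it to block updates", line))
        elif (m := RUN_RE.match(line)):
            reasons = classify_run_key(m)
            if len(reasons) >= 2:  # one signal alone is common for unsigned OEM utilities
                findings.append(_finding("high", "suspicious-run-key",
                                         f"[{m['name']}] {m['path']}: " + "; ".join(reasons), line))
        elif (m := SHELL_RE.match(line)) and m["shell"].lower() != "explorer.exe":
            findings.append(_finding("high", "shell-replaced", f"Winlogon Shell is {m['shell']}", line))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per category, for a quick read of what kind of infection this is."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['category']:<25} {f['detail']}")
```

A loopback proxy is not proof of infection on its own (some web filters and security suites insert one), so before acting on that hit, map the listening port to a process with `netstat -ano` and check what owns the PID. For the same reason the script demands two independent signals before it flags a Run key: OEM utilities with an empty publisher field are routine, while an unsigned binary with a random name living under the NetworkService profile is not.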

OTL LOG

OTL logfile created on: 2010/8/25 ?? 05:45:02 - Run 1

OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\SIUNANA\??

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000404 | Country: ?? | Language: CHT | Date Format: yyyy/M/d

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\XP | %ProgramFiles% = C:\Program Files

Drive C: | 80.88 Gb Total Space | 8.44 Gb Free Space | 10.44% Space Free | Partition Type: NTFS

Drive D: | 142.00 Gb Total Space | 94.56 Gb Free Space | 66.59% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NANA

Current User Name: SIUNANA

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/25 17:37:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SIUNANA\??\OTL.exe

PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2009/08/17 12:32:42 | 002,539,520 | ---- | M] () -- D:\Program Files\Yahoo!\KeyKey\KeyKeyServer.exe

PRC - [2008/12/23 10:18:55 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\XP\system32\igfxext.exe

PRC - [2008/10/07 02:13:44 | 002,772,992 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe

PRC - [2008/10/06 03:07:26 | 000,679,936 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

PRC - [2008/07/10 05:42:14 | 000,819,200 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe

PRC - [2008/07/10 05:23:22 | 000,901,120 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

PRC - [2008/07/10 05:13:50 | 001,191,936 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

PRC - [2008/07/10 05:12:40 | 000,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

PRC - [2008/06/24 17:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

PRC - [2008/05/21 01:44:30 | 000,299,008 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\MagicKBD\PerformanceManager.exe

PRC - [2008/05/20 05:02:08 | 000,372,736 | ---- | M] (SAMSUNG Electronics Co., Ltd.) -- C:\Program Files\Samsung\MagicKBD\MagicKBD.exe

PRC - [2008/04/14 15:00:32 | 000,978,432 | ---- | M] (Microsoft Corporation) -- C:\XP\explorer.exe

PRC - [2008/01/16 02:37:38 | 000,031,248 | ---- | M] (Syntek America Inc.) -- C:\XP\system32\StkCSrv.exe

PRC - [2007/12/20 05:40:30 | 000,659,456 | ---- | M] (Samsung Electronics,.LTD) -- C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

PRC - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

PRC - [2006/11/30 08:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

PRC - [2006/11/30 08:50:00 | 000,112,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

PRC - [2006/11/30 08:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

PRC - [2006/11/17 13:40:56 | 000,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

PRC - [2006/11/17 13:39:58 | 000,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe

PRC - [2006/11/17 13:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe

PRC - [2006/11/17 03:06:00 | 000,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe

PRC - [2006/11/02 15:24:32 | 000,184,320 | ---- | M] (VoyagerSoft, LLC) -- D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

PRC - [2006/05/21 19:37:20 | 000,262,144 | ---- | M] () -- C:\XP\tsnp2std.exe

PRC - [2006/05/15 00:52:22 | 000,675,840 | ---- | M] (Sonix) -- C:\XP\vsnp2std.exe

PRC - [2006/04/20 08:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

========== Modules (SafeList) ==========

MOD - [2010/08/25 17:37:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SIUNANA\??\OTL.exe

MOD - [2008/04/14 14:57:12 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\XP\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)

SRV - File not found [Auto | Stopped] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)

SRV - [2010/06/22 20:01:57 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2008/12/01 12:01:02 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®

SRV - [2008/07/10 05:42:14 | 000,819,200 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)

SRV - [2008/07/10 05:23:22 | 000,901,120 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)

SRV - [2008/07/10 05:12:40 | 000,466,944 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)

SRV - [2008/01/16 02:37:38 | 000,031,248 | ---- | M] (Syntek America Inc.) [Auto | Running] -- C:\XP\system32\StkCSrv.exe -- (StkSSrv)

SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

SRV - [2006/11/30 08:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)

SRV - [2006/11/30 08:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)

SRV - [2006/11/17 13:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2006/11/02 15:24:32 | 000,184,320 | ---- | M] (VoyagerSoft, LLC) [Auto | Running] -- D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe -- (ScReadSpool)

SRV - [2006/04/20 08:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\XP\System32\drivers\scsk4.sys -- (scsk4)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)

DRV - [2009/06/11 16:34:34 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\XP\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\XP\system32\drivers\nuidfltr.sys -- (NuidFltr)

DRV - [2008/12/23 10:55:07 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2008/12/23 10:51:34 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\btwusb.sys -- (BTWUSB)

DRV - [2008/12/23 10:51:33 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\XP\system32\drivers\btwdndis.sys -- (BTWDNDIS)

DRV - [2008/12/23 10:51:32 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\btport.sys -- (BTDriver)

DRV - [2008/12/23 10:51:31 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\btkrnl.sys -- (BTKRNL)

DRV - [2008/12/23 10:51:30 | 000,539,072 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\btaudio.sys -- (btaudio)

DRV - [2008/12/23 10:18:59 | 000,110,080 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®

DRV - [2008/12/23 10:18:56 | 006,043,040 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2008/08/05 19:03:00 | 000,289,664 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\yk51x86.sys -- (yukonwxp)

DRV - [2008/07/13 17:10:10 | 000,006,656 | ---- | M] (alipay.com) [Kernel | On_Demand | Running] -- C:\XP\System32\drivers\alidevice.sys -- (Alidevice)

DRV - [2008/06/25 15:15:34 | 003,630,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®

DRV - [2008/04/18 00:48:50 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\XP\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\XP\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 15:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/03/28 04:19:52 | 001,363,088 | ---- | M] (Syntek) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\StkCMini.sys -- (StkCMini)

DRV - [2008/01/14 04:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)

DRV - [2006/11/30 08:50:00 | 000,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2006/11/30 08:50:00 | 000,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2006/11/30 08:50:00 | 000,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\mfeapfk.sys -- (mfeapfk)

DRV - [2006/11/30 08:50:00 | 000,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\XP\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2006/11/30 08:50:00 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2006/06/06 19:34:36 | 010,305,280 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\XP\system32\drivers\snp2sxp.sys -- (SNP2STD) USB2.0 PC Camera (SNP2STD)

DRV - [2006/04/20 08:33:40 | 000,303,740 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\XP\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)

DRV - [2005/06/29 19:50:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\XP\system32\drivers\dne2000.sys -- (DNE)

DRV - [2005/05/17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\XP\system32\drivers\CVirtA.sys -- (CVirtA)

DRV - [2005/01/26 06:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\XP\system32\vsdatant.sys -- (vsdatant)

DRV - [2004/08/04 13:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\XP\system32\drivers\fsvga.sys -- (FsVga)

DRV - [2000/08/23 10:19:38 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\XP\system32\MEMIO.SYS -- (DOSMEMIO)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\XP\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\XP\system32\blank.htm

IE - HKU\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/

IE - HKU\S-1-5-21-329068152-117609710-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-329068152-117609710-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-329068152-117609710-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://zh-TW.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:zh-TW:official"

FF - prefs.js..extensions.enabledItems: {21cfaec0-dbb3-11dc-95ff-0800200c9a66}:1.1.2.4

FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.28

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {d4162096-42ad-1506-0875-f77be55c5148}:4.6.6.8

FF - prefs.js..keyword.URL: "http://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/22 22:24:54 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/22 22:24:54 | 000,000,000 | ---D | M]

[2008/12/23 22:23:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Extensions

[2010/08/21 16:45:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\extensions

[2010/08/02 22:51:02 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

[2008/12/27 09:38:00 | 000,000,000 | ---D | M] (Thunder Extension) -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\extensions\{1B33E42F-EF14-4cd3-B6DC-174571C4349C}

[2009/06/28 18:37:59 | 000,000,000 | ---D | M] (Easy DragToGo) -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\extensions\{21cfaec0-dbb3-11dc-95ff-0800200c9a66}

[2009/06/04 00:59:24 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}

[2009/01/04 15:30:20 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

[2009/01/07 11:52:22 | 000,003,871 | ---- | M] () -- C:\Documents and Settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\searchplugins\baidu.xml

[2010/08/21 16:45:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/05/23 10:04:44 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files\Mozilla Firefox\extensions\{d4162096-42ad-1506-0875-f77be55c5148}

[2009/07/10 16:35:59 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\Access Privileges Test

[2004/07/02 15:51:00 | 000,327,904 | ---- | M] (Macromedia, Inc.) -- C:\Program Files\Mozilla Firefox\components\np32asw.dll

[2008/12/18 01:43:04 | 000,036,864 | ---- | M] (????) -- C:\Program Files\Mozilla Firefox\components\NsThunderLoader.dll

[2008/12/18 01:43:04 | 000,053,248 | ---- | M] (Thunder Networking Technologies,LTD) -- C:\Program Files\Mozilla Firefox\components\ThunderComponent.dll

[2004/07/02 15:51:00 | 000,327,904 | ---- | M] (Macromedia, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32asw.dll

[2008/12/15 16:05:50 | 000,234,496 | ---- | M] (Alipay.com co.,ltd) -- C:\Program Files\Mozilla Firefox\plugins\npaliedit.dll

[2007/04/16 10:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

[2007/03/09 16:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

[2010/08/22 22:24:49 | 000,002,310 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\findbook-zh-TW.xml

[2010/08/22 22:24:49 | 000,001,222 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-zh-TW.xml

[2010/08/22 22:24:49 | 000,001,360 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-answer-zh-TW.xml

[2010/08/22 22:24:49 | 000,000,843 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-bid-zh-TW.xml

[2010/08/22 22:24:49 | 000,001,161 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-zh-TW.xml

O1 HOSTS File: ([2010/08/09 22:10:47 | 000,000,027 | ---- | M]) - C:\XP\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (ThunderAtOnce Class) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (Thunder Networking Technologies,LTD)

O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)

O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)

O2 - BHO: (TBSB05974 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll File not found

O3 - HKLM\..\Toolbar: (Dr.eye WebPage Translation) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll ()

O4 - HKLM..\Run: [batteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()

O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)

O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)

O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

O4 - HKLM..\Run: [iMJPMIG8.1] C:\XP\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [intelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)

O4 - HKLM..\Run: [jgcdsdvh] C:\Documents and Settings\NetworkService\Local Settings\Application Data\fecuxmyyc\jgsjxlkshdw.exe ()

O4 - HKLM..\Run: [KeyKeyServer] D:\Program Files\Yahoo!\KeyKey\KeyKeyServer.exe ()

O4 - HKLM..\Run: [MagicKeyboard] C:\Program Files\Samsung\MagicKBD\PreMKbd.exe ()

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [nmknnljs] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hciwxjxvt\jheoeagshdw.exe ()

O4 - HKLM..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE (Microsoft Corp.)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [snp2std] C:\XP\vsnp2std.exe (Sonix)

O4 - HKLM..\Run: [tsnp2std] C:\XP\tsnp2std.exe ()

O4 - HKU\.DEFAULT..\Run: [jgcdsdvh] C:\Documents and Settings\NetworkService\Local Settings\Application Data\fecuxmyyc\jgsjxlkshdw.exe ()

O4 - HKU\.DEFAULT..\Run: [nmknnljs] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hciwxjxvt\jheoeagshdw.exe ()

O4 - HKU\S-1-5-18..\Run: [jgcdsdvh] C:\Documents and Settings\NetworkService\Local Settings\Application Data\fecuxmyyc\jgsjxlkshdw.exe ()

O4 - HKU\S-1-5-18..\Run: [nmknnljs] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hciwxjxvt\jheoeagshdw.exe ()

O4 - HKU\S-1-5-21-329068152-117609710-1177238915-1003..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)

O4 - Startup: C:\Documents and Settings\All Users.XP\???????\???\??\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-329068152-117609710-1177238915-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &???? FlashGet ?? - C:\Program Files\FlashGet\JC_ALL.HTM ()

O8 - Extra context menu item: &?? FlashGet ?? - C:\Program Files\FlashGet\JC_LINK.HTM ()

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\XP\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: ????????? - C:\Program Files\nEO iMAGING\NeoOpenNeo.htm ()

O8 - Extra context menu item: ?????? - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm ()

O8 - Extra context menu item: ?????????? - C:\Program Files\Thunder Network\Thunder\Program\getAllurl.htm ()

O8 - Extra context menu item: ???QQ?? - D:\Program Files\Tencent\QQ\Bin\AddEmotion.htm ()

O9 - Extra Button: ????5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (Thunder Networking Technologies,LTD)

O9 - Extra 'Tools' menuitem : ????5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (Thunder Networking Technologies,LTD)

O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)

O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm File not found

O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm File not found

O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)

O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKU\S-1-5-21-329068152-117609710-1177238915-1003\..Trusted Domains: localhost ([]http in ??????)

O15 - HKU\S-1-5-21-329068152-117609710-1177238915-1003\..Trusted Ranges: GD ([http] in ??????)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (UnoCtrl Class)

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} http://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab (Bejeweled Control)

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} http://plugin.inicis.com/wallet60/INIwallet60.cab (INIwallet60 Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\XP\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\XP\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop Components:0 (?????) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\SIUNANA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\SIUNANA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/25 17:43:09 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\SIUNANA\??\OTL.exe

[2010/08/24 22:00:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.XP\Application Data\t

[2010/08/24 19:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\Application Data\Malwarebytes

[2010/08/24 19:50:52 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\XP\System32\drivers\mbamswissarmy.sys

[2010/08/24 19:50:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\XP\System32\drivers\mbam.sys

[2010/08/24 19:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.XP\Application Data\Malwarebytes

[2010/08/24 19:50:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/08/24 19:47:02 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\SIUNANA\??\mbam-setup-1.46.exe

[2010/08/24 19:05:33 | 000,000,000 | ---D | C] -- C:\XP\CSC

[2010/08/24 18:29:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\My Documents\Pantech PCSuite

[2010/08/23 22:01:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fecuxmyyc

[2010/08/23 22:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\hciwxjxvt

[2010/08/23 22:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2010/08/23 22:00:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2010/08/23 18:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/08/23 18:35:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/08/19 20:16:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\??\copy

[2010/08/19 20:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\??\xvi32

[2010/08/19 20:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\??\NPSWF32_20100213

[2010/08/17 22:13:56 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2010/08/17 21:25:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\Help

[2010/08/17 21:25:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\Application Data\Help

[2010/08/15 13:01:34 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/08/12 21:36:08 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\SIUNANA\??\HijackThis.exe

[2010/08/08 17:36:59 | 000,000,000 | ---D | C] -- C:\XP\ie8updates

[2010/08/08 16:33:33 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/08/08 16:29:03 | 000,000,000 | ---D | C] -- C:\XP\ERDNT

[2010/08/08 16:28:24 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/08/07 16:25:00 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\XP\System32\dllcache\msfeeds.dll

[2010/08/07 16:25:00 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\XP\System32\dllcache\msfeedsbs.dll

[2010/08/07 16:24:55 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\XP\System32\dllcache\iedvtool.dll

[2010/08/07 16:24:54 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\XP\System32\dllcache\iertutil.dll

[2010/08/07 16:24:51 | 011,076,096 | ---- | C] (Microsoft Corporation) -- C:\XP\System32\dllcache\ieframe.dll

[2010/08/07 13:59:50 | 001,870,800 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\SIUNANA\??\HousecallLauncher.exe

[2010/08/06 23:53:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft XNA

[2010/08/06 23:52:19 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\XP\System32\spmsg2.dll

[2010/08/06 23:48:56 | 000,000,000 | ---D | C] -- C:\XP\System32\XPSViewer

[2010/08/06 23:48:49 | 000,000,000 | ---D | C] -- C:\XP\System32\en-us

[2010/08/06 23:29:27 | 100,129,178 | ---- | C] (Zombie Cow Studios ) -- C:\Documents and Settings\SIUNANA\??\privatesdownload.exe

[2010/08/01 22:43:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2010/08/01 11:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\.gnome2_private

[2010/08/01 11:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\.gnome2

[2010/08/01 11:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\.gconfd

[2010/08/01 11:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\.gconf

[2010/08/01 11:22:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\.gnucash

[2010/07/30 20:36:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SIUNANA\??\????

[2008/12/30 08:37:01 | 000,147,456 | ---- | C] ( ) -- C:\XP\rsnp2std.dll

[2008/12/30 08:37:01 | 000,053,248 | ---- | C] ( ) -- C:\XP\System32\csnp2std.dll

========== Files - Modified Within 30 Days ==========

[2010/08/25 17:39:12 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\RKUnhookerLE.EXE

[2010/08/25 17:37:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SIUNANA\??\OTL.exe

[2010/08/25 00:28:00 | 000,000,644 | ---- | M] () -- C:\XP\tasks\GoogleUpdateTaskUserS-1-5-21-329068152-117609710-1177238915-1003UA.job

[2010/08/24 22:00:00 | 000,000,240 | ---- | M] () -- C:\XP\tasks\e69ac.job

[2010/08/24 22:00:00 | 000,000,232 | ---- | M] () -- C:\XP\tasks\e69b.job

[2010/08/24 22:00:00 | 000,000,026 | ---- | M] () -- C:\XP\System32\34-61-47101

[2010/08/24 21:52:11 | 000,002,206 | ---- | M] () -- C:\XP\System32\wpa.dbl

[2010/08/24 21:51:10 | 000,000,006 | -H-- | M] () -- C:\XP\tasks\SA.DAT

[2010/08/24 21:51:08 | 000,002,048 | --S- | M] () -- C:\XP\bootstat.dat

[2010/08/24 21:50:24 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\SIUNANA\NTUSER.DAT

[2010/08/24 21:50:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\SIUNANA\ntuser.ini

[2010/08/24 19:50:55 | 000,000,716 | ---- | M] () -- C:\Documents and Settings\All Users.XP\??\Malwarebytes' Anti-Malware.lnk

[2010/08/24 19:45:42 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\SIUNANA\??\mbam-setup-1.46.exe

[2010/08/24 18:47:57 | 000,220,672 | ---- | M] () -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/08/23 21:22:41 | 000,320,000 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\FDR MPS Auth Grid.xls

[2010/08/23 18:01:15 | 000,065,856 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\animal.jpg

[2010/08/23 17:37:08 | 000,000,069 | ---- | M] () -- C:\XP\NeroDigital.ini

[2010/08/21 16:24:02 | 000,597,802 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\IMG_0445.JPG

[2010/08/21 16:24:01 | 000,541,690 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\IMG_0444.JPG

[2010/08/21 16:24:00 | 000,493,263 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\IMG_0441.JPG

[2010/08/21 16:23:59 | 000,516,887 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\IMG_0443.JPG

[2010/08/21 16:23:57 | 000,477,728 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\IMG_0442.JPG

[2010/08/21 05:28:00 | 000,000,592 | ---- | M] () -- C:\XP\tasks\GoogleUpdateTaskUserS-1-5-21-329068152-117609710-1177238915-1003Core.job

[2010/08/19 20:15:02 | 000,505,436 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\xvi32.zip

[2010/08/19 20:08:55 | 001,997,613 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\NPSWF32_20100213.zip

[2010/08/18 17:32:17 | 000,057,432 | ---- | M] () -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/08/18 17:29:07 | 000,235,960 | ---- | M] () -- C:\XP\System32\FNTCACHE.DAT

[2010/08/17 22:13:37 | 001,575,352 | -H-- | M] () -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\IconCache.db

[2010/08/12 21:36:09 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\SIUNANA\??\HijackThis.exe

[2010/08/09 22:12:00 | 000,000,299 | ---- | M] () -- C:\XP\system.ini

[2010/08/09 22:10:47 | 000,000,027 | ---- | M] () -- C:\XP\System32\drivers\etc\hosts.msn

[2010/08/09 22:10:47 | 000,000,027 | ---- | M] () -- C:\XP\System32\drivers\etc\hosts

[2010/08/08 18:07:24 | 000,979,366 | ---- | M] () -- C:\XP\System32\PerfStringBackup.INI

[2010/08/08 18:07:24 | 000,432,690 | ---- | M] () -- C:\XP\System32\perfh009.dat

[2010/08/08 18:07:24 | 000,315,958 | ---- | M] () -- C:\XP\System32\prfh0404.dat

[2010/08/08 18:07:24 | 000,144,120 | ---- | M] () -- C:\XP\System32\prfc0404.dat

[2010/08/08 18:07:24 | 000,067,646 | ---- | M] () -- C:\XP\System32\perfc009.dat

[2010/08/08 18:03:02 | 000,001,355 | ---- | M] () -- C:\XP\imsins.BAK

[2010/08/08 16:33:38 | 000,000,271 | RHS- | M] () -- C:\boot.ini

[2010/08/07 14:00:39 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\housecall.guid.cache

[2010/08/07 13:59:56 | 001,870,800 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\SIUNANA\??\HousecallLauncher.exe

[2010/08/06 23:32:31 | 100,129,178 | ---- | M] (Zombie Cow Studios ) -- C:\Documents and Settings\SIUNANA\??\privatesdownload.exe

[2010/08/02 20:11:14 | 000,128,582 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\grandma bday card.jpg

[2010/07/31 20:27:58 | 000,001,552 | ---- | M] () -- C:\XP\System32\cid_store.dat

[2010/07/31 19:49:02 | 000,000,026 | ---- | M] () -- C:\XP\System32\xlhcc.dat

[2010/07/31 11:15:13 | 000,095,232 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\stuff to buy.doc

[2010/07/31 11:15:12 | 000,139,392 | ---- | M] () -- C:\Documents and Settings\SIUNANA\??\stuff to buy.pdf

[2010/07/26 23:29:43 | 008,322,560 | ---- | M] (Microsoft Corporation) -- C:\XP\System32\dllcache\shell32.dll

========== Files Created - No Company Name ==========

[2010/08/25 17:43:10 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\RKUnhookerLE.EXE

[2010/08/24 19:50:55 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\All Users.XP\??\Malwarebytes' Anti-Malware.lnk

[2010/08/23 21:07:29 | 000,320,000 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\FDR MPS Auth Grid.xls

[2010/08/23 18:01:15 | 000,065,856 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\animal.jpg

[2010/08/21 16:24:01 | 000,597,802 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\IMG_0445.JPG

[2010/08/21 16:24:00 | 000,541,690 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\IMG_0444.JPG

[2010/08/21 16:23:58 | 000,516,887 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\IMG_0443.JPG

[2010/08/21 16:23:56 | 000,477,728 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\IMG_0442.JPG

[2010/08/21 16:23:55 | 000,493,263 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\IMG_0441.JPG

[2010/08/19 20:14:59 | 000,505,436 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\xvi32.zip

[2010/08/19 20:08:54 | 001,997,613 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\NPSWF32_20100213.zip

[2010/08/08 16:33:38 | 000,000,200 | ---- | C] () -- C:\Boot.bak

[2010/08/08 16:33:35 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/08/07 14:00:39 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\housecall.guid.cache

[2010/08/06 23:49:47 | 000,134,360 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/08/02 20:13:34 | 000,128,582 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\grandma bday card.jpg

[2010/07/31 11:13:01 | 000,095,232 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\stuff to buy.doc

[2010/07/31 10:43:33 | 000,139,392 | ---- | C] () -- C:\Documents and Settings\SIUNANA\??\stuff to buy.pdf

[2010/07/13 18:38:41 | 000,000,059 | ---- | C] () -- C:\Documents and Settings\SIUNANA\Application Data\default.pls

[2010/05/26 07:37:20 | 000,000,133 | ---- | C] () -- C:\XP\System32\Ku6Kss.ini

[2010/03/26 18:40:29 | 000,379,904 | ---- | C] () -- C:\XP\System32\vstudiotm.dll

[2010/02/21 21:18:16 | 000,001,190 | ---- | C] () -- C:\XP\System32\funshion.ini

[2010/01/19 09:11:28 | 000,001,350 | ---- | C] () -- C:\Documents and Settings\All Users.XP\Application Data\QTSBandwidthCache

[2009/12/03 19:54:42 | 000,000,069 | ---- | C] () -- C:\XP\NeroDigital.ini

[2009/11/13 20:22:43 | 000,001,746 | ---- | C] () -- C:\XP\Language_trs.ini

[2009/11/13 20:22:27 | 000,018,583 | ---- | C] () -- C:\XP\Ascd_tmp.ini

[2009/11/13 20:22:25 | 000,010,296 | ---- | C] () -- C:\XP\System32\drivers\ASUSHWIO.SYS

[2009/09/27 00:41:18 | 000,001,573 | ---- | C] () -- C:\XP\System32\Ku6Ksw.dll

[2009/07/20 14:53:06 | 000,029,752 | ---- | C] () -- C:\XP\System32\InstHelper.dll

[2009/07/20 14:41:59 | 000,197,680 | ---- | C] () -- C:\XP\System32\vpnapi.dll

[2009/07/20 14:41:57 | 000,193,584 | ---- | C] () -- C:\XP\System32\CSGina.dll

[2009/05/11 13:38:40 | 000,000,280 | ---- | C] () -- C:\XP\System32\epoPGPsdk.dll.sig

[2009/04/04 18:25:19 | 000,000,168 | ---- | C] () -- C:\XP\ConverterCore.INI

[2009/04/03 23:14:08 | 000,000,043 | ---- | C] () -- C:\XP\gswin32.ini

[2009/02/03 19:52:31 | 000,000,029 | ---- | C] () -- C:\XP\Index.ini

[2009/01/23 22:22:56 | 000,000,026 | ---- | C] () -- C:\XP\Dreye20.ini

[2009/01/23 22:21:00 | 000,080,896 | ---- | C] () -- C:\XP\System32\LDPLAY.DLL

[2009/01/23 22:21:00 | 000,024,576 | ---- | C] () -- C:\XP\System32\Voice.dll

[2009/01/23 22:20:58 | 000,040,960 | ---- | C] () -- C:\XP\System32\mttrans.dll

[2009/01/23 22:20:58 | 000,011,264 | ---- | C] () -- C:\XP\System32\Tran.dll

[2009/01/23 22:20:57 | 000,192,000 | ---- | C] () -- C:\XP\System32\MTDLL32.DLL

[2009/01/23 22:20:55 | 000,294,912 | ---- | C] () -- C:\XP\System32\DreyeSkinCtrls80U.dll

[2009/01/23 22:20:55 | 000,212,992 | ---- | C] () -- C:\XP\System32\drwss.dll

[2009/01/23 22:20:55 | 000,106,496 | ---- | C] () -- C:\XP\System32\AddToNote.dll

[2009/01/23 22:20:55 | 000,077,824 | ---- | C] () -- C:\XP\System32\DreyeDBW.dll

[2009/01/23 22:20:55 | 000,069,632 | ---- | C] () -- C:\XP\System32\DreyeDBU.dll

[2009/01/23 22:20:55 | 000,065,536 | ---- | C] () -- C:\XP\System32\ClientProc.dll

[2009/01/23 22:20:55 | 000,061,440 | ---- | C] () -- C:\XP\System32\Text32.dll

[2009/01/23 22:20:55 | 000,057,344 | ---- | C] () -- C:\XP\System32\DictInfo.dll

[2009/01/23 22:20:55 | 000,049,152 | ---- | C] () -- C:\XP\System32\DreyeMT.dll

[2009/01/23 22:20:55 | 000,032,768 | ---- | C] () -- C:\XP\System32\ITToolTip.dll

[2009/01/23 22:20:55 | 000,026,112 | ---- | C] () -- C:\XP\System32\LevelApi.dll

[2009/01/23 22:20:54 | 000,053,248 | ---- | C] () -- C:\XP\System32\exeProc.dll

[2009/01/08 19:32:07 | 000,087,552 | ---- | C] () -- C:\XP\System32\cpwmon2k.dll

[2009/01/04 13:13:47 | 000,106,496 | R--- | C] () -- C:\XP\System32\vshp1018.dll

[2008/12/30 08:37:02 | 000,024,832 | ---- | C] () -- C:\XP\System32\drivers\sncamd.sys

[2008/12/30 08:37:02 | 000,015,497 | ---- | C] () -- C:\XP\snp2std.ini

[2008/12/30 08:37:01 | 010,305,280 | ---- | C] () -- C:\XP\System32\drivers\snp2sxp.sys

[2008/12/26 10:31:35 | 000,856,064 | ---- | C] () -- C:\XP\System32\xvidcore.dll

[2008/12/26 10:31:34 | 003,596,288 | ---- | C] () -- C:\XP\System32\qt-dx331.dll

[2008/12/26 10:31:33 | 000,005,120 | ---- | C] () -- C:\XP\System32\ff_vfw.dll

[2008/12/26 10:31:33 | 000,000,547 | ---- | C] () -- C:\XP\System32\ff_vfw.dll.manifest

[2008/12/26 10:18:19 | 000,220,672 | ---- | C] () -- C:\Documents and Settings\SIUNANA\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/12/23 12:48:53 | 000,001,522 | ---- | C] () -- C:\XP\System32\MagicKBD.INI

[2008/12/23 12:48:53 | 000,001,520 | ---- | C] () -- C:\XP\System32\SIUNANA_KBD.ini

[2008/12/23 12:48:49 | 000,003,425 | ---- | C] () -- C:\XP\System32\KBDR.INI

[2008/12/23 12:48:49 | 000,002,741 | ---- | C] () -- C:\XP\System32\KBDD.INI

[2008/12/23 12:48:49 | 000,002,699 | ---- | C] () -- C:\XP\System32\KBDO.INI

[2008/12/23 12:48:49 | 000,002,699 | ---- | C] () -- C:\XP\System32\KBDC.INI

[2008/12/23 12:48:49 | 000,002,606 | ---- | C] () -- C:\XP\System32\KBDB.INI

[2008/12/23 12:48:49 | 000,002,236 | ---- | C] () -- C:\XP\System32\KBDQ.INI

[2008/12/23 12:48:49 | 000,001,956 | ---- | C] () -- C:\XP\System32\KBDE.INI

[2008/12/23 12:48:49 | 000,001,885 | ---- | C] () -- C:\XP\System32\KBDP.INI

[2008/12/23 12:48:49 | 000,001,857 | ---- | C] () -- C:\XP\System32\KBDUU.INI

[2008/12/23 12:48:49 | 000,001,835 | ---- | C] () -- C:\XP\System32\KBDG.INI

[2008/12/23 12:48:49 | 000,001,835 | ---- | C] () -- C:\XP\System32\KBDA.INI

[2008/12/23 12:48:49 | 000,001,834 | ---- | C] () -- C:\XP\System32\KBDU.INI

[2008/12/23 12:48:49 | 000,001,819 | ---- | C] () -- C:\XP\System32\KBDN.INI

[2008/12/23 12:48:49 | 000,001,699 | ---- | C] () -- C:\XP\System32\KBDT.INI

[2008/12/23 12:48:49 | 000,001,697 | ---- | C] () -- C:\XP\System32\KBDV.INI

[2008/12/23 12:48:49 | 000,001,522 | ---- | C] () -- C:\XP\System32\KBDS.INI

[2008/12/23 12:48:49 | 000,001,476 | ---- | C] () -- C:\XP\System32\KBDF.INI

[2008/12/23 12:48:00 | 000,004,300 | ---- | C] () -- C:\XP\System32\MEMIO.SYS

[2008/12/23 12:47:59 | 000,000,135 | R--- | C] () -- C:\XP\System32\lngEng.ini

[2008/12/23 12:47:59 | 000,000,117 | ---- | C] () -- C:\XP\System32\lngKor.ini

[2008/12/23 11:20:32 | 000,000,364 | ---- | C] () -- C:\XP\ODBC.INI

[2008/12/23 10:22:30 | 000,147,456 | ---- | C] () -- C:\XP\System32\igfxCoIn_v4969.dll

[2008/12/23 10:11:50 | 000,197,648 | ---- | C] () -- C:\XP\System32\drivers\StkCSF.sys

[2006/07/06 06:21:44 | 000,061,440 | ---- | C] () -- C:\XP\System32\AVSAudioWideStereoDMO.dll

[2006/07/06 06:21:42 | 000,081,920 | ---- | C] () -- C:\XP\System32\AVSAudioAmp.dll

[2005/02/17 13:41:32 | 000,000,603 | ---- | C] () -- C:\XP\System32\BTNeighborhood.dll.manifest

[2005/02/17 13:41:30 | 000,000,593 | ---- | C] () -- C:\XP\System32\btcss.dll.manifest

========== Files - Unicode (All) ==========

[2010/08/07 21:18:35 | 1861,521,939 | ---- | C] ()(C:\Documents and Settings\SIUNANA\??\????[72P??www.XunLei168.com????].rmvb) -- C:\Documents and Settings\SIUNANA\??\????[72P??www.XunLei168.com????].rmvb

[2010/05/26 07:37:20 | 000,000,000 | ---D | M](C:\Documents and Settings\SIUNANA\My Documents\?6??) -- C:\Documents and Settings\SIUNANA\My Documents\?6??

[2010/05/26 07:37:20 | 000,000,000 | ---D | C](C:\Documents and Settings\SIUNANA\My Documents\?6??) -- C:\Documents and Settings\SIUNANA\My Documents\?6??

[2010/04/20 18:03:27 | 000,000,000 | ---D | M](C:\Documents and Settings\SIUNANA\My Documents\????) -- C:\Documents and Settings\SIUNANA\My Documents\????

[2010/04/20 18:03:27 | 000,000,000 | ---D | C](C:\Documents and Settings\SIUNANA\My Documents\????) -- C:\Documents and Settings\SIUNANA\My Documents\????

[2010/04/04 19:57:12 | 1861,521,939 | ---- | M] ()(C:\Documents and Settings\SIUNANA\??\????[72P??www.XunLei168.com????].rmvb) -- C:\Documents and Settings\SIUNANA\??\????[72P??www.XunLei168.com????].rmvb

[2009/11/23 03:05:57 | 000,000,000 | ---D | M](C:\Documents and Settings\SIUNANA\?) -- C:\Documents and Settings\SIUNANA\?

[2009/08/28 14:59:08 | 000,000,000 | ---D | M](C:\Documents and Settings\SIUNANA\My Documents\?????) -- C:\Documents and Settings\SIUNANA\My Documents\?????

[2009/08/28 14:59:08 | 000,000,000 | ---D | C](C:\Documents and Settings\SIUNANA\My Documents\?????) -- C:\Documents and Settings\SIUNANA\My Documents\?????

(C:\Documents and Settings\SIUNANA\?) -- C:\Documents and Settings\SIUNANA\?

< End of report >

EXTRA OTL LOG

OTL Extras logfile created on: 2010/8/25 ?? 05:45:02 - Run 1

OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\SIUNANA\??

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000404 | Country: ?? | Language: CHT | Date Format: yyyy/M/d

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\XP | %ProgramFiles% = C:\Program Files

Drive C: | 80.88 Gb Total Space | 8.44 Gb Free Space | 10.44% Space Free | Partition Type: NTFS

Drive D: | 142.00 Gb Total Space | 94.56 Gb Free Space | 66.59% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NANA

Current User Name: SIUNANA

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Playback] -- "D:\Program Files\TTPlayer\TTPlayer.exe" "%1" (Alen Soft)

Directory [PlayList] -- "D:\Program Files\TTPlayer\TTPlayer.exe" /a "%1" (Alen Soft)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\XP\system32\dpvsetup.exe" = C:\XP\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)

"C:\Program Files\FlashGet\flashget.exe" = C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget -- (FlashGet.com)

"D:\Software\Thunder.v5.8.3.533.NoAD-Ayu\Thunder.v5.8.3.533.NoAD-Ayu\Program\Thunder5.exe" = D:\Software\Thunder.v5.8.3.533.NoAD-Ayu\Thunder.v5.8.3.533.NoAD-Ayu\Program\Thunder5.exe:*:Enabled:Thunder -- (Thunder Networking Technologies,LTD)

"C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe" = C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe:*:Enabled:Thunder -- (Thunder Networking Technologies,LTD)

"C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" = C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe:*:Enabled:VoipDiscount -- (VoipDiscount)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)

"D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidHost.exe" = D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidHost.exe:*:Enabled:PDF Converter SDK -- (VoyagerSoft, LLC)

"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)

"C:\Program Files\nEO iMAGING\nEOiMAGING.exe" = C:\Program Files\nEO iMAGING\nEOiMAGING.exe:*:Enabled:????? -- (nEO Software)

"D:\Program Files\Tencent\QQ\Bin\QQ.exe" = D:\Program Files\Tencent\QQ\Bin\QQ.exe:*:Enabled:QQ2009 -- (Tencent)

"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{04010300-6D72-4D54-8686-91D884A27B5C}" = Cisco Clean Access Agent

"{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}" = ??QQ2009

"{090962E2-4BE8-4A8A-86B0-7A5ED31C1273}" = USB2.0 UVC WebCam

"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour

"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution III

"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager

"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer

"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live ????

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java 6 Update 17

"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1

"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}" = Samsung Magic Doctor

"{350C97B6-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise

"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale

"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform

"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime

"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{45C688DE-63BA-3756-839B-4AF3F209E21A}" = Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - CHT

"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7

"{62BD272C-8321-3177-912F-1134326A7187}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - CHT

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Samsung Battery Manager

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{75438C0E-9925-412E-AD85-D0E71C6CE2ED}" = USB2.0 PC Camera (SN9C201&202)

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support

"{86CE1746-9EFF-3C9C-8755-81EA8903AC34}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BC76CCE-A9EC-4A3A-9B51-D823805E1D1F}" = SolidConverterPDF

"{9EB3D421-CE81-3AC9-BFA8-354FA3D1DD60}" = Microsoft .NET Framework 3.5 Language Pack - cht

"{A12A275B-C9F3-0A54-9980-BC60A4861768}" = Yahoo! ????? 1.0 ??? (build 2251)

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor

"{ABB14904-A11B-4F42-996C-80FD608A0F17}" = Samsung EDS

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2

"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9

"{AC76BA86-7AD7-2448-0000-900000000003}" = Chinese Traditional Fonts Support For Adobe Reader 9

"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9

"{ADD0F6AB-BA68-494E-8719-0A2D89C2D231}" = Dr.eye 8.0 Pro Dict

"{AED53CDF-1046-4C6B-B5E2-C195125ECDA0}" = Intel® PROSet/Wireless WiFi ??

"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support

"{B7B3E9B3-FB14-4927-894B-E9124509AF5A}" = Adobe Flash Player 10 ActiveX

"{B8E9E624-9B2A-41DC-809C-CAA9D59DC0CE}" = User Speech Profile

"{BD723E53-A42C-4702-AA04-1D74A0311590}" = Magic Keyboard

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C1A6B23C-438E-4D08-B508-4E830CA8F335}" = IBM ViaVoice TTS Runtime v6.701 - US English

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype 4.2

"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database

"{E156350B-E9C9-49E9-AD7D-DE5E9101FB84}" = Dr.eye 8.0 Pro

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F282D708-D8A3-48B4-ACF3-77B3C33D0DE7}" = ???????? 2003

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"Adobe AIR" = Adobe AIR

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"Any Video Converter_is1" = Any Video Converter 2.7.9

"ATMA_is1" = ATMA 5.04c ?????

"Audacity_is1" = Audacity 1.2.6

"CutePDF Writer Installation" = CutePDF Writer 2.7

"FlashGet" = FlashGet 1.9.6.1073

"Google Desktop" = Google Desktop

"HDMI" = Intel® Graphics Media Accelerator Driver

"HP OrderReminder" = HP OrderReminder

"HP-LaserJet 1018" = LaserJet 1018

"ie8" = Windows Internet Explorer 8

"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 1.59

"Lingoes Translator_is1" = Lingoes 2.5.2

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5

"Microsoft .NET Framework 3.5 Language Pack - cht" = Microsoft .NET Framework 3.5 ???? - ????

"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)

"MSCSR" = Microsoft Speech Recognition Engine 4.0 (English)

"NVIDIA Drivers" = NVIDIA Drivers

"Picasa 3" = Picasa 3

"ProInst" = Intel PROSet Wireless

"The Typing of the Dead" = The Typing of the Dead

"thunder_is1" = ??5

"TTPlayer" = ???? 5.5.2

"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine

"ViewpointMediaPlayer" = Viewpoint Media Player

"Voice Recorder_is1" = Voice Recorder 1.0.1.39

"VoipDiscount_is1" = VoipDiscount

"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows????_is1" = Windows????

"WinLiveSuite_Wave3" = Windows Live Essentials

"WinRAR archiver" = WinRAR ????

"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

"YInstHelper" = Yahoo! Install Manager

"?????2V1.11???_is1" = ?????2V1.11???

"?????_is1" = ????? 1.2.0.2

"?????_is1" = ????? 3.1.1.58

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-329068152-117609710-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google ???

"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 2010/8/24 ?? 08:52:45 | Computer Name = NANA | Source = crypt32 | ID = 131080

Description = ? <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

????????????????????: A connection with the server could not be established

Error - 2010/8/24 ?? 08:52:46 | Computer Name = NANA | Source = crypt32 | ID = 131080

Description = ? <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

????????????????????: ??????????

Error - 2010/8/24 ?? 09:57:31 | Computer Name = NANA | Source = Application Error | ID = 1000

Description = ??????? chrome.exe??? 0.0.0.0?????? chrome.dll??? 5.0.375.127?????

0x0039c80d?

Error - 2010/8/24 ?? 11:28:26 | Computer Name = NANA | Source = Google Update | ID = 20

Description =

Error - 2010/8/24 ?? 11:39:49 | Computer Name = NANA | Source = McLogEvent | ID = 5051

Description = ?? C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe ???????

90000 ms ??????? ??????? ??? ID?2072 (0x818) ??????0x7C92E514 ?????? Build VSCORE.13.3.1.100

/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\Users\SIUNANA\My Documents\diablo2_214game.exe

by C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe 4(0)(0) 4(0)(0) 7200(0)(0)

7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 2010/8/24 ?? 11:39:50 | Computer Name = NANA | Source = McLogEvent | ID = 1008

Description = McShield ??????? ????? 5019 ? 5051 ???????? McShield ???? 5 ???????

Error - 2010/8/25 ?? 12:28:18 | Computer Name = NANA | Source = Google Update | ID = 20

Description =

Error - 2010/8/25 ?? 01:14:33 | Computer Name = NANA | Source = crypt32 | ID = 131080

Description = ? <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

????????????????????: A connection with the server could not be established

Error - 2010/8/25 ?? 01:14:33 | Computer Name = NANA | Source = crypt32 | ID = 131080

Description = ? <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

????????????????????: ??????????

Error - 2010/8/25 ?? 08:49:19 | Computer Name = NANA | Source = crypt32 | ID = 131080

Description = ? <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

????????????????????: A connection with the server could not be established

[ System Events ]

Error - 2010/8/25 ?? 12:51:29 | Computer Name = NANA | Source = Ftdisk | ID = 262193

Description = ??????????????????????????


There you go. Thanks for helping me!

I didn't restart my computer after I ran OTL and RKU. Let me know if I should do so.

The fake anti virus program prevented me from opening any program and browsing any website. What I did is press ctrl+alt+del right after the computer starts and before that program runs, so I can shut down the process from there. but I still cannot browse website.

The other problem is web redirecting(before my computer was attacked by fake anti virus program). Only web search were redirected at first, but it gets worse, any website will redirect itself.

Thanks again! <3 <3

RKU LOG

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xA6A55000 C:\XP\System32\Drivers\StkCPipe.sys 12935168 bytes (Syntek America Inc., Syntek USB 2.0 Video Pipeline Driver)

0xB9165000 C:\XP\system32\DRIVERS\igxpmp32.sys 6045696 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xA7AD8000 C:\XP\system32\drivers\RtkHDAud.sys 4968448 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xB8D8E000 C:\XP\system32\DRIVERS\NETw5x32.sys 3633152 bytes (Intel Corporation, Intel


Hello there,

Unfortunately you have a nasty rootkit on board. Before starting the cleaning process, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I'm not sure if you can read Chinese B)

If you need me to translate into English, let me know!

Thank you again Elise :)

ComboFix 10-08-27.02 - SIUNANA /08/27 ??? 18:33:18.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.3033.2466 [GMT -7:00]

????: c:\documents and settings\SIUNANA\??\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* ?????????

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.XP\Application Data\t

c:\documents and settings\NetworkService\Local Settings\Application Data\fecuxmyyc

c:\documents and settings\NetworkService\Local Settings\Application Data\hciwxjxvt

????? c:\xp\system32\drivers\rdpcdd.sys ??????

? - Kitty had a snack :) ??????

.

((((((((((((((((((((((((( 2010-07-28 ? 2010-08-28 ????? )))))))))))))))))))))))))))))))

.

2010-08-25 02:51 . 2010-08-25 02:51 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\Malwarebytes

2010-08-25 02:50 . 2010-04-29 22:39 38224 ----a-w- c:\xp\system32\drivers\mbamswissarmy.sys

2010-08-25 02:50 . 2010-08-25 02:50 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\Malwarebytes

2010-08-25 02:50 . 2010-04-29 22:39 20952 ----a-w- c:\xp\system32\drivers\mbam.sys

2010-08-25 02:50 . 2010-08-25 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-24 05:01 . 2010-08-24 05:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-18 04:25 . 2010-08-18 04:25 -------- d-----w- c:\documents and settings\SIUNANA\Local Settings\Application Data\Help

2010-08-09 00:36 . 2010-08-09 00:36 -------- d-----w- c:\xp\ie8updates

2010-08-07 23:25 . 2010-05-06 10:31 599040 -c----w- c:\xp\system32\dllcache\msfeeds.dll

2010-08-07 23:25 . 2010-05-06 10:31 55296 -c----w- c:\xp\system32\dllcache\msfeedsbs.dll

2010-08-07 23:24 . 2010-05-06 10:31 12800 -c----w- c:\xp\system32\dllcache\xpshims.dll

2010-08-07 23:24 . 2010-05-06 10:31 247808 -c----w- c:\xp\system32\dllcache\ieproxy.dll

2010-08-07 23:24 . 2010-05-06 10:31 743424 -c----w- c:\xp\system32\dllcache\iedvtool.dll

2010-08-07 23:24 . 2010-05-06 10:31 1985536 -c----w- c:\xp\system32\dllcache\iertutil.dll

2010-08-07 23:24 . 2010-05-06 10:31 11076096 -c----w- c:\xp\system32\dllcache\ieframe.dll

2010-08-07 06:53 . 2010-08-07 06:53 -------- d-----w- c:\program files\Microsoft XNA

2010-08-07 06:52 . 2006-06-29 20:07 14048 ------w- c:\xp\system32\spmsg2.dll

2010-08-07 06:49 . 2010-08-07 06:49 134360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-08-07 06:48 . 2010-08-07 06:51 -------- d-----w- c:\xp\system32\XPSViewer

2010-08-02 05:43 . 2010-08-02 05:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-08-01 18:22 . 2010-08-01 18:25 -------- d-----w- c:\documents and settings\SIUNANA\.gconfd

2010-08-01 18:22 . 2010-08-01 18:22 -------- d-----w- c:\documents and settings\SIUNANA\.gnome2_private

2010-08-01 18:22 . 2010-08-01 18:22 -------- d-----w- c:\documents and settings\SIUNANA\.gnome2

2010-08-01 18:22 . 2010-08-01 18:22 -------- d-----w- c:\documents and settings\SIUNANA\.gconf

2010-08-01 18:22 . 2010-08-01 18:24 -------- d-----w- c:\documents and settings\SIUNANA\.gnucash

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-25 03:01 . 2009-10-11 12:26 -------- d-----w- c:\program files\OutlookExpress

2010-08-24 05:16 . 2008-12-26 17:27 188152 ----a-w- c:\documents and settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\FlashGot.exe

2010-08-24 04:40 . 2009-04-06 18:06 -------- d-----w- c:\xp\system32\config\systemprofile\Application Data\SolidDocuments

2010-08-24 04:22 . 2009-04-05 01:13 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\SolidDocuments

2010-08-24 00:54 . 2009-01-25 19:07 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\Yahoo! KeyKey

2010-08-19 00:32 . 2008-12-23 19:53 57432 ----a-w- c:\documents and settings\SIUNANA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-09 01:07 . 2004-08-04 20:00 315958 ----a-w- c:\xp\system32\prfh0404.dat

2010-08-09 01:07 . 2004-08-04 20:00 144120 ----a-w- c:\xp\system32\prfc0404.dat

2010-08-01 03:27 . 2008-12-24 18:22 1552 ----a-w- c:\xp\system32\cid_store.dat

2010-08-01 02:49 . 2008-12-24 18:22 26 ----a-w- c:\xp\system32\xlhcc.dat

2010-08-01 02:48 . 2008-12-26 17:25 -------- d-----w- c:\program files\FlashGet

2010-07-14 03:06 . 2010-03-20 01:42 36 ---ha-w- c:\xp\system32\f9t.dat

2010-07-13 00:57 . 2010-07-13 00:49 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\Apple Computer

2010-07-13 00:49 . 2010-07-13 00:48 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-13 00:48 . 2010-07-13 00:48 -------- d-----w- c:\program files\iPod

2010-07-13 00:48 . 2010-07-13 00:43 -------- d-----w- c:\program files\Common Files\Apple

2010-07-13 00:48 . 2008-12-26 17:31 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\Apple Computer

2010-07-13 00:44 . 2010-07-13 00:44 -------- d-----w- c:\program files\Apple Software Update

2010-07-13 00:43 . 2010-07-13 00:43 -------- d-----w- c:\program files\Bonjour

2010-07-13 00:43 . 2010-07-13 00:43 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\Apple

2010-07-06 06:14 . 2009-06-22 03:32 -------- d-----w- c:\program files\nEO iMAGING

2010-07-05 05:43 . 2009-01-13 22:26 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\U3

2010-06-16 03:01 . 2010-06-16 03:01 72504 ----a-w- c:\documents and settings\All Users.XP\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-14 14:31 . 2008-12-23 16:59 744448 ----a-w- c:\xp\pchealth\helpctr\binaries\helpsvc.exe

2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\xp\system32\GPhotos.scr

2010-06-23 03:01 . 2009-07-09 06:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2008-12-18 08:43 . 2008-12-27 16:37 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2008-12-18 08:43 . 2008-12-27 16:37 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\xp\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\xp\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\xp\system32\drivers\tcpip.sys

[-] 2008-04-14 . 607C976B22AEB2FCF8A7486BCCA1E3BF . 361344 . . [5.1.2600.5512] . . c:\xp\$NtUninstallKB951748$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Ku6KssService]

@="{1CE908E9-4E19-4A42-9E8F-5BBFB1080E9B}"

[HKEY_CLASSES_ROOT\CLSID\{1CE908E9-4E19-4A42-9E8F-5BBFB1080E9B}]

2009-09-27 07:41 308840 ----a-w- c:\xp\system32\Ku6Kss.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\SIUNANA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-05 133104]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-25 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\xp\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-10 1191936]

"Persistence"="c:\xp\system32\igfxpers.exe" [2008-12-23 150040]

"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 16862720]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-07 2772992]

"tsnp2std"="c:\xp\tsnp2std.exe" [2006-05-22 262144]

"snp2std"="c:\xp\vsnp2std.exe" [2006-05-15 675840]

"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE" [2003-07-14 95296]

"KeyKeyServer"="d:\program files\Yahoo!\KeyKey\KeyKeyServer.exe" [2009-08-17 2539520]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-23 30192]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2010-03-19 421888]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\xp\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.XP\???????\???\??\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-7-20 1528880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\XP\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"d:\\Software\\Thunder.v5.8.3.533.NoAD-Ayu\\Thunder.v5.8.3.533.NoAD-Ayu\\Program\\Thunder5.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

"c:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Program Files\\SolidDocuments\\SolidConverterPDF\\SCPDF\\SolidHost.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\nEO iMAGING\\nEOiMAGING.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

R2 DOSMEMIO;MEMIO;c:\xp\system32\MEMIO.SYS [2008/12/23 ?? 12:48 4300]

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\xp\system32\StkCSrv.exe [2008/12/23 ?? 10:11 31248]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009/1/25 ?? 12:03 24652]

R3 Alidevice;Alidevice;c:\xp\system32\drivers\alidevice.sys [2010/2/6 ?? 11:45 6656]

R3 DNSeFilter;DNSeFilter;c:\xp\system32\drivers\SamsungEDS.SYS [2008/1/14 ?? 04:01 30208]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\xp\system32\drivers\IntcHdmi.sys [2008/12/23 ?? 10:22 110080]

R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\xp\system32\drivers\StkCMini.sys [2008/12/23 ?? 10:11 1363088]

S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009/7/8 ?? 11:32 30192]

.


Hi, no problem, I know what's supposed to be there. :P

Please let me know how things run after the following fix.

CF-SCRIPT

-------------

Open notepad and copy/paste the text in the quotebox below into it:

<http://forums.malwarebytes.org/index.php?showtopic=61245&view=findpost&p=305872>

FCopy::
c:\xp\system32\dllcache\tcpip.sys | c:\xp\system32\drivers\tcpip.sys

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Collect::
c:\xp\Tasks\e69ac.job
c:\xp\Downlo~1\e69ac.dll
c:\xp\Tasks\e69b.job
c:\xp\Downlo~1\e69b.dll

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

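The two findings that drive the CFScript above are visible in the logs posted earlier in this thread: the Sigcheck block shows that the tcpip.sys Windows actually loads (c:\xp\system32\drivers\tcpip.sys) fails verification and has a different MD5 from the verified copy of the same version in dllcache, which is why the FCopy:: line restores it from there; and the DDS:: lines show Internet Explorer's proxy pointed at a listener on 127.0.0.1:6522, which is how a rogue local proxy can redirect or block every site the user visits. The script below is an added example written for this page, not ComboFix's or Malwarebytes' code. It parses those log lines (copied into the script as sample input) and applies that reasoning. It assumes my reading of the Sigcheck flag ([7] = verified against a Microsoft catalog, [-] = not verified) and treats a hash mismatch against a verified copy of the same file version as evidence of patching; hashes of different versions (the SP3QFE hotfix branch, the pre-hotfix backup) legitimately differ and are not compared.

```python
"""Triage of the ComboFix Sigcheck block and the CFScript DDS:: lines.

Added example for this thread; it is not ComboFix code. It reads the log
text embedded below (copied from the posts above) rather than the live system.
"""
import ipaddress
import re

# One Sigcheck record per line, as printed in the ComboFix log:
#   [flag] date . MD5 . size . . [file version] . . path
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)

# Copied from the first ComboFix log in this thread.
SIGCHECK_LOG = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\xp\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\xp\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\xp\system32\drivers\tcpip.sys
[-] 2008-04-14 . 607C976B22AEB2FCF8A7486BCCA1E3BF . 361344 . . [5.1.2600.5512] . . c:\xp\$NtUninstallKB951748$\tcpip.sys
"""

# Copied from the DDS:: section of the CFScript in this thread.
DDS_LOG = """
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
"""

LIVE_DIR = "\\system32\\drivers\\"   # where the running kernel loads tcpip.sys from
WFP_CACHE = "\\dllcache\\"           # Windows File Protection's pristine copy


def parse_sigcheck(text):
    """Parse Sigcheck lines. Assumption: '[7]' means the file verified against a
    Microsoft catalog and '[-]' means it did not; any other flag counts as unverified."""
    records = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["verified"] = rec["flag"] == "7"
        records.append(rec)
    return records


def assess_live_driver(records):
    """Judge the copy that Windows actually loads.

    Only a verified copy of the *same* file version is a valid reference:
    the hotfix (QFE) branch and the pre-hotfix backup carry their own hashes.
    """
    live = [r for r in records if LIVE_DIR in r["path"].lower()]
    if not live:
        return {"status": "no-live-copy"}
    live = live[0]
    if live["verified"]:
        return {"status": "ok", "live": live["path"]}
    refs = [r for r in records
            if r is not live and r["verified"] and r["version"] == live["version"]]
    if not refs:
        return {"status": "unverified-no-reference", "live": live["path"]}
    # Prefer dllcache as the restore source: the same source the FCopy:: line uses.
    refs.sort(key=lambda r: WFP_CACHE not in r["path"].lower())
    ref = refs[0]
    status = "patched" if ref["md5"] != live["md5"] else "unverified-hash-matches"
    return {"status": status, "live": live["path"], "restore_from": ref["path"],
            "live_md5": live["md5"], "reference_md5": ref["md5"]}


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S.*)$")


def suspicious_proxies(text):
    """Return (scheme, host, port) for every proxy entry aimed at the loopback
    address. A browser proxied through 127.0.0.1 that the user never set up
    is a rogue local interceptor, the mechanism behind the redirects here."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        # value is "http=host:port;https=host:port" or a bare "host:port"
        for entry in m.group("value").split(";"):
            scheme, _, hostport = entry.strip().rpartition("=")
            host, _, port = hostport.rpartition(":")
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = host.lower() == "localhost"
            if loopback:
                hits.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return hits


if __name__ == "__main__":
    print(assess_live_driver(parse_sigcheck(SIGCHECK_LOG)))
    print(suspicious_proxies(DDS_LOG))
```

Run as-is it reports the live tcpip.sys as patched with the dllcache copy as the restore source, and flags the http proxy on 127.0.0.1:6522. The same-version rule matters: a naive "flag every [-]" would also accuse the harmless $NtUninstallKB951748$ backup, and a naive majority-hash vote would be confused by the legitimately different SP3QFE build.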

This is the new Combo Fix log after I dragged CFScript.txt to Combo Fix

How do I know if my computer is clean? I don't want to surf the net now to avoid getting more malware.

Thanks Elise <3

ComboFix 10-08-27.03 - SIUNANA /08/28 ??? 16:06:55.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.3033.2532 [GMT -7:00]

????: c:\documents and settings\SIUNANA\??\ComboFix.exe

Command switches used :: c:\documents and settings\SIUNANA\??\CFScript.txt

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\xp\system32\dllcache\tcpip.sys --> c:\xp\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((( 2010-07-28 ? 2010-08-28 ????? )))))))))))))))))))))))))))))))

.

2010-08-25 02:51 . 2010-08-25 02:51 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\Malwarebytes

2010-08-25 02:50 . 2010-04-29 22:39 38224 ----a-w- c:\xp\system32\drivers\mbamswissarmy.sys

2010-08-25 02:50 . 2010-08-25 02:50 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\Malwarebytes

2010-08-25 02:50 . 2010-04-29 22:39 20952 ----a-w- c:\xp\system32\drivers\mbam.sys

2010-08-25 02:50 . 2010-08-25 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-24 05:01 . 2010-08-24 05:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-18 04:25 . 2010-08-18 04:25 -------- d-----w- c:\documents and settings\SIUNANA\Local Settings\Application Data\Help

2010-08-09 00:36 . 2010-08-09 00:36 -------- d-----w- c:\xp\ie8updates

2010-08-07 23:25 . 2010-05-06 10:31 599040 -c----w- c:\xp\system32\dllcache\msfeeds.dll

2010-08-07 23:25 . 2010-05-06 10:31 55296 -c----w- c:\xp\system32\dllcache\msfeedsbs.dll

2010-08-07 23:24 . 2010-05-06 10:31 12800 -c----w- c:\xp\system32\dllcache\xpshims.dll

2010-08-07 23:24 . 2010-05-06 10:31 247808 -c----w- c:\xp\system32\dllcache\ieproxy.dll

2010-08-07 23:24 . 2010-05-06 10:31 743424 -c----w- c:\xp\system32\dllcache\iedvtool.dll

2010-08-07 23:24 . 2010-05-06 10:31 1985536 -c----w- c:\xp\system32\dllcache\iertutil.dll

2010-08-07 23:24 . 2010-05-06 10:31 11076096 -c----w- c:\xp\system32\dllcache\ieframe.dll

2010-08-07 06:53 . 2010-08-07 06:53 -------- d-----w- c:\program files\Microsoft XNA

2010-08-07 06:52 . 2006-06-29 20:07 14048 ------w- c:\xp\system32\spmsg2.dll

2010-08-07 06:49 . 2010-08-07 06:49 134360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-08-07 06:48 . 2010-08-07 06:51 -------- d-----w- c:\xp\system32\XPSViewer

2010-08-02 05:43 . 2010-08-02 05:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-08-01 18:22 . 2010-08-01 18:25 -------- d-----w- c:\documents and settings\SIUNANA\.gconfd

2010-08-01 18:22 . 2010-08-01 18:22 -------- d-----w- c:\documents and settings\SIUNANA\.gnome2_private

2010-08-01 18:22 . 2010-08-01 18:22 -------- d-----w- c:\documents and settings\SIUNANA\.gnome2

2010-08-01 18:22 . 2010-08-01 18:22 -------- d-----w- c:\documents and settings\SIUNANA\.gconf

2010-08-01 18:22 . 2010-08-01 18:24 -------- d-----w- c:\documents and settings\SIUNANA\.gnucash

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-25 03:01 . 2009-10-11 12:26 -------- d-----w- c:\program files\OutlookExpress

2010-08-24 05:16 . 2008-12-26 17:27 188152 ----a-w- c:\documents and settings\SIUNANA\Application Data\Mozilla\Firefox\Profiles\nm7akyds.default\FlashGot.exe

2010-08-24 04:40 . 2009-04-06 18:06 -------- d-----w- c:\xp\system32\config\systemprofile\Application Data\SolidDocuments

2010-08-24 04:22 . 2009-04-05 01:13 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\SolidDocuments

2010-08-24 00:54 . 2009-01-25 19:07 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\Yahoo! KeyKey

2010-08-19 00:32 . 2008-12-23 19:53 57432 ----a-w- c:\documents and settings\SIUNANA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-09 01:07 . 2004-08-04 20:00 315958 ----a-w- c:\xp\system32\prfh0404.dat

2010-08-09 01:07 . 2004-08-04 20:00 144120 ----a-w- c:\xp\system32\prfc0404.dat

2010-08-01 03:27 . 2008-12-24 18:22 1552 ----a-w- c:\xp\system32\cid_store.dat

2010-08-01 02:49 . 2008-12-24 18:22 26 ----a-w- c:\xp\system32\xlhcc.dat

2010-08-01 02:48 . 2008-12-26 17:25 -------- d-----w- c:\program files\FlashGet

2010-07-14 03:06 . 2010-03-20 01:42 36 ---ha-w- c:\xp\system32\f9t.dat

2010-07-13 00:57 . 2010-07-13 00:49 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\Apple Computer

2010-07-13 00:49 . 2010-07-13 00:48 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-13 00:48 . 2010-07-13 00:48 -------- d-----w- c:\program files\iPod

2010-07-13 00:48 . 2010-07-13 00:43 -------- d-----w- c:\program files\Common Files\Apple

2010-07-13 00:48 . 2008-12-26 17:31 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\Apple Computer

2010-07-13 00:44 . 2010-07-13 00:44 -------- d-----w- c:\program files\Apple Software Update

2010-07-13 00:43 . 2010-07-13 00:43 -------- d-----w- c:\program files\Bonjour

2010-07-13 00:43 . 2010-07-13 00:43 -------- d-----w- c:\documents and settings\All Users.XP\Application Data\Apple

2010-07-06 06:14 . 2009-06-22 03:32 -------- d-----w- c:\program files\nEO iMAGING

2010-07-05 05:43 . 2009-01-13 22:26 -------- d-----w- c:\documents and settings\SIUNANA\Application Data\U3

2010-06-16 03:01 . 2010-06-16 03:01 72504 ----a-w- c:\documents and settings\All Users.XP\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-14 14:31 . 2008-12-23 16:59 744448 ----a-w- c:\xp\pchealth\helpctr\binaries\helpsvc.exe

2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\xp\system32\GPhotos.scr

2010-06-23 03:01 . 2009-07-09 06:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2008-12-18 08:43 . 2008-12-27 16:37 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2008-12-18 08:43 . 2008-12-27 16:37 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Ku6KssService]

@="{1CE908E9-4E19-4A42-9E8F-5BBFB1080E9B}"

[HKEY_CLASSES_ROOT\CLSID\{1CE908E9-4E19-4A42-9E8F-5BBFB1080E9B}]

2009-09-27 07:41 308840 ----a-w- c:\xp\system32\Ku6Kss.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\SIUNANA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-05 133104]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-25 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\xp\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-10 1191936]

"Persistence"="c:\xp\system32\igfxpers.exe" [2008-12-23 150040]

"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 16862720]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-07 2772992]

"tsnp2std"="c:\xp\tsnp2std.exe" [2006-05-22 262144]

"snp2std"="c:\xp\vsnp2std.exe" [2006-05-15 675840]

"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE" [2003-07-14 95296]

"KeyKeyServer"="d:\program files\Yahoo!\KeyKey\KeyKeyServer.exe" [2009-08-17 2539520]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-23 30192]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2010-03-19 421888]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\xp\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.XP\???????\???\??\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-7-20 1528880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\XP\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"d:\\Software\\Thunder.v5.8.3.533.NoAD-Ayu\\Thunder.v5.8.3.533.NoAD-Ayu\\Program\\Thunder5.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

"c:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Program Files\\SolidDocuments\\SolidConverterPDF\\SCPDF\\SolidHost.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\nEO iMAGING\\nEOiMAGING.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

R2 DOSMEMIO;MEMIO;c:\xp\system32\MEMIO.SYS [2008/12/23 ?? 12:48 4300]

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\xp\system32\StkCSrv.exe [2008/12/23 ?? 10:11 31248]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009/1/25 ?? 12:03 24652]

R3 Alidevice;Alidevice;c:\xp\system32\drivers\alidevice.sys [2010/2/6 ?? 11:45 6656]

R3 DNSeFilter;DNSeFilter;c:\xp\system32\drivers\SamsungEDS.SYS [2008/1/14 ?? 04:01 30208]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\xp\system32\drivers\IntcHdmi.sys [2008/12/23 ?? 10:22 110080]

R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\xp\system32\drivers\StkCMini.sys [2008/12/23 ?? 10:11 1363088]

S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009/7/8 ?? 11:32 30192]

.

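A helper's first pass over a ComboFix log like the one above is the Reg Loading Points block: which programs start from the Run keys, and which programs have been punched through the Windows Firewall, and whether any of them live somewhere an installer would not normally put them (a user profile, a temp folder, a data drive). The script below is an added example for this thread, not ComboFix's own code and not a verdict engine: it parses the line format ComboFix prints (the sample lines are copied from the log above), treats c:\xp\ as a trusted location because this machine's Windows folder is c:\xp, and flags everything else for a closer look. A hit such as Google Update under Local Settings\Application Data is a legitimate updater that simply lives there, which is exactly why the output is a reading order, not a removal list.

```python
"""Triage the Run-key and firewall-exception lines of a ComboFix log.

Added example; not ComboFix code. It flags autorun entries and firewall
exceptions that start from unusual places so a helper reads those first.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="c:\path\prog.exe" [2009-07-05 133104]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$')
# "c:\\Program Files\\App\\app.exe"=   (ComboFix doubles the backslashes here)
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')

# Where installed programs normally live on this machine. c:\xp\ is included
# because the poster's Windows folder is c:\xp; %windir% is how the firewall
# list spells the same folder. Assumed heuristic, adjust per machine.
TRUSTED_PREFIXES: Tuple[str, ...] = ("c:\\xp\\", "c:\\windows\\", "c:\\program files\\", "%windir%\\")
# User-writable places droppers favour; legitimate per-user updaters live
# here too, so a hit means "check it", not "malware".
PROFILE_MARKERS = ("\\local settings\\", "\\application data\\", "\\temp\\", "\\recycler\\")


@dataclass
class Finding:
    source: str   # registry key or firewall list the line came from
    name: str     # value name in a Run key; empty for firewall entries
    path: str     # normalised path
    reason: str


def normalise(path: str) -> str:
    """Fold the doubled backslashes of the firewall section and lowercase."""
    return path.replace("\\\\", "\\").strip().lower()


def classify(path: str, trusted=TRUSTED_PREFIXES) -> str:
    """Return why the path deserves a look, or '' if it looks ordinary."""
    p = normalise(path)
    if "\\" not in p:
        return "bare file name, resolved via PATH/App Paths and easy to shadow"
    if any(marker in p for marker in PROFILE_MARKERS):
        return "runs from a user-writable profile or temp directory"
    if not p.startswith(trusted):
        return "runs outside the standard install locations"
    return ""


def triage(log_text: str, trusted=TRUSTED_PREFIXES) -> List[Finding]:
    """Walk the log, remembering the current [key], and collect findings."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        low = key.lower()
        if low.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                reason = classify(m.group("path"), trusted)
                if reason:
                    findings.append(Finding(key, m.group("name"), normalise(m.group("path")), reason))
        elif low.endswith("authorizedapplications\\list"):
            m = FW_RE.match(line)
            if m:
                reason = classify(m.group("path"), trusted)
                if reason:
                    findings.append(Finding(key, "", normalise(m.group("path")), "firewall exception " + reason))
    return findings


# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\SIUNANA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-10 1191936]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 16862720]
"KeyKeyServer"="d:\program files\Yahoo!\KeyKey\KeyKeyServer.exe" [2009-08-17 2539520]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Software\\Thunder.v5.8.3.533.NoAD-Ayu\\Thunder.v5.8.3.533.NoAD-Ayu\\Program\\Thunder5.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.name} {f.path}".replace(":  ", ": "))
```

On this machine a second Program Files tree exists on d:, so pass trusted=TRUSTED_PREFIXES + ("d:\\program files\\",) to stop every iTunes and Yahoo! entry from showing up; what remains (a bare RTHDCPL.EXE, anything under a profile folder, a firewall hole for a program unpacked from a download folder) is the short list worth checking against the file's publisher and date.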

The fake antivirus program is gone, but web searches are still redirected.

This is the new RKU report

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xA6A1C000 C:\XP\System32\Drivers\StkCPipe.sys 12935168 bytes (Syntek America Inc., Syntek USB 2.0 Video Pipeline Driver)

0xB912C000 C:\XP\system32\DRIVERS\igxpmp32.sys 6045696 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xA7A9F000 C:\XP\system32\drivers\RtkHDAud.sys 4968448 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xB8D55000 C:\XP\system32\DRIVERS\NETw5x32.sys 3633152 bytes (Intel Corporation, Intel


Let's make absolutely sure the rootkit is gone.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version (2.3.2.2) of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users: right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in "Scan results - Select action for found objects" and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Are both Internet Explorer and Firefox redirecting? If only Firefox, then try disabling all your add-ons one by one and see which one causes the problem.

At this point the backdoor threat is fortunately gone. I wanted to double-check with TDSSKiller since there is a new variant, and better safe than sorry. :P


I tested with a couple of search links in IE, so far so good. But Google Chrome is still redirecting/opening a new advertising tab. (Even when I clicked Reply here.)

Is this a browser problem? The redirect happens most of the time, but not every time. When it happens, I just go back to the search and click the link again.

*Common Port Result* Passed

----------------------------------------------------------------------

Your system has achieved a perfect "TruStealth" rating. Not a single packet


How did you reset your router and what router do you have?

Please click Start > Run, type cmd and press Enter.

Type ipconfig /flushdns and press Enter. Let me know how your internet is behaving afterwards.
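ipconfig /flushdns empties the resolver cache, but it says nothing about where that cache is filled from. When a redirect survives in every browser after the host has been cleaned, the two places left to look on the host are the DNS server addresses each adapter uses (on a home LAN usually handed out by the router, so a tampered router setting reaches every machine behind it) and the hosts file. The script below is an added example for this thread, not a tool the helper asked for: it parses the text that ipconfig /all prints and the hosts file, labels each resolver, and lists every hosts entry beyond the stock localhost line. It assumes English ipconfig output (on a localized XP the labels differ and the regex must be adapted); the sample data at the bottom is constructed and uses RFC 5737 documentation addresses for the rogue entries.

```python
import ipaddress
import os
import re
import subprocess
import sys
from typing import Dict, List, Tuple

KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # Google Public DNS; add your ISP's resolvers
# RFC 1918 spelled out: is_private() would also flag the RFC 5737 documentation ranges used below
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):$")
LABEL_RE = re.compile(r"^\s+(?P<label>[A-Za-z][A-Za-z \-]*?)[ .]*:\s*(?P<value>.*)$")
IP_ONLY_RE = re.compile(r"^\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {"gateway": [...], "dns": [...]}} from 'ipconfig /all' output."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current, collecting = None, None    # collecting: which list continuation lines extend
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {"gateway": [], "dns": []})
            collecting = None
            continue
        if current is None:             # still in the global header block
            continue
        m = LABEL_RE.match(line)
        if m:
            label = m.group("label").strip().lower()
            collecting = {"dns servers": "dns", "default gateway": "gateway"}.get(label)
            if collecting and m.group("value").strip():
                current[collecting].append(m.group("value").strip())
            continue
        m = IP_ONLY_RE.match(line)      # further servers are printed alone on following lines
        if m and collecting:
            current[collecting].append(m.group("ip"))
    return adapters


def audit_resolvers(adapters, known_public=KNOWN_PUBLIC_RESOLVERS) -> List[Tuple[str, str, str]]:
    """Label each DNS server as router, lan, known-public or unknown-public."""
    out = []
    for name, cfg in adapters.items():
        for ip in cfg["dns"]:
            addr = ipaddress.ip_address(ip)
            if ip in cfg["gateway"]:
                verdict = "router"          # the router's own upstream DNS setting decides
            elif addr.is_loopback or any(addr in net for net in RFC1918):
                verdict = "lan"             # something on the LAN answers DNS: find out what
            elif ip in known_public:
                verdict = "known-public"
            else:
                verdict = "unknown-public"  # confirm it really belongs to the ISP
            out.append((name, ip, verdict))
    return out


def hosts_overrides(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs other than the stock loopback 'localhost' line."""
    out = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False                # malformed address: still worth seeing
        out.extend((ip, h) for h in hosts if not (loopback and h.lower() == "localhost"))
    return out


# Constructed samples; 203.0.113.53 and 192.0.2.10 stand in for attacker-controlled addresses.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.google.com    # searches would hit a third party first
192.0.2.10      www.bing.com
"""


def live_inputs() -> Tuple[str, str]:
    # On Windows read the real ipconfig output and hosts file; elsewhere fall back to the samples.
    if sys.platform != "win32":
        return SAMPLE_IPCONFIG, SAMPLE_HOSTS
    raw = subprocess.check_output(["ipconfig", "/all"])      # console output, OEM code page
    hosts_path = os.path.join(os.environ["SystemRoot"], "system32", "drivers", "etc", "hosts")
    with open(hosts_path, encoding="ascii", errors="replace") as fh:
        return raw.decode("mbcs", errors="replace"), fh.read()


if __name__ == "__main__":
    ipconfig_text, hosts_text = live_inputs()
    for adapter, ip, verdict in audit_resolvers(parse_ipconfig(ipconfig_text)):
        print(f"{adapter}: DNS {ip} -> {verdict}")
    for ip, host in hosts_overrides(hosts_text):
        print(f"hosts file sends {host} to {ip}")
```

A "router" verdict is the interesting one in this thread: the host is only relaying to 192.168.1.1, so the upstream DNS addresses configured in the router's admin pages (not anything on the PC) decide where every browser on the LAN ends up, which is why a factory reset of the router and a changed admin password belong on the list even after the PC is clean. An "unknown-public" entry on an adapter that is supposed to get its settings by DHCP means someone has set static resolvers on the host or on the router's DHCP server.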

I'm using a Netgear Wireless N300 router.

I'm not sure how to reset it from 192.168.1.1 (I couldn't find the reboot button).

So I just unplug the modem and router.

I'm still getting the redirecting problem. Is this a virus problem or my browser's problem or router's problem?

I'm sorry for bothering you for so long. Thanks Elise for your help!


Hi, according to the manual I found for your router model, on the backside you have a small button that can be punched to reset the router. It's located under the power on/off button and above the LAN connectors.

You have to keep it pushed for approx. 5 seconds in order to reset the router to factory default.


This topic is now closed to further replies.