Jump to content

Help with adware deletion


hkw

Recommended Posts

followings are the posts recently posted on General Malwarebytes' Anti-Malware Forum :

There is frequent occurrence of harmful or infected files/folders detected in System Volume Information by Avira AntiVir Premium from time and time. Is there any means to avoid this occurrence or how can I deal with this from now on.

daledoc1 : It sounds as if you have some malware remnants in your computer's restore points.

You can just turn off System Restore, which will wipe out all your restore points.

Then scan again with fully updated versions of MBAM and Avira. You can turn System Restore back on after that.

daledoc 1 :If the positive malware detections are ONLY in those old restore points, then temporarily disabling System Restore should eliminate them. This does not delete your files and folders. Then, update your AV and MBAM and scan with both programs. If you are clean, then it is OK to enable system restore again.

I have sytem restore closed as recommended and performed complete system scan by Avira Antivir Premium and MBAM. I removed all trojans and adwares detected thereafter. There is one file left after detection by your MBAM which cannot be removed. The file details are :

File: C:\Documents & Settings\funshion\historytorrent\十三刺客.MP4.fsp

Detected as Adware funshion

I tried to remove it from Quarantine and it still exists after exit & reclick on MBAM icon again.

The file still exists on quarantine page even with its removal & system reboot.

daledoc1 :It appears you have some lingering malware remnants on your system.

Alas, we cannot work on malware detection/removal in this part of the General MBAM forum.

You need to start a topic in the Malware Removal forum so that a qualified helper can help you fix any malware related problems/infections you may have.

Hope experienced expert can suggest / recommend solution for the problem and thanks for the kind assistance!

Link to post
Share on other sites

Hi, screen317, thanks a lot for your kind assistance!

MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

資料庫版本: 7628

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2011/9/1 下午 06:22:39

mbam-log-2011-09-01 (18-22-39).txt

掃描類型: 快速掃描

被掃描物件數量: 192722

總共掃描時間: 16 分鐘, 12 秒

被感染記憶體進程數量: 0

被感染記憶體模組數量: 0

被感染註冊表項目數量: 2

被感染註冊表值數量: 0

被感染註冊表資料項目數量: 0

被感染資料夾數量: 0

被感染檔案數量: 0

1) Trojan.BHO Registry Key HKEY_CLASSES_ROOT\Typelib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}

No action taken

2) Trojan.BHO Registry Key HKEY_Classes_ROOT\Interface\{71DD8FD0-9176-41BE-B0D7-EFAD33DF88E6}

no action taken

The 2 items detected were completely removed by MBAM.

Link to post
Share on other sites

DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by david at 18:50:51 on 2011-09-01

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1024.383 [GMT 8:00]

.

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

FW: ZoneAlarm Pro Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\RunDll32.exe

C:\WINDOWS\system32\zstatus.exe

C:\Program Files\USB Disk Security\USBGuard.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Real\RealPlayer\update\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AntiLogger\AntiLogger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://hk.yahoo.com/

uURLSearchHooks: H - No File

BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\comdlls\TDMediaDetector5.9.28.1564.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\tools\bitcometbho.dll

BHO: Thunder Browser Helper: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\comdlls\xunleiBHO_Now.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync

mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

mRun: [hp 1000 firmware] c:\program files\hp laserjet 1000\fwdl.exe

mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start

mRun: [uSBAntivirus.exe] c:\program files\usbantivirus\USBAntivirus.exe -Hide

mRun: [uSB Security] c:\program files\usb disk security\USBGuard.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe

IE: &使用BitComet下載 - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\BitComet.exe/AddLink.htm

IE: &使用BitComet下載全部連結 - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\BitComet.exe/AddAllLink.htm

IE: 使用迅雷下載 - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\program\geturl.htm

IE: 使用迅雷下載全部連結 - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\program\getallurl.htm

IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\tools\bitcometbho.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\avira\antivir desktop\avsda.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.8.1

TCP: Interfaces\{3013B48B-7844-41DB-9F61-511F896B9628} : DhcpNameServer = 192.168.8.1

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

.

============= SERVICES / DRIVERS ===============

.

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-7-14 121560]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-9 11608]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-8-24 528128]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2011-2-9 340136]

R2 AntiVirSchedulerService;Avira AntiVir 排程管理員;c:\program files\avira\antivir desktop\sched.exe [2011-2-9 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-9 269480]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-2-9 428200]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-9 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-6 366640]

R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-29 275968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-6 22712]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\david\桌面\superantispyware\sasdifsv.sys --> c:\documents and settings\david\桌面\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\david\桌面\superantispyware\saskutil.sys --> c:\documents and settings\david\桌面\superantispyware\SASKUTIL.SYS [?]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 cpuz132;cpuz132;\??\c:\docume~1\david\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\david\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-1-6 41272]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-25 27064]

.

=============== Created Last 30 ================

.

2011-08-27 08:19:19 892928 ----a-w- c:\windows\system32\iconv.dll

2011-08-27 08:19:19 675840 ----a-w- c:\windows\system32\ac3filter.ax

2011-08-27 08:19:19 496640 ----a-w- c:\windows\system32\xvid.ax

2011-08-27 08:19:02 -------- d-----w- c:\program files\Aimersoft

2011-08-23 23:08:24 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-08-23 23:08:23 -------- d-----w- c:\windows\system32\ZoneLabs

2011-08-23 23:08:18 -------- d-----w- c:\program files\Zone Labs

2011-08-23 22:57:56 -------- d-----w- c:\windows\Internet Logs

2011-08-21 10:30:14 -------- d-----w- c:\program files\LG Software Innovations

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin6.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin5.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin4.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin3.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin2.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin.dll

2011-08-19 00:45:21 -------- d-----w- c:\documents and settings\david\local settings\application data\Modiac

2011-08-19 00:45:21 -------- d-----w- c:\documents and settings\david\application data\Modiac

2011-08-18 16:24:14 -------- d-----w- c:\program files\DVDFab 8 Qt

2011-08-16 06:29:26 -------- d-----w- c:\program files\SlySoft

2011-08-16 02:56:23 -------- dc-h--w- c:\documents and settings\all users\application data\{39448D14-6F91-434E-9F7F-270990A869D3}

2011-08-16 02:56:17 -------- d-----w- c:\program files\AntiLogger

2011-08-14 09:11:01 102439 ----a-w- c:\windows\sipr3260.dll

2011-08-14 09:09:18 102439 ----a-w- c:\windows\system32\sipr3260.dll

2011-08-14 09:09:04 65536 ----a-w- c:\windows\system32\cook.dll

2011-08-14 09:09:04 217127 ----a-w- c:\windows\system32\drv43260.dll

2011-08-14 09:09:04 208935 ----a-w- c:\windows\system32\drv33260.dll

2011-08-13 14:12:12 -------- d-----w- c:\documents and settings\david\application data\SUPERAntiSpyware.com

2011-08-13 14:12:12 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-08-12 13:46:09 232448 ----a-w- c:\windows\system32\mp3fhg.acm

2011-08-12 13:46:03 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-08-12 13:46:02 151552 ----a-w- c:\windows\system32\is-L0CTE.tmp

2011-08-12 13:46:01 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-08-12 13:46:01 243200 ----a-w- c:\windows\system32\xvidvfw.dll

2011-08-12 13:46:01 237568 ----a-w- c:\windows\system32\yv12vfw.dll

2011-08-12 13:45:53 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-08-12 13:45:29 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-08-12 13:38:55 -------- d-----w- c:\program files\Combined Community Codec Pack

2011-08-08 17:03:37 -------- d-----w- c:\documents and settings\david\Downloads

2011-08-08 05:00:20 -------- d-----w- c:\program files\iPod

2011-08-08 05:00:15 -------- d-----w- c:\program files\iTunes

2011-08-08 04:57:48 -------- d-----w- c:\program files\Bonjour

2011-08-03 04:52:36 -------- d-----w- c:\program files\common files\xing shared

2011-08-03 04:51:44 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-08-03 04:51:44 348160 ----a-w- c:\windows\system32\msvcr71.dll

.

==================== Find3M ====================

.

2011-08-30 14:25:26 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-12 13:25:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-28 10:27:08 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 03:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 03:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 11:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 11:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 10:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 10:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-30 11:36:47 143361 ----a-w- c:\windows\system32\DartFtpServer.dll

2011-06-30 11:36:47 118785 ----a-w- c:\windows\system32\DartWeb.dll

2011-06-30 11:36:46 98305 ----a-w- c:\windows\system32\DartServer.dll

2011-06-30 11:36:46 94209 ----a-w- c:\windows\system32\DartFtpUtil.dll

2011-06-30 11:36:46 221185 ----a-w- c:\windows\system32\DartSock.dll

2011-06-30 02:19:43 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-06-30 02:19:43 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:30:26 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:30:24 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:30:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 07:27:48 82944 ----a-w- c:\windows\ST6UNST.EXE

2011-06-22 07:26:47 127489 ----a-w- c:\windows\system32\Re_mail.Dll

2011-06-20 17:44:44 330240 ----a-w- c:\windows\system32\winsrv.dll

2011-06-06 11:35:21 1858560 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 18:51:59.56 ===============

Link to post
Share on other sites

ComboFix log :

ComboFix 11-09-08.03 - david /09/09 星期五 8:26.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1024.389 [GMT 8:00]

執行位置: c:\documents and settings\david\桌面\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* 成功創造新還原點

.

.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\david\Application Data\inst.exe

c:\documents and settings\david\Application Data\Local

c:\documents and settings\david\Application Data\PriceGong

c:\windows\msmqinst.log

c:\windows\sipr3260.dll

c:\windows\system32\spool\prtprocs\w32x86\pcldll6l.dll

c:\windows\system32\spool\prtprocs\w32x86\zpp.dll

c:\windows\system32\TZLog.log

.

.

((((((((((((((((((((((((( 2011-08-09 至 2011-09-09 的新的檔案 )))))))))))))))))))))))))))))))

.

.

2011-09-09 00:16 . 2011-09-09 00:17 -------- d-----w- C:\32788R22FWJFW

2011-09-06 22:45 . 2011-09-06 23:46 -------- d-----w- c:\documents and settings\david\Application Data\Software Informer

2011-09-01 00:24 . 2011-09-01 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-08-27 08:19 . 2011-08-18 01:27 892928 ----a-w- c:\windows\system32\iconv.dll

2011-08-27 08:19 . 2011-08-18 01:27 675840 ----a-w- c:\windows\system32\ac3filter.ax

2011-08-27 08:19 . 2011-08-18 01:27 496640 ----a-w- c:\windows\system32\xvid.ax

2011-08-27 08:19 . 2011-08-27 08:25 -------- d-----w- c:\program files\Aimersoft

2011-08-23 23:08 . 2010-07-20 13:22 69120 ----a-w- c:\windows\system32\zlcomm.dll

2011-08-23 23:08 . 2010-07-20 13:22 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2011-08-23 23:08 . 2010-07-20 13:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-08-23 23:08 . 2011-08-23 23:08 -------- d-----w- c:\windows\system32\ZoneLabs

2011-08-23 23:08 . 2011-08-23 23:08 -------- d-----w- c:\program files\Zone Labs

2011-08-23 22:57 . 2011-09-09 00:11 -------- d-----w- c:\windows\Internet Logs

2011-08-21 10:30 . 2011-08-21 10:30 -------- d-----w- c:\program files\LG Software Innovations

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin6.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin5.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin4.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin3.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin2.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin.dll

2011-08-20 17:09 . 2011-08-20 17:10 -------- d-----w- c:\program files\QuickTime

2011-08-19 00:45 . 2011-08-19 00:45 -------- d-----w- c:\documents and settings\david\Application Data\Modiac

2011-08-19 00:45 . 2011-08-19 00:45 -------- d-----w- c:\documents and settings\david\Local Settings\Application Data\Modiac

2011-08-18 16:24 . 2011-08-18 16:24 -------- d-----w- c:\program files\DVDFab 8 Qt

2011-08-16 06:29 . 2011-08-16 06:29 -------- d-----w- c:\program files\SlySoft

2011-08-16 02:56 . 2011-08-16 02:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{39448D14-6F91-434E-9F7F-270990A869D3}

2011-08-16 02:56 . 2011-08-16 02:56 -------- d-----w- c:\program files\AntiLogger

2011-08-14 09:09 . 2002-12-09 19:20 102439 ----a-w- c:\windows\system32\sipr3260.dll

2011-08-14 09:09 . 2007-04-04 18:11 65536 ----a-w- c:\windows\system32\cook.dll

2011-08-14 09:09 . 2002-12-09 19:27 217127 ----a-w- c:\windows\system32\drv43260.dll

2011-08-14 09:09 . 2002-12-09 19:24 208935 ----a-w- c:\windows\system32\drv33260.dll

2011-08-13 14:12 . 2011-08-13 14:12 -------- d-----w- c:\documents and settings\david\Application Data\SUPERAntiSpyware.com

2011-08-13 14:12 . 2011-08-13 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-08-12 13:46 . 2006-10-18 18:05 232448 ----a-w- c:\windows\system32\mp3fhg.acm

2011-08-12 13:46 . 2011-07-16 14:17 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-08-12 13:46 . 2011-07-16 14:17 151552 ----a-w- c:\windows\system32\is-L0CTE.tmp

2011-08-12 13:46 . 2011-06-24 14:44 243200 ----a-w- c:\windows\system32\xvidvfw.dll

2011-08-12 13:46 . 2011-06-24 14:28 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-08-12 13:46 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll

2011-08-12 13:45 . 2011-08-08 08:00 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-08-12 13:45 . 2011-08-12 13:46 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-08-12 13:38 . 2011-08-12 13:39 -------- d-----w- c:\program files\Combined Community Codec Pack

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-03 10:17 . 2008-04-15 12:00 591872 ----a-w- c:\windows\system32\crypt32.dll

2011-08-30 14:25 . 2011-02-09 15:57 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-30 14:25 . 2011-02-09 15:57 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-12 13:25 . 2011-06-13 03:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-03 04:51 . 2011-08-03 04:51 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-08-03 04:51 . 2011-08-03 04:51 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-07-28 10:27 . 2011-07-28 10:27 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 03:20 . 2011-07-12 03:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 03:20 . 2011-07-12 03:20 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 11:52 . 2011-01-06 07:15 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 11:52 . 2011-01-06 07:15 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 10:37 . 2011-07-05 10:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 10:37 . 2011-07-05 10:37 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-30 11:36 . 2011-06-22 07:26 143361 ----a-w- c:\windows\system32\DartFtpServer.dll

2011-06-30 11:36 . 2011-06-22 07:26 118785 ----a-w- c:\windows\system32\DartWeb.dll

2011-06-30 11:36 . 2011-06-22 07:26 98305 ----a-w- c:\windows\system32\DartServer.dll

2011-06-30 11:36 . 2011-06-22 07:26 94209 ----a-w- c:\windows\system32\DartFtpUtil.dll

2011-06-30 11:36 . 2011-06-22 07:26 221185 ----a-w- c:\windows\system32\DartSock.dll

2011-06-30 02:19 . 2011-06-30 02:19 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-06-30 02:19 . 2011-06-30 02:19 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-06-24 14:10 . 2010-04-20 16:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:30 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:30 . 2008-04-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:30 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2008-04-15 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 07:27 . 2011-06-22 07:27 82944 ----a-w- c:\windows\ST6UNST.EXE

2011-06-22 07:26 . 2011-06-22 07:26 127489 ----a-w- c:\windows\system32\Re_mail.Dll

2011-06-20 17:44 . 2008-04-15 12:00 330240 ----a-w- c:\windows\system32\winsrv.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 1791B79392B2C5681F220423E7B14DCA . 361600 . . [5.1.2600.5625] . . c:\windows\$NtUninstallKB2509553$\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 1791B79392B2C5681F220423E7B14DCA . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-15 . 241D706AC46BC7D59B25C58BF1B08F13 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白與合法缺省登錄將不會被顯示

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-02 205256]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-08-16 5242488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]

"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-04-13 611712]

"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]

"USB Security"="c:\program files\USB Disk Security\USBGuard.exe" [2011-01-31 623520]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-06 281768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-08-03 273544]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2011-07-14 2885064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-07-20 1038848]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

.

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\

Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2010-4-21 151552]

Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2010-4-21 106496]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0090404]

IME File REG_SZ MSTCICJA.IME

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.85\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.85\\XLBugReport.exe"=

"c:\\Documents and Settings\\david\\桌面\\Thunder(迅雷)_v5.9.28.1564(去廣告免安裝版)\\Program\\Thunder.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"18868:TCP"= 18868:TCP:BitComet 18868 TCP

"18868:UDP"= 18868:UDP:BitComet 18868 UDP

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010/4/21 下午 03:50 717296]

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2011/7/14 下午 07:09 121560]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2011/2/9 下午 11:57 340136]

R2 AntiVirSchedulerService;Avira AntiVir 排程管理員;c:\program files\Avira\AntiVir Desktop\sched.exe [2011/2/9 下午 11:57 136360]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2011/2/9 下午 11:57 428200]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011/1/6 下午 03:15 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011/1/6 下午 03:15 22712]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\david\桌面\SUPERAntiSpyware\SASDIFSV.SYS --> c:\documents and settings\david\桌面\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\david\桌面\SUPERAntiSpyware\SASKUTIL.SYS --> c:\documents and settings\david\桌面\SUPERAntiSpyware\SASKUTIL.SYS [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011/1/6 下午 03:15 41272]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011/5/25 上午 09:12 27064]

.

‘計劃任務’ 文件夾 裡的內容

.

2011-09-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1123561945-1532298954-1417001333-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 02:47]

.

2011-09-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1123561945-1532298954-1417001333-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 02:47]

.

.

------- 而外的掃描 -------

.

uStart Page = hxxp://hk.yahoo.com/

IE: &使用BitComet下載 - c:\documents and settings\david\桌面\BitComet_v1.27(免安裝版)\BitComet.exe/AddLink.htm

IE: &使用BitComet下載全部連結 - c:\documents and settings\david\桌面\BitComet_v1.27(免安裝版)\BitComet.exe/AddAllLink.htm

IE: 使用迅雷下載 - c:\documents and settings\david\桌面\Thunder(迅雷)_v5.9.28.1564(去廣告免安裝版)\Program\geturl.htm

IE: 使用迅雷下載全部連結 - c:\documents and settings\david\桌面\Thunder(迅雷)_v5.9.28.1564(去廣告免安裝版)\Program\getallurl.htm

IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll

TCP: DhcpNameServer = 192.168.8.1

TCP: Interfaces\{0D99A62F-B95E-4E56-90C8-32222A61DA85}: NameServer = 218.102.60.110 218.102.62.71

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKLM-Run-Cmaudio - cmicnfg.cpl

HKLM-Run-DivX Download Manager - c:\program files\DivX\DivX Plus Web Player\DDmService.exe

HKLM-Run-USBAntivirus.exe - c:\program files\USBAntivirus\USBAntivirus.exe

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-09 08:57

Windows 5.1.2600 Service Pack 3 NTFS

.

掃描被隱藏的進程 ...

.

掃描被隱藏的啟動組 ...

.

掃描被隱藏的文件 ...

.

掃描完成

被隱藏的檔案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1123561945-1532298954-1417001333-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Outlook\Settings\芏b?_U *O*u*t*l*o*o*k* *?\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1123561945-1532298954-1417001333-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Outlook\Settings\芏b?_U *O*u*t*l*o*o*k* *?\View]

"Data"=hex:04,16,00,37,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]

@="BDATuner.元件.1"

.

--------------------- 運行進程下的動態鏈接庫 ---------------------

.

- - - - - - - > 'winlogon.exe'(428)

c:\windows\system32\wdmaud.drv

.

- - - - - - - > 'lsass.exe'(484)

c:\program files\Avira\AntiVir Desktop\avsda.dll

.

完成時間: 2011-09-09 10:15:16

ComboFix-quarantined-files.txt 2011-09-09 02:15

.

Pre-Run: 38,812,758,016 位元組可用

Post-Run: 39,421,022,208 位元組可用

.

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

.

- - End Of File - - 7D66B92B182D785FC7884E28E22A3123

DDS log:

No log can be producted with several trials.

Link to post
Share on other sites

DDS log after system reboot:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by david at 10:51:53 on 2011-09-09

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1024.489 [GMT 8:00]

.

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

FW: ZoneAlarm Pro Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\USB Disk Security\USBGuard.exe

C:\WINDOWS\system32\zstatus.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Real\RealPlayer\update\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\conime.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://hk.yahoo.com/

BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\comdlls\TDMediaDetector5.9.28.1564.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\tools\bitcometbho.dll

BHO: Thunder Browser Helper: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\comdlls\xunleiBHO_Now.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync

mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [hp 1000 firmware] c:\program files\hp laserjet 1000\fwdl.exe

mRun: [uSB Security] c:\program files\usb disk security\USBGuard.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe

IE: &使用BitComet下載 - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\BitComet.exe/AddLink.htm

IE: &使用BitComet下載全部連結 - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\BitComet.exe/AddAllLink.htm

IE: 使用迅雷下載 - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\program\geturl.htm

IE: 使用迅雷下載全部連結 - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\program\getallurl.htm

IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\tools\bitcometbho.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\avira\antivir desktop\avsda.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.8.1

TCP: Interfaces\{3013B48B-7844-41DB-9F61-511F896B9628} : DhcpNameServer = 192.168.8.1

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-7-14 121560]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-9 11608]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-8-24 528128]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2011-2-9 340136]

R2 AntiVirSchedulerService;Avira AntiVir 排程管理員;c:\program files\avira\antivir desktop\sched.exe [2011-2-9 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-9 269480]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-2-9 428200]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-9 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-6 366640]

R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-29 275968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-6 22712]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\david\桌面\superantispyware\sasdifsv.sys --> c:\documents and settings\david\桌面\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\david\桌面\superantispyware\saskutil.sys --> c:\documents and settings\david\桌面\superantispyware\SASKUTIL.SYS [?]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 cpuz132;cpuz132;\??\c:\docume~1\david\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\david\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-1-6 41272]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-25 27064]

.

=============== Created Last 30 ================

.

2011-09-09 00:23:37 -------- d-sha-r- C:\cmdcons

2011-09-09 00:17:59 98816 ----a-w- c:\windows\sed.exe

2011-09-09 00:17:59 518144 ----a-w- c:\windows\SWREG.exe

2011-09-09 00:17:59 256000 ----a-w- c:\windows\PEV.exe

2011-09-09 00:17:59 208896 ----a-w- c:\windows\MBR.exe

2011-09-09 00:17:33 -------- d-----w- C:\ComboFix

2011-09-06 22:45:31 -------- d-----w- c:\documents and settings\david\application data\Software Informer

2011-08-27 08:19:19 892928 ----a-w- c:\windows\system32\iconv.dll

2011-08-27 08:19:19 675840 ----a-w- c:\windows\system32\ac3filter.ax

2011-08-27 08:19:19 496640 ----a-w- c:\windows\system32\xvid.ax

2011-08-27 08:19:02 -------- d-----w- c:\program files\Aimersoft

2011-08-23 23:08:24 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-08-23 23:08:23 -------- d-----w- c:\windows\system32\ZoneLabs

2011-08-23 23:08:18 -------- d-----w- c:\program files\Zone Labs

2011-08-23 22:57:56 -------- d-----w- c:\windows\Internet Logs

2011-08-21 10:30:14 -------- d-----w- c:\program files\LG Software Innovations

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin6.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin5.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin4.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin3.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin2.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin.dll

2011-08-19 00:45:21 -------- d-----w- c:\documents and settings\david\local settings\application data\Modiac

2011-08-19 00:45:21 -------- d-----w- c:\documents and settings\david\application data\Modiac

2011-08-18 16:24:14 -------- d-----w- c:\program files\DVDFab 8 Qt

2011-08-16 06:29:26 -------- d-----w- c:\program files\SlySoft

2011-08-16 02:56:23 -------- dc-h--w- c:\documents and settings\all users\application data\{39448D14-6F91-434E-9F7F-270990A869D3}

2011-08-16 02:56:17 -------- d-----w- c:\program files\AntiLogger

2011-08-14 09:09:18 102439 ----a-w- c:\windows\system32\sipr3260.dll

2011-08-14 09:09:04 65536 ----a-w- c:\windows\system32\cook.dll

2011-08-14 09:09:04 217127 ----a-w- c:\windows\system32\drv43260.dll

2011-08-14 09:09:04 208935 ----a-w- c:\windows\system32\drv33260.dll

2011-08-13 14:12:12 -------- d-----w- c:\documents and settings\david\application data\SUPERAntiSpyware.com

2011-08-13 14:12:12 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-08-12 13:46:09 232448 ----a-w- c:\windows\system32\mp3fhg.acm

2011-08-12 13:46:03 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-08-12 13:46:02 151552 ----a-w- c:\windows\system32\is-L0CTE.tmp

2011-08-12 13:46:01 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-08-12 13:46:01 243200 ----a-w- c:\windows\system32\xvidvfw.dll

2011-08-12 13:46:01 237568 ----a-w- c:\windows\system32\yv12vfw.dll

2011-08-12 13:45:53 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-08-12 13:45:29 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-08-12 13:38:55 -------- d-----w- c:\program files\Combined Community Codec Pack

.

==================== Find3M ====================

.

2011-09-03 10:17:16 591872 ----a-w- c:\windows\system32\crypt32.dll

2011-08-30 14:25:26 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-12 13:25:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-03 04:51:44 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-08-03 04:51:44 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-07-28 10:27:08 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 03:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 03:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 11:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 11:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 10:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 10:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-30 11:36:47 143361 ----a-w- c:\windows\system32\DartFtpServer.dll

2011-06-30 11:36:47 118785 ----a-w- c:\windows\system32\DartWeb.dll

2011-06-30 11:36:46 98305 ----a-w- c:\windows\system32\DartServer.dll

2011-06-30 11:36:46 94209 ----a-w- c:\windows\system32\DartFtpUtil.dll

2011-06-30 11:36:46 221185 ----a-w- c:\windows\system32\DartSock.dll

2011-06-30 02:19:43 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-06-30 02:19:43 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:30:26 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:30:24 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:30:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 07:27:48 82944 ----a-w- c:\windows\ST6UNST.EXE

2011-06-22 07:26:47 127489 ----a-w- c:\windows\system32\Re_mail.Dll

2011-06-20 17:44:44 330240 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 10:53:16.65 ===============

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

FCOPY::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

ComboFix log :

ComboFix 11-09-13.01 - david /09/13 星期二 21:09:42.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1024.475 [GMT 8:00]

執行位置: c:\documents and settings\david\桌面\ComboFix.exe

Command switches used :: c:\documents and settings\david\桌面\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((( 2011-08-13 至 2011-09-13 的新的檔案 )))))))))))))))))))))))))))))))

.

.

2011-09-12 03:25 . 2011-09-12 03:25 -------- d-----w- c:\program files\7-Zip

2011-09-11 12:46 . 2011-09-11 15:52 -------- d-----w- c:\program files\proXPN

2011-09-10 23:05 . 2011-09-10 23:05 -------- d-----w- c:\program files\LG Software Innovations

2011-09-06 22:45 . 2011-09-06 23:46 -------- d-----w- c:\documents and settings\david\Application Data\Software Informer

2011-09-01 00:24 . 2011-09-01 00:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-08-27 08:19 . 2011-08-18 01:27 892928 ----a-w- c:\windows\system32\iconv.dll

2011-08-27 08:19 . 2011-08-18 01:27 675840 ----a-w- c:\windows\system32\ac3filter.ax

2011-08-27 08:19 . 2011-08-18 01:27 496640 ----a-w- c:\windows\system32\xvid.ax

2011-08-27 08:19 . 2011-08-27 08:25 -------- d-----w- c:\program files\Aimersoft

2011-08-23 23:08 . 2010-07-20 13:22 69120 ----a-w- c:\windows\system32\zlcomm.dll

2011-08-23 23:08 . 2010-07-20 13:22 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2011-08-23 23:08 . 2010-07-20 13:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-08-23 23:08 . 2011-08-23 23:08 -------- d-----w- c:\windows\system32\ZoneLabs

2011-08-23 23:08 . 2011-08-23 23:08 -------- d-----w- c:\program files\Zone Labs

2011-08-23 22:57 . 2011-09-13 13:01 -------- d-----w- c:\windows\Internet Logs

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin6.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin5.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin4.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin3.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin2.dll

2011-08-20 17:10 . 2011-08-20 17:10 159744 ----a-w- c:\program files\Internet Explorer\外掛模組\npqtplugin.dll

2011-08-20 17:09 . 2011-08-20 17:10 -------- d-----w- c:\program files\QuickTime

2011-08-19 00:45 . 2011-08-19 00:45 -------- d-----w- c:\documents and settings\david\Application Data\Modiac

2011-08-19 00:45 . 2011-08-19 00:45 -------- d-----w- c:\documents and settings\david\Local Settings\Application Data\Modiac

2011-08-18 16:24 . 2011-08-18 16:24 -------- d-----w- c:\program files\DVDFab 8 Qt

2011-08-16 06:29 . 2011-08-16 06:29 -------- d-----w- c:\program files\SlySoft

2011-08-16 02:56 . 2011-08-16 02:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{39448D14-6F91-434E-9F7F-270990A869D3}

2011-08-16 02:56 . 2011-08-16 02:56 -------- d-----w- c:\program files\AntiLogger

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-03 10:17 . 2008-04-15 12:00 591872 ----a-w- c:\windows\system32\crypt32.dll

2011-08-30 14:25 . 2011-02-09 15:57 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-30 14:25 . 2011-02-09 15:57 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-12 13:25 . 2011-06-13 03:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-08 08:00 . 2011-08-12 13:45 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-08-03 04:51 . 2011-08-03 04:51 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-08-03 04:51 . 2011-08-03 04:51 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-07-28 10:27 . 2011-07-28 10:27 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2011-07-16 14:17 . 2011-08-12 13:46 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-07-16 14:17 . 2011-08-12 13:46 151552 ----a-w- c:\windows\system32\is-L0CTE.tmp

2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 03:20 . 2011-07-12 03:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 03:20 . 2011-07-12 03:20 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 11:52 . 2011-01-06 07:15 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 11:52 . 2011-01-06 07:15 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 10:37 . 2011-07-05 10:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 10:37 . 2011-07-05 10:37 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-30 11:36 . 2011-06-22 07:26 143361 ----a-w- c:\windows\system32\DartFtpServer.dll

2011-06-30 11:36 . 2011-06-22 07:26 118785 ----a-w- c:\windows\system32\DartWeb.dll

2011-06-30 11:36 . 2011-06-22 07:26 98305 ----a-w- c:\windows\system32\DartServer.dll

2011-06-30 11:36 . 2011-06-22 07:26 94209 ----a-w- c:\windows\system32\DartFtpUtil.dll

2011-06-30 11:36 . 2011-06-22 07:26 221185 ----a-w- c:\windows\system32\DartSock.dll

2011-06-30 02:19 . 2011-06-30 02:19 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-06-30 02:19 . 2011-06-30 02:19 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-06-24 14:44 . 2011-08-12 13:46 243200 ----a-w- c:\windows\system32\xvidvfw.dll

2011-06-24 14:28 . 2011-08-12 13:46 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-06-24 14:10 . 2010-04-20 16:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:30 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:30 . 2008-04-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:30 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2008-04-15 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 07:27 . 2011-06-22 07:27 82944 ----a-w- c:\windows\ST6UNST.EXE

2011-06-22 07:26 . 2011-06-22 07:26 127489 ----a-w- c:\windows\system32\Re_mail.Dll

2011-06-20 17:44 . 2008-04-15 12:00 330240 ----a-w- c:\windows\system32\winsrv.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-09-09_01.33.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-12 23:19 . 2011-09-12 23:19 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat

+ 2011-06-07 12:44 . 2011-06-07 12:44 26112 c:\windows\system32\drivers\tap0901.sys

+ 2011-08-23 23:08 . 2011-09-12 23:38 4212 c:\windows\system32\zllictbl.dat

- 2011-08-23 23:08 . 2011-09-08 23:31 4212 c:\windows\system32\zllictbl.dat

.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白與合法缺省登錄將不會被顯示

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-02 205256]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-08-16 5242488]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]

"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-04-13 611712]

"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]

"USB Security"="c:\program files\USB Disk Security\USBGuard.exe" [2011-01-31 623520]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-06 281768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-08-03 273544]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2011-07-14 2885064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-07-20 1038848]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

.

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\

Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2010-4-21 151552]

Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2010-4-21 106496]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0090404]

IME File REG_SZ MSTCICJA.IME

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.85\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.85\\XLBugReport.exe"=

"c:\\Documents and Settings\\david\\桌面\\Thunder(迅雷)_v5.9.28.1564(去廣告免安裝版)\\Program\\Thunder.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"18868:TCP"= 18868:TCP:BitComet 18868 TCP

"18868:UDP"= 18868:UDP:BitComet 18868 UDP

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010/4/21 下午 03:50 717296]

R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2011/7/14 下午 07:09 121560]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2011/2/9 下午 11:57 340136]

R2 AntiVirSchedulerService;Avira AntiVir 排程管理員;c:\program files\Avira\AntiVir Desktop\sched.exe [2011/2/9 下午 11:57 136360]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2011/2/9 下午 11:57 428200]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011/1/6 下午 03:15 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011/1/6 下午 03:15 22712]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\david\桌面\SUPERAntiSpyware\SASDIFSV.SYS --> c:\documents and settings\david\桌面\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\david\桌面\SUPERAntiSpyware\SASKUTIL.SYS --> c:\documents and settings\david\桌面\SUPERAntiSpyware\SASKUTIL.SYS [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011/1/6 下午 03:15 41272]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011/5/25 上午 09:12 27064]

.

‘計劃任務’ 文件夾 裡的內容

.

2011-09-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1123561945-1532298954-1417001333-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 02:47]

.

2011-09-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1123561945-1532298954-1417001333-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 02:47]

.

.

------- 而外的掃描 -------

.

uStart Page = hxxp://hk.yahoo.com/

IE: &使用BitComet下載 - c:\documents and settings\david\桌面\BitComet_v1.27(免安裝版)\BitComet.exe/AddLink.htm

IE: &使用BitComet下載全部連結 - c:\documents and settings\david\桌面\BitComet_v1.27(免安裝版)\BitComet.exe/AddAllLink.htm

IE: 使用迅雷下載 - c:\documents and settings\david\桌面\Thunder(迅雷)_v5.9.28.1564(去廣告免安裝版)\Program\geturl.htm

IE: 使用迅雷下載全部連結 - c:\documents and settings\david\桌面\Thunder(迅雷)_v5.9.28.1564(去廣告免安裝版)\Program\getallurl.htm

IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll

TCP: DhcpNameServer = 192.168.8.1

TCP: Interfaces\{0D99A62F-B95E-4E56-90C8-32222A61DA85}: NameServer = 218.102.60.110 218.102.62.71

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-13 21:32

Windows 5.1.2600 Service Pack 3 NTFS

.

掃描被隱藏的進程 ...

.

掃描被隱藏的啟動組 ...

.

掃描被隱藏的文件 ...

.

掃描完成

被隱藏的檔案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1123561945-1532298954-1417001333-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Outlook\Settings\芏b?_U *O*u*t*l*o*o*k* *?\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1123561945-1532298954-1417001333-1003\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Outlook\Settings\芏b?_U *O*u*t*l*o*o*k* *?\View]

"Data"=hex:04,16,00,37,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]

@="BDATuner.元件.1"

.

--------------------- 運行進程下的動態鏈接庫 ---------------------

.

- - - - - - - > 'lsass.exe'(544)

c:\program files\Avira\AntiVir Desktop\avsda.dll

.

- - - - - - - > 'explorer.exe'(16736)

c:\windows\system32\WININET.dll

c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

完成時間: 2011-09-13 21:38:54

ComboFix-quarantined-files.txt 2011-09-13 13:38

ComboFix2.txt 2011-09-09 02:15

.

Pre-Run: 29,107,970,048 位元組可用

Post-Run: 29,251,739,648 位元組可用

.

- - End Of File - - 1149423B6E7E12C1306BC7C43B489F47

DDS log :

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by david at 21:41:24 on 2011-09-13

Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1024.449 [GMT 8:00]

.

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

FW: ZoneAlarm Pro Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\USB Disk Security\USBGuard.exe

C:\WINDOWS\system32\zstatus.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Real\RealPlayer\update\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://hk.yahoo.com/

BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\comdlls\TDMediaDetector5.9.28.1564.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\tools\bitcometbho.dll

BHO: Thunder Browser Helper: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\comdlls\xunleiBHO_Now.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync

mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [hp 1000 firmware] c:\program files\hp laserjet 1000\fwdl.exe

mRun: [uSB Security] c:\program files\usb disk security\USBGuard.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe

IE: &使用BitComet下載 - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\BitComet.exe/AddLink.htm

IE: &使用BitComet下載全部連結 - c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\BitComet.exe/AddAllLink.htm

IE: 使用迅雷下載 - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\program\geturl.htm

IE: 使用迅雷下載全部連結 - c:\documents and settings\david\桌面\thunder(迅雷)_v5.9.28.1564(去廣告吻安裝版)\program\getallurl.htm

IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\documents and settings\david\桌面\bitcomet_v1.27(吻安裝版)\tools\bitcometbho.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\avira\antivir desktop\avsda.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.8.1

TCP: Interfaces\{0D99A62F-B95E-4E56-90C8-32222A61DA85} : NameServer = 218.102.60.110 218.102.62.71

TCP: Interfaces\{3013B48B-7844-41DB-9F61-511F896B9628} : DhcpNameServer = 192.168.8.1

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2011-7-14 121560]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-9 11608]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-8-24 528128]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2011-2-9 340136]

R2 AntiVirSchedulerService;Avira AntiVir 排程管理員;c:\program files\avira\antivir desktop\sched.exe [2011-2-9 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-9 269480]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-2-9 428200]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-9 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-6 366640]

R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-29 275968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-6 22712]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\david\桌面\superantispyware\sasdifsv.sys --> c:\documents and settings\david\桌面\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\david\桌面\superantispyware\saskutil.sys --> c:\documents and settings\david\桌面\superantispyware\SASKUTIL.SYS [?]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 cpuz132;cpuz132;\??\c:\docume~1\david\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\david\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-1-6 41272]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-25 27064]

.

=============== Created Last 30 ================

.

2011-09-11 12:46:17 -------- d-----w- c:\program files\proXPN

2011-09-10 23:05:34 -------- d-----w- c:\program files\LG Software Innovations

2011-09-09 00:23:37 -------- d-sha-r- C:\cmdcons

2011-09-09 00:17:59 98816 ----a-w- c:\windows\sed.exe

2011-09-09 00:17:59 518144 ----a-w- c:\windows\SWREG.exe

2011-09-09 00:17:59 256000 ----a-w- c:\windows\PEV.exe

2011-09-09 00:17:59 208896 ----a-w- c:\windows\MBR.exe

2011-09-06 22:45:31 -------- d-----w- c:\documents and settings\david\application data\Software Informer

2011-08-27 08:19:19 892928 ----a-w- c:\windows\system32\iconv.dll

2011-08-27 08:19:19 675840 ----a-w- c:\windows\system32\ac3filter.ax

2011-08-27 08:19:19 496640 ----a-w- c:\windows\system32\xvid.ax

2011-08-27 08:19:02 -------- d-----w- c:\program files\Aimersoft

2011-08-23 23:08:24 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-08-23 23:08:23 -------- d-----w- c:\windows\system32\ZoneLabs

2011-08-23 23:08:18 -------- d-----w- c:\program files\Zone Labs

2011-08-23 22:57:56 -------- d-----w- c:\windows\Internet Logs

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin6.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin5.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin4.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin3.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin2.dll

2011-08-20 17:10:44 159744 ----a-w- c:\program files\internet explorer\外掛模組\npqtplugin.dll

2011-08-19 00:45:21 -------- d-----w- c:\documents and settings\david\local settings\application data\Modiac

2011-08-19 00:45:21 -------- d-----w- c:\documents and settings\david\application data\Modiac

2011-08-18 16:24:14 -------- d-----w- c:\program files\DVDFab 8 Qt

2011-08-16 06:29:26 -------- d-----w- c:\program files\SlySoft

2011-08-16 02:56:23 -------- dc-h--w- c:\documents and settings\all users\application data\{39448D14-6F91-434E-9F7F-270990A869D3}

2011-08-16 02:56:17 -------- d-----w- c:\program files\AntiLogger

.

==================== Find3M ====================

.

2011-09-03 10:17:16 591872 ----a-w- c:\windows\system32\crypt32.dll

2011-08-30 14:25:26 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-12 13:25:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-08 08:00:00 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-08-03 04:51:44 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-08-03 04:51:44 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-07-28 10:27:08 121464 ----a-w- c:\windows\system32\drivers\AnyDVD.sys

2011-07-16 14:17:06 151552 ----a-w- c:\windows\system32\is-L0CTE.tmp

2011-07-16 14:17:06 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 03:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 03:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 11:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 11:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 10:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 10:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-30 11:36:47 143361 ----a-w- c:\windows\system32\DartFtpServer.dll

2011-06-30 11:36:47 118785 ----a-w- c:\windows\system32\DartWeb.dll

2011-06-30 11:36:46 98305 ----a-w- c:\windows\system32\DartServer.dll

2011-06-30 11:36:46 94209 ----a-w- c:\windows\system32\DartFtpUtil.dll

2011-06-30 11:36:46 221185 ----a-w- c:\windows\system32\DartSock.dll

2011-06-30 02:19:43 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-06-30 02:19:43 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-06-24 14:44:30 243200 ----a-w- c:\windows\system32\xvidvfw.dll

2011-06-24 14:28:22 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:30:26 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:30:24 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:30:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-22 07:27:48 82944 ----a-w- c:\windows\ST6UNST.EXE

2011-06-22 07:26:47 127489 ----a-w- c:\windows\system32\Re_mail.Dll

2011-06-20 17:44:44 330240 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 21:42:26.37 ===============

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

EsetOnlineScanner\log.txt :

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=58e85233d50df146a207869296f00af4

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-16 10:29:25

# local_time=2011-09-16 06:29:25 )

# country="Taiwan"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1792 16777175 100 0 18900278 18900278 0 0

# compatibility_mode=8192 67108863 100 0 426 426 0 0

# compatibility_mode=9217 16777214 75 70 2026289 36537211 0 0

# scanned=16721

# found=1

# cleaned=1

# scan_time=1669

C:\Documents and Settings\david\桌面\UniblueSpeedUpMyPc2011_v5.1.1.3+License\speedupmypc.exe Win32/SpeedUpMyPC application (deleted - quarantined) 00000000000000000000000000000000 esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=58e85233d50df146a207869296f00af4

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-16 04:53:58

# local_time=2011-09-17 12:53:58 )

# country="Taiwan"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1792 16777175 100 0 18902058 18902058 0 0

# compatibility_mode=8192 67108863 100 0 2206 2206 0 0

# compatibility_mode=9217 16777214 75 70 2028069 36538991 0 0

# scanned=80072

# found=1

# cleaned=1

# scan_time=22966

C:\System Volume Information\_restore{7AB7F0FD-EA11-498F-B6F7-5AB95BAF1E4F}\RP12\A0011895.exe Win32/SpeedUpMyPC application (deleted - quarantined) 00000000000000000000000000000000 C

checkup.txt :

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Avira AntiVir Premium

ZoneAlarm Pro

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 26

Flash Player Out of Date!

Adobe Flash Player 10.0.2.54

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

Zone Labs ZoneAlarm zlclient.exe

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 26

Adobe Flash Player 10.0.2.54

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Let me know what issues remain.

-screen317

Link to post
Share on other sites

EsetOnlineScanner\log.txt :

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=68a71ebc28aacc45ad696a264971fb86

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-18 12:31:15

# local_time=2011-09-18 08:31:15 )

# country="Taiwan"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1792 16777191 100 0 19067102 19067102 0 0

# compatibility_mode=8192 67108863 100 0 361 361 0 0

# compatibility_mode=9217 16777214 75 70 2193113 36704035 0 0

# scanned=69267

# found=0

# cleaned=0

# scan_time=14954

checkup log.txt :

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Avira AntiVir Premium

ESET Online Scanner v3

ZoneAlarm Pro

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 27

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

Zone Labs ZoneAlarm zlclient.exe

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

My apologies for the delay.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Let me know what issues remain.

-screen317

Link to post
Share on other sites

I have already uninstall ComboFix and Security check as previously advised.

Do you mean now I have to re-start download and run ComboFix / Security Check again to have the new log posted

and thereafter, to have ComboFix and Security Check deleted. Thanks!

Link to post
Share on other sites

There is no problem with my pc now. But there is still one file left in Quarantine of MBAM which cannot be removed.

The file details are :

File: C:\Documents & Settings\funshion\historytorrent\十三刺客.MP4.fsp

Detected as Adware funshion

The file still exists on quarantine page even with its normal removal & system reboot.

I tried to remove it again in Safe Mode but still it exists.

Do I have to remove MBAM and have it re-installed so as to get rid of that File. Please help and advise what remedy action to be taken and many thanks !

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.