Windows BBS (WindowsBBS.com), Malware and Virus Removal forum
#1, 3rd January 2010, vanxiaolan (Member)

[Active] In China with a ton of viruses, with requested log

China is known for its ton and a half of viruses. Since I use a USB key between my laptop and my office computer, I got infected really easily. Here are the logs:

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 21/04/2009 18:29:55
System Uptime: 01/03/2010 13:32:23 (-1368 hours ago)

Motherboard: LENOVO | | JIWA1
Processor: Intel Pentium III Xeon processor | U2E1 | 1995/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 15 GiB total, 5,188 GiB free.
D: is FIXED (NTFS) - 68 GiB total, 68,274 GiB free.
E: is FIXED (NTFS) - 68 GiB total, 64,45 GiB free.
F: is FIXED (NTFS) - 80 GiB total, 79,345 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1395 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_04B514E4&REV_01\4&492937F&0&00E2
Manufacturer: Broadcom
Name: Dell Wireless 1395 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_04B514E4&REV_01\4&492937F&0&00E2
Service: BCM43XX

==== System Restore Points ===================

No restore point in system.

==== Image File Execution Options =============

IFEO: 360rp.EXE - ntsd -d
IFEO: 360rpt.EXE - ntsd -d
IFEO: 360safe.EXE - ntsd -d
IFEO: 360safebox.EXE - ntsd -d
IFEO: 360safeup.EXE - ntsd -d
IFEO: 360sd.EXE - ntsd -d
IFEO: 360tray.EXE - ntsd -d
IFEO: 360upp.EXE - ntsd -d
IFEO: ANTIARP.EXE - ntsd -d
IFEO: arpfw.EXE - ntsd -d
IFEO: ArSwp.EXE - ntsd -d
IFEO: Ast.EXE - ntsd -d
IFEO: AutoRun.EXE - ntsd -d
IFEO: AutoRunKiller.EXE - ntsd -d
IFEO: AvMonitor.EXE - ntsd -d
IFEO: ccEvtMgr.EXE - ntsd -d
IFEO: egui.EXE - ntsd -d
IFEO: ekrn.EXE - ntsd -d
IFEO: Frameworkservice.EXE - ntsd -d
IFEO: GFUpd.EXE - ntsd -d
IFEO: GuardField.EXE - ntsd -d
IFEO: HijackThis.EXE - ntsd -d
IFEO: IceSword.EXE - ntsd -d
IFEO: Iparmor.EXE - ntsd -d
IFEO: KASARP.EXE - ntsd -d
IFEO: kav32.EXE - ntsd -d
IFEO: KAVPFW.EXE - ntsd -d
IFEO: kavstart.EXE - ntsd -d
IFEO: kissvc.EXE - ntsd -d
IFEO: KpfwSvc.EXE - ntsd -d
IFEO: KRegEx.EXE - ntsd -d
IFEO: krnl360svc.EXE - ntsd -d
IFEO: KSWebShield.EXE - ntsd -d
IFEO: KVMonxp.KXP - ntsd -d
IFEO: KVSrvXP.EXE - ntsd -d
IFEO: KVWSC.EXE - ntsd -d
IFEO: kwatch.EXE - ntsd -d
IFEO: LiveUpdate360.EXE - ntsd -d
IFEO: mcshield.EXE - ntsd -d
IFEO: Mmsk.EXE - ntsd -d
IFEO: naPrdMgr.EXE - ntsd -d
IFEO: Navapsvc.EXE - ntsd -d
IFEO: nod32krn.EXE - ntsd -d
IFEO: Nod32kui.EXE - ntsd -d
IFEO: PFW.EXE - ntsd -d
IFEO: RAV.EXE - ntsd -d
IFEO: RavMon.EXE - ntsd -d
IFEO: RavMonD.EXE - ntsd -d
IFEO: Ravservice.EXE - ntsd -d
IFEO: RavStub.EXE - ntsd -d
IFEO: RavTask.EXE - ntsd -d
IFEO: RAVTRAY.EXE - ntsd -d
IFEO: Regedit.EXE - ntsd -d
IFEO: rfwmain.EXE - ntsd -d
IFEO: rfwProxy.EXE - ntsd -d
IFEO: rfwsrv.EXE - ntsd -d
IFEO: Rfwstub.EXE - ntsd -d
IFEO: RsAgent.EXE - ntsd -d
IFEO: Rsaupd.EXE - ntsd -d
IFEO: RsMain.EXE - ntsd -d
IFEO: RSTray.EXE - ntsd -d
IFEO: Runiep.EXE - ntsd -d
IFEO: safeboxTray.EXE - ntsd -d
IFEO: ScanFrm.EXE - ntsd -d
IFEO: SREngLdr.EXE - ntsd -d
IFEO: TrojanDetector.EXE - ntsd -d
IFEO: Trojanwall.EXE - ntsd -d
IFEO: TrojDie.KXP - ntsd -d
IFEO: VPC32.EXE - ntsd -d
IFEO: VPTRAY.EXE - ntsd -d
IFEO: VsTskMgr.EXE - ntsd -d
IFEO: WOPTILITIES.EXE - ntsd -d
IFEO: ZhuDongFangYu.EXE - ntsd -d

==== Hosts File Hijack ======================

Hosts: 204.152.194.50 freedur.com
Hosts: 204.152.194.50 www.freedur.com
Hosts: 204.152.194.50 clients.freedur.com
Hosts: 204.152.194.50 blog.freedur.com
Hosts: 204.152.194.50 freedur.net
Hosts: 204.152.194.50 www.freedur.net
Hosts: 204.152.194.50 clients.freedur.net
Hosts: 204.152.194.50 blog.freedur.net
Hosts: 204.152.194.50 freedur.org
Hosts: 204.152.194.50 www.freedur.org
Hosts: 204.152.194.50 clients.freedur.org
Hosts: 204.152.194.50 blog.freedur.org

==== Installed Programs ======================

freeime 6.0
2007 Office system Compatibility Pack
360 SafeBox (360保险箱)
360 Safeguard (360安全卫士)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1 - Français
aMSN 0.97.2
Windows Live Sign-in Assistant
AVG Free 8.5
CCleaner
Conexant HD Audio
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio - KB888111
HiJackThis
Hotfix for Windows XP (KB915865)
Hotspot Shield 1.34
Windows Live Installation
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
JMicron JMB38X Flash Media Controller
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.6)
MSVCRT
NVIDIA Drivers
OGA Notifier 1.7.0105.14.0
OpenAL
Windows Live Download Tool
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.55.03
Segoe UI
Skydur 3.0.0.3486
Skype web features
Skype™ 4.1
StuffIt Standard
SUPERAntiSpyware Free Edition
VLC media player 1.0.2
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 7 Security Update (KB938127-v2)
Windows Internet Explorer 7 Security Update (KB976325)
Windows Live Call
Windows Live Communications Platform
Windows Live Mail
Windows Live Messenger
Windows Media Player (KB911564) Security Update
Windows Media Player (KB952069) Security Update
Windows Media Player (KB954155) Security Update
Windows Media Player (KB968816) Security Update
Windows Media Player (KB973540) Security Update
Windows Media Player 6.4 (KB925398) Security Update
Windows Media Player 9 (KB917734) Security Update
Windows XP Hotfix (KB934428-v3)
Windows XP Hotfix (KB935843)
Windows XP Hotfix (KB952287)
Windows XP Hotfix (KB976098-v2)
Windows XP Hotfix Package - KB873339
Windows XP Hotfix Package - KB885835
Windows XP Hotfix Package - KB885836
Windows XP Hotfix Package - KB888113
Windows XP Hotfix Package - KB888302
Windows XP Hotfix Package - KB890859
Windows XP Hotfix Package - KB891781
Windows XP Security Update (KB890046)
Windows XP Security Update (KB893756)
Windows XP Security Update (KB896358)
Windows XP Security Update (KB896423)
Windows XP Security Update (KB896428)
Windows XP Security Update (KB899587)
Windows XP Security Update (KB899589)
Windows XP Security Update (KB899591)
Windows XP Security Update (KB901017)
Windows XP Security Update (KB901190)
Windows XP Security Update (KB901214)
Windows XP Security Update (KB902400)
Windows XP Security Update (KB905414)
Windows XP Security Update (KB905749)
Windows XP Security Update (KB908519)
Windows XP Security Update (KB911927)
Windows XP Security Update (KB913580)
Windows XP Security Update (KB914388)
Windows XP Security Update (KB914389)
Windows XP Security Update (KB917953)
Windows XP Security Update (KB918118)
Windows XP Security Update (KB918439)
Windows XP Security Update (KB919007)
Windows XP Security Update (KB920670)
Windows XP Security Update (KB920683)
Windows XP Security Update (KB920685)
Windows XP Security Update (KB921503)
Windows XP Security Update (KB922819)
Windows XP Security Update (KB923191)
Windows XP Security Update (KB923414)
Windows XP Security Update (KB923561)
Windows XP Security Update (KB923980)
Windows XP Security Update (KB924270)
Windows XP Security Update (KB924667)
Windows XP Security Update (KB925902)
Windows XP Security Update (KB926255)
Windows XP Security Update (KB926436)
Windows XP Security Update (KB927779)
Windows XP Security Update (KB927802)
Windows XP Security Update (KB928255)
Windows XP Security Update (KB928843)
Windows XP Security Update (KB930178)
Windows XP Security Update (KB931261)
Windows XP Security Update (KB931784)
Windows XP Security Update (KB932168)
Windows XP Security Update (KB933729)
Windows XP Security Update (KB935839)
Windows XP Security Update (KB935840)
Windows XP Security Update (KB936021)
Windows XP Security Update (KB937894)
Windows XP Security Update (KB938829)
Windows XP Security Update (KB941644)
Windows XP Security Update (KB941693)
Windows XP Security Update (KB943055)
Windows XP Security Update (KB943460)
Windows XP Security Update (KB943485)
Windows XP Security Update (KB944653)
Windows XP Security Update (KB945553)
Windows XP Security Update (KB946026)
Windows XP Security Update (KB946648)
Windows XP Security Update (KB948590)
Windows XP Security Update (KB948881)
Windows XP Security Update (KB950749)
Windows XP Security Update (KB950760)
Windows XP Security Update (KB950762)
Windows XP Security Update (KB950974)
Windows XP Security Update (KB951066)
Windows XP Security Update (KB951376-v2)
Windows XP Security Update (KB951748)
Windows XP Security Update (KB952004)
Windows XP Security Update (KB952954)
Windows XP Security Update (KB954459)
Windows XP Security Update (KB955069)
Windows XP Security Update (KB956572)
Windows XP Security Update (KB956744)
Windows XP Security Update (KB956802)
Windows XP Security Update (KB956803)
Windows XP Security Update (KB956844)
Windows XP Security Update (KB957097)
Windows XP Security Update (KB958644)
Windows XP Security Update (KB958687)
Windows XP Security Update (KB958869)
Windows XP Security Update (KB959426)
Windows XP Security Update (KB960225)
Windows XP Security Update (KB960803)
Windows XP Security Update (KB960859)
Windows XP Security Update (KB961371-v2)
Windows XP Security Update (KB961501)
Windows XP Security Update (KB969059)
Windows XP Security Update (KB969947)
Windows XP Security Update (KB970238)
Windows XP Security Update (KB970430)
Windows XP Security Update (KB971486)
Windows XP Security Update (KB971557)
Windows XP Security Update (KB971633)
Windows XP Security Update (KB971657)
Windows XP Security Update (KB971961)
Windows XP Security Update (KB973354)
Windows XP Security Update (KB973507)
Windows XP Security Update (KB973525)
Windows XP Security Update (KB973869)
Windows XP Security Update (KB973904)
Windows XP Security Update (KB974112)
Windows XP Security Update (KB974318)
Windows XP Security Update (KB974392)
Windows XP Security Update (KB974571)
Windows XP Security Update (KB975025)
Windows XP Security Update (KB975467)
Windows XP Security Update (KB976325)
Windows XP Update (KB898461)
Windows XP Update (KB908531)
Windows XP Update (KB910437)
Windows XP Update (KB911280)
Windows XP Update (KB916595)
Windows XP Update (KB930916)
Windows XP Update (KB951978)
Windows XP Update (KB961503)
Windows XP Update (KB967715)
Windows XP Update (KB968389)
Windows XP Update (KB971737)
Windows XP Update (KB973687)
Windows XP Update (KB973815)
WinRAR archiver (压缩文件管理器)
ZSMC USB PC Camera (ZS211)
One-click GHOST v2008.08.08 Olympic Edition (一键GHOST)
System supplementary driver pack (系统补充驱动包)

==== End Of File ===========================

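Two things in the Attach.txt above decide how the cleanup has to go. Every program in the Image File Execution Options list has its Debugger value set to "ntsd -d": Windows then starts ntsd instead of the named program, and -d hands ntsd's console to a kernel debugger that is not attached, so the security product or tool never actually runs. And a dozen freedur hostnames are pinned to one address in the hosts file. The script below is an added example for this thread (it is not part of DDS and was not posted by anyone here) that parses those two DDS sections and summarises them. SAMPLE_LOG is constructed from lines in the posted log plus one made-up entry that points at a real debugger for contrast; VENDOR_HINTS is an assumed prefix-to-product mapping used only to label what the list is aimed at.

```python
"""Triage the IFEO and Hosts sections of a DDS Attach.txt log.

Added example for the thread above; not part of DDS or of the original post.
SAMPLE_LOG is constructed from the posted log (plus one made-up entry), and
VENDOR_HINTS is an assumed mapping from process-name prefixes to products.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the posted Attach.txt, plus a made-up
# IFEO entry whose Debugger is a real debugger rather than "ntsd -d".
SAMPLE_LOG = """\
==== Image File Execution Options =============

IFEO: 360safe.EXE - ntsd -d
IFEO: ekrn.EXE - ntsd -d
IFEO: HijackThis.EXE - ntsd -d
IFEO: Regedit.EXE - ntsd -d
IFEO: RavMon.EXE - ntsd -d
IFEO: notepad.EXE - c:\\tools\\windbg.exe

==== Hosts File Hijack ======================

Hosts: 204.152.194.50 freedur.com
Hosts: 204.152.194.50 www.freedur.com
Hosts: 127.0.0.1 localhost
"""

IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>\S+)\s+-\s+(?P<debugger>.+?)\s*$", re.M)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)", re.M)

# Debugger = "ntsd -d" is the AV-killer value: Windows launches ntsd in place of
# the image, and -d sends ntsd's I/O to a kernel debugger that is not there, so
# the real program never starts.  Any other Debugger value is worth a look but
# is not automatically a kill.
KILL_RE = re.compile(r"^ntsd(?:\.exe)?\s+-d$", re.I)

# Assumed prefix -> product mapping, used only to label the hijacked names.
VENDOR_HINTS = {
    "360": "Qihoo 360",
    "rav": "Rising", "rs": "Rising", "rfw": "Rising",
    "kav": "Kingsoft", "kis": "Kingsoft", "kpfw": "Kingsoft", "kwatch": "Kingsoft",
    "kv": "Jiangmin",
    "ekrn": "ESET", "egui": "ESET", "nod32": "ESET",
    "mcshield": "McAfee", "vstskmgr": "McAfee",
    "vptray": "Symantec", "vpc32": "Symantec", "ccevtmgr": "Symantec", "navapsvc": "Symantec",
    "hijackthis": "HijackThis (diagnostic tool)",
    "icesword": "IceSword (diagnostic tool)",
    "regedit": "Regedit (Windows)",
}

# Stock hosts entries that must not be reported as redirects.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_ifeo(text):
    """Return [(image, debugger)] for every IFEO line in the log."""
    return [(m.group("image"), m.group("debugger")) for m in IFEO_RE.finditer(text)]


def parse_hosts(text):
    """Return [(ip, hostname)] for every Hosts line in the log."""
    return [(m.group("ip"), m.group("host")) for m in HOSTS_RE.finditer(text)]


def vendor_of(image):
    """Best-effort product label for a hijacked image name (assumed mapping)."""
    name = image.lower()
    for prefix, vendor in VENDOR_HINTS.items():
        if name.startswith(prefix):
            return vendor
    return "unknown"


def triage(text):
    """Summarise kill-style IFEO entries and non-stock hosts mappings."""
    killed, other = [], []
    for image, debugger in parse_ifeo(text):
        if KILL_RE.match(debugger):
            killed.append(image)
        else:
            other.append((image, debugger))

    redirects = defaultdict(list)
    for ip, host in parse_hosts(text):
        if (ip, host.lower()) not in STOCK_HOSTS:
            redirects[ip].append(host)

    return {
        "killed": killed,
        "vendors": sorted({vendor_of(i) for i in killed}),
        "other_debuggers": other,
        "hosts_redirects": dict(redirects),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['killed'])} image(s) blocked via IFEO 'ntsd -d':")
    for image in report["killed"]:
        print(f"  {image:20s} {vendor_of(image)}")
    for image, dbg in report["other_debuggers"]:
        print(f"  review: {image} -> Debugger={dbg}")
    for ip, hosts in report["hosts_redirects"].items():
        print(f"hosts: {len(hosts)} name(s) pinned to {ip}: {', '.join(hosts)}")
```

Run it over the full Attach.txt and the vendor labels show what the list targets: the Chinese products (360, Rising, Kingsoft, Jiangmin), ESET, McAfee and Symantec, plus Regedit and the diagnostic tools the helper is about to ask for. IFEO keys match on the image file name alone, which is exactly why the later advice to rename hijackthis.exe to something like scanner.exe works.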
#2, 3rd January 2010, broni (Malware Analyst, Daly City, CA)
This is only one part of DDS log. Please, post the other one.

Did you create custom "hosts" file?

#3, 3rd January 2010, vanxiaolan (Member)
Custom hosts file? I'm not sure what that is... I just ran the diagnostics tool. Here is the second part:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 14:24:36,70 on 03/01/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.936.33.2052.18.2008.1460 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\Domino.exe
C:\WINDOWS\system32\B8A091\54FAF1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\aMSN\bin\wish.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\Installation Fichier\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fr/
uSearch Bar = hxxp://search.fm365.com
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: ss12C40088dll.dll: {5a041f13-a111-12b0-b0cf-f99818aa68a5} - c:\windows\system32\ss12C40088dll.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Assistant Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: SafeMon Class: {b69f34dd-f0f9-42dc-9edd-957187da688d} - c:\program files\360\360safe\safemon\safemon.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Livestation] c:\program files\livestation\Livestation.exe -startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [54FAF1] c:\windows\system32\b8a091\54FAF1.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
mExplorerRun: [360safe] c:\windows\fonts\iexplo.exe
StartupFolder: c:\docume~1\admini~1\[Start Menu]\Programs\Startup\54faf1.lnk - c:\windows\system32\b8a091\54FAF1.EXE
uPolicies-explorer: ClearRecentDocsOnEixt = 01000000
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
IE: Export to Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
IE: {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {92FBB915-40BA-45E5-B815-F5DBA54971F9} = 61.128.128.68,202.202.192.29
TCP: {CAD0A590-06AF-40F5-8800-3F877CBCF967} = 221.5.203.98 221.7.92.98
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ss12C40088dll.dll
SSODL: 4722812 - {5A041F13-A111-12B0-B0CF-F99818AA68A5} - c:\windows\system32\ss12C40088dll.dll
SEH: ss12C40088dll.dll: {5a041f13-a111-12b0-b0cf-f99818aa68a5} - c:\windows\system32\ss12C40088dll.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: 360rp.EXE - ntsd -d
IFEO: 360rpt.EXE - ntsd -d
IFEO: 360safe.EXE - ntsd -d
IFEO: 360safebox.EXE - ntsd -d
IFEO: 360safeup.EXE - ntsd -d

Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 204.152.194.50 freedur.com
Hosts: 204.152.194.50 www.freedur.com
Hosts: 204.152.194.50 clients.freedur.com
Hosts: 204.152.194.50 blog.freedur.com
Hosts: 204.152.194.50 freedur.net

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6196vcor.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://fr.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:frfficial
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?mkt=fr-FR&form=MIMWA5&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 2009
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 2009
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-15 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-15 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-15 108552]
R1 SafeBoxKrnl;SafeBoxKrnl;c:\windows\system32\drivers\safeboxkrnl.sys [2009-1-12 221448]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-15 297752]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-4-21 7296]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-2-22 81296]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 360procmon;360procmon;c:\program files\360\360safe\safemon\360procmon.sys [2008-9-28 21976]
S3 ****jss;****jss;\??\c:\windows\fonts\****jss.sys --> c:\windows\fonts\****jss.sys [?]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-4-21 108032]
S3 niuxs;niuxs;\??\c:\windows\fonts\niuxs.sys --> c:\windows\fonts\niuxs.sys [?]
S3 npf;npf;c:\windows\system32\drivers\npf.sys [2009-12-16 42000]

=============== Created Last 30 ================

2010-01-03 05:41:32 0 d-----w- c:\program files\TrendMicro
2010-01-03 04:57:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:57:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 04:57:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 04:57:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-03 04:11:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-03 04:11:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-03 04:11:43 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-01-03 04:11:22 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-01 00:49:15 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-01 00:49:15 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-01 00:49:15 13168 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-31 10:44:45 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-29 09:50:39 888832 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2009-12-29 09:50:39 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-29 09:50:39 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-29 09:50:39 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-29 09:50:39 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-29 09:50:38 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-12-29 09:50:38 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-29 09:50:38 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-12-29 09:50:38 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-12-27 15:56:49 0 d-----w- C:\Hotspot Shield
2009-12-27 15:56:32 0 d-----w- c:\program files\Hotspot Shield
2009-12-25 05:23:59 0 d-----w- c:\docume~1\admini~1\applic~1\Skydur
2009-12-20 19:20:44 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-20 11:10:03 269824 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-12-20 11:10:03 269824 ------w- c:\windows\system32\drivers\bthport.sys
2009-12-20 11:08:31 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-12-20 11:08:15 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-12-20 11:07:58 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-20 11:07:30 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-20 11:07:02 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-12-20 11:05:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-20 11:04:56 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-20 11:04:54 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-12-20 11:04:54 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-12-20 11:04:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-12-20 11:04:54 292352 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-12-20 11:04:54 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-12-20 11:04:53 674816 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-12-20 11:04:53 598016 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-12-20 11:04:53 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-20 10:55:10 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-20 10:54:43 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-20 10:47:21 2144768 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-20 10:47:20 2023424 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-20 10:47:19 2065664 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-20 10:46:07 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-12-20 10:45:54 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-20 10:45:35 1203922 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2009-12-20 10:45:34 207360 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-12-20 10:45:32 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-12-20 10:44:04 0 d-----w- c:\windows\system32\PreInstall
2009-12-20 10:44:03 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-12-20 10:44:02 0 d--h--w- c:\windows\$hf_mig$
2009-12-20 10:26:15 0 d-----w- c:\program files\CCleaner
2009-12-20 10:23:39 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-12-18 09:40:29 0 d-----w- c:\documents and settings\all users\Application DataStorm
2009-12-16 12:07:19 88952 ----a-w- c:\windows\system32\Packet.dll
2009-12-16 12:07:19 68480 ----a-w- c:\windows\system32\WanPacket.dll
2009-12-16 12:07:19 42000 ----a-w- c:\windows\system32\drivers\npf.sys
2009-12-16 12:07:19 240496 ----a-w- c:\windows\system32\wpcap.dll
2009-12-16 12:07:02 32768 ----a-w- c:\windows\system32\myInsDll.exe
2009-12-16 12:07:02 256 ----a-w- c:\windows\system32\Unamsmqnws.dat
2009-12-16 12:07:00 0 d-----w- c:\program files\common files\PushWare
2009-12-16 12:06:59 0 d-----w- c:\windows\MICROSOFT
2009-12-16 12:06:24 0 d--h--r- C:\sa.exe
2009-12-16 12:05:36 19968 -c--a-w- c:\windows\system32\dllcache\linkinfo.dll

==================== Find3M ====================

2010-01-03 01:13:41 4736 ----a-w- c:\windows\system32\cid_store.dat
2009-12-21 19:18:36 81710 ----a-w- c:\windows\system32\prfc0804.dat
2009-12-21 19:18:36 153988 ----a-w- c:\windows\system32\prfh0804.dat
2009-12-16 12:07:19 49152 -c--a-w- c:\windows\system32\npptools.dll
2009-11-22 07:38:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 17:27:57 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-21 17:27:57 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-12 21:42:18 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-11-12 21:42:16 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-10-29 07:41:45 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:41:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:41:36 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:41 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:41 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:32:36 268288 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:20 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:20 148480 ----a-w- c:\windows\system32\rastls.dll

============= FINISH: 14:24:47,54 ===============

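The DDS.txt above says more than the Attach.txt did, because the entries correlate. One DLL, ss12C40088dll.dll, is loaded four different ways: as a BHO, as a ShellServiceObjectDelayLoad entry, as a shell execute hook (SEH) and through AppInit_DLLs. SFCDisable is non-zero, so Windows File Protection will not put back any system file that gets replaced. An Explorer run entry named "360safe" points into c:\windows\fonts, and so do two drivers; a hex-named executable under system32\b8a091 is started from the Run key and the Startup folder. Firefox carries a manual proxy of 127.0.0.1:2009, but network.proxy.type is 4 (auto-detect); only type 1 uses the manual fields, so that proxy is dormant. The script below is an added example for this thread (not DDS, HijackThis or the poster's code) that parses the line shapes used in this report and applies exactly those correlations. SAMPLE is constructed from the posted lines; the rules and their severities are the author's own choices.

```python
"""Correlate persistence entries in a DDS "Pseudo HJT Report".

Added example for the thread above; not code from DDS, HijackThis or the
poster.  SAMPLE is constructed from lines in the posted DDS.txt; the rules and
severities below are the author's assumptions about what deserves a look.
"""
import re
from collections import defaultdict

SAMPLE = """\
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
BHO: ss12C40088dll.dll: {5a041f13-a111-12b0-b0cf-f99818aa68a5} - c:\\windows\\system32\\ss12C40088dll.dll
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\\program files\\adobe\\reader 9.0\\reader\\Reader_sl.exe"
mRun: [Domino] c:\\windows\\Domino.exe
mRun: [54FAF1] c:\\windows\\system32\\b8a091\\54FAF1.EXE
mExplorerRun: [360safe] c:\\windows\\fonts\\iexplo.exe
AppInit_DLLs: ss12C40088dll.dll
SSODL: 4722812 - {5A041F13-A111-12B0-B0CF-F99818AA68A5} - c:\\windows\\system32\\ss12C40088dll.dll
SEH: ss12C40088dll.dll: {5a041f13-a111-12b0-b0cf-f99818aa68a5} - c:\\windows\\system32\\ss12C40088dll.dll
Notify: avgrsstarter - avgrsstx.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2009-9-15 335240]
S3 niuxs;niuxs;\\??\\c:\\windows\\fonts\\niuxs.sys --> c:\\windows\\fonts\\niuxs.sys [?]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 2009
FF - prefs.js: network.proxy.type - 4
"""

# The DDS line shapes this script understands.
RUN_RE = re.compile(
    r'^(?P<kind>[umd]Run|mExplorerRun|StartupFolder):\s+(?:\[(?P<name>[^\]]*)\]\s+)?'
    r'"?(?P<path>[a-z]:\\[^"]+?\.(?:exe|scr|lnk|dll))"?', re.I)
HOOK_RE = re.compile(
    r'^(?P<kind>BHO|SSODL|SEH|TB|uURLSearchHooks|Notify):\s+(?P<name>.*?)\s+-\s+'
    r'(?P<path>[a-z]:\\.+?\.dll)\s*$', re.I)
BARE_RE = re.compile(
    r'^(?P<kind>AppInit_DLLs|Notify):\s+(?:(?P<name>.*?)\s+-\s+)?(?P<path>\S+\.dll)\s*$', re.I)
DRIVER_RE = re.compile(r'^(?P<kind>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$')
PATH_IN = re.compile(r'[a-z]:\\.+?\.(?:sys|exe|dll)', re.I)
FF_RE = re.compile(r'^FF - prefs\.js:\s+(?P<key>\S+)\s+-\s+(?P<val>.+?)\s*$', re.M)

HOOK_KINDS = {"BHO", "SSODL", "SEH", "TB", "uURLSearchHooks", "Notify", "AppInit_DLLs"}
AUTOSTART_KINDS = {"uRun", "mRun", "dRun", "mExplorerRun", "StartupFolder", "driver"}
HEX_NAMED = re.compile(r'\\[0-9a-f]{6,}\\[0-9a-f]{6,}\.exe$')   # ...\b8a091\54faf1.exe
WINDOWS_ROOT = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$')     # ...\windows\domino.exe


def _entry(kind, name, path):
    return {"kind": kind, "name": name, "path": path,
            "base": path.rsplit("\\", 1)[-1].lower()}


def parse_entries(text):
    """Yield one dict per autostart, hook or driver line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or HOOK_RE.match(line) or BARE_RE.match(line)
        if m:
            yield _entry(m.group("kind"), m.group("name") or "", m.group("path"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            p = PATH_IN.search(m.group("rest"))
            if p:
                yield _entry("driver", m.group("name"), p.group(0))


def analyze(text):
    """Return findings as {"rule", "severity", "evidence"} dicts."""
    entries = list(parse_entries(text))
    findings = []

    # 1. Windows File Protection off: replaced system binaries stay replaced.
    m = re.search(r"^mWinlogon:\s+SFCDisable=(-?\d+)", text, re.M)
    if m and int(m.group(1)) != 0:
        findings.append({"rule": "sfc_disabled", "severity": "high",
                         "evidence": f"SFCDisable={m.group(1)}"})

    # 2. One DLL registered through several load points at once: redundancy a
    #    legitimate add-on does not need, and the signature of this infection.
    hooks = defaultdict(set)
    for e in entries:
        if e["kind"] in HOOK_KINDS:
            hooks[e["base"]].add(e["kind"])
    for base, kinds in sorted(hooks.items()):
        if len(kinds) >= 2:
            findings.append({"rule": "multi_hook_dll", "severity": "high",
                             "evidence": f"{base} via {','.join(sorted(kinds))}"})

    # 3. Autostarts and drivers living where code has no business being.
    for e in entries:
        if e["kind"] not in AUTOSTART_KINDS:
            continue
        low = e["path"].lower()
        if "\\fonts\\" in low:
            findings.append({"rule": "exec_in_fonts_dir", "severity": "high", "evidence": e["path"]})
        elif HEX_NAMED.search(low):
            findings.append({"rule": "hex_named_autostart", "severity": "high", "evidence": e["path"]})
        elif WINDOWS_ROOT.match(low):
            findings.append({"rule": "exe_in_windows_root", "severity": "review", "evidence": e["path"]})

    # 4. Firefox pointed at a local proxy.  Only network.proxy.type 1 (manual)
    #    honours the http/ssl fields; 4 is auto-detect, so the entry is dormant.
    prefs = dict(FF_RE.findall(text))
    host = prefs.get("network.proxy.http")
    if host in {"127.0.0.1", "localhost"}:
        ptype = prefs.get("network.proxy.type", "0")
        state = "active" if ptype == "1" else "inactive"
        port = prefs.get("network.proxy.http_port", "?")
        findings.append({"rule": "firefox_local_proxy", "severity": "review",
                         "evidence": f"{host}:{port} type={ptype} ({state})"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f['severity']:6s}] {f['rule']:22s} {f['evidence']}")
```

The AVG, Adobe and Java entries in the same report produce no findings, which is the point of correlating rather than listing: a single BHO or a single driver is normal, one DLL wired into four load points is not. The dormant proxy is still worth noting in the write-up, since the installed-programs list includes two proxy/VPN clients and the log cannot say which of them, or the infection, wrote it.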
#4, 3rd January 2010, broni (Malware Analyst, Daly City, CA)
Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click Restore MS Hosts File and then click OK.
* Click the X to exit the program

Restart computer.

==============================================================

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4. Download HijackThis:
http://www.trendsecure.com/portal/en...kthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Old 4th January 2010   #5
vanxiaolan (Member)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2010 at 07:54 PM

Application Version : 4.32.1000

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:20:29

Memory items scanned : 211
Memory threats detected : 0
Registry items scanned : 4464
Registry threats detected : 0
File items scanned : 8106
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bellcan.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt

Old 4th January 2010   #6
vanxiaolan (Member)

There was an issue but I managed to fix it. New logs coming soon. Thanks again for your time!

Last edited by vanxiaolan; 4th January 2010 at 14:49. Reason: problem fixed.
Old 4th January 2010   #7
vanxiaolan (Member)

The first log mysteriously disappeared... after the scan the computer crashed. I rescanned a second time; this is the log:

Malwarebytes' Anti-Malware 1.43
Database version: 3491
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

04/01/2010 23:42:47
mbam-log-2010-01-04 (23-42-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 122194
Time elapsed: 11 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\shell.fne (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\dp1.fne (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\eAPI.fne (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\HtmlView.fne (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\shell.fne (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\dp1.fne (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\eAPI.fne (Trojan.Agent) -> No action taken.

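The Malwarebytes log above is worth reading with two checks in mind: do the seven summary counts match the itemized lists, and was anything actually removed? Every entry in the posted log ends in "No action taken", which means the scan results were posted without Remove Selected being applied. The parser below is an added example written for this thread, not code from Malwarebytes or from the poster; it runs on a constructed sample laid out like the 1.43 log format (placeholder paths, and the "Quarantined and deleted successfully" action string is assumed to be the wording the scanner uses for removed items).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample laid out like the Malwarebytes' Anti-Malware 1.43 log in this thread.
# Paths, counts and the "Quarantined and deleted successfully" action string are
# illustrative placeholders (the action string is an assumption), not a real machine's log.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.43

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\User\Local Settings\Temp\EXAMPLE\a.fne (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\EXAMPLE\a.fne (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\EXAMPLE\b.fne (Trojan.Agent) -> No action taken.
"""

# The summary block and the itemized sections use the same seven names.
SECTION_NAMES = (
    "Memory Processes Infected",
    "Memory Modules Infected",
    "Registry Keys Infected",
    "Registry Values Infected",
    "Registry Data Items Infected",
    "Folders Infected",
    "Files Infected",
)

# "<target> (<family>) -> <action>."  The family is the last parenthesised token before "->",
# so a target path that itself contains parentheses is still captured whole.
ITEM_RE = re.compile(r"^(?P<target>.*) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], Dict[str, List[dict]]]:
    """Return (summary counts, itemized detections keyed by section name)."""
    summary: Dict[str, int] = {}
    detail: Dict[str, List[dict]] = {name: [] for name in SECTION_NAMES}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name in SECTION_NAMES:
            if line.startswith(name + ":"):
                rest = line[len(name) + 1:].strip()
                if rest.isdigit():      # "Files Infected: 4" is a summary line
                    summary[name] = int(rest)
                    current = None
                else:                   # "Files Infected:" opens an itemized section
                    current = name
                break
        else:
            if current is None or line.startswith("(No malicious items"):
                continue
            m = ITEM_RE.match(line)
            if m:
                detail[current].append(m.groupdict())
    return summary, detail


def untreated_items(detail: Dict[str, List[dict]]) -> List[dict]:
    """Detections the scanner logged but did not remove ("No action taken")."""
    return [item for items in detail.values() for item in items
            if item["action"].startswith("No action taken")]


def audit(summary: Dict[str, int], detail: Dict[str, List[dict]]) -> List[str]:
    """Cross-check summary counts against the lists and report unremoved detections."""
    findings = []
    for name in SECTION_NAMES:
        listed = len(detail[name])
        if name in summary and summary[name] != listed:
            findings.append(f"{name}: summary says {summary[name]}, itemized list has {listed}")
    pending = untreated_items(detail)
    if pending:
        findings.append(f"{len(pending)} detection(s) were logged but not removed; "
                        "the scan was posted without Remove Selected being applied")
    return findings


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_MBAM_LOG)
    for finding in audit(counts, items):
        print(finding)
```

On the sample the summary counts agree with the lists and three of the four detections are still untreated, which is the same situation the posted log shows for all of its entries. A helper who reads these logs at volume can run this before replying, rather than noticing the "No action taken" suffix by eye.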
Old 4th January 2010   #8
vanxiaolan (Member)

** From meboubou: This computer is hell itself. I've passed each scan at least twice and everything crashes at least once out of 2. Gmer has crashed yet again and I can't get a log file. Do you want Hijackthis logs now?
Old 5th January 2010   #9
broni (Malware Analyst)

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with ComboFix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Old 5th January 2010   #10
vanxiaolan (Member)

ComboFix 10-01-04.01 - Administrator 05/01/2010 19:40:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.33.2052.18.2008.1377 [GMT 8:00]
执行位置: D:\UserData\Administrator\My Documents\Téléchargements\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\cnvpe.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\dp1.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\eAPI.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\HtmlView.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\internet.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\shell.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\spec.fne
C:\Program Files\StormII
C:\Program Files\StormII\GdiPlus.dll
C:\Program Files\StormII\StormExcept.log
C:\WINDOWS\Fonts\tbh.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\msconfig.exe
C:\WINDOWS\system32\OEMLINK.REG
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SAFEBOXKRNL
-------\Service_npf
-------\Service_SafeBoxKrnl

Old 5th January 2010   #11
vanxiaolan (Member)

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 19:47:01, on 05/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\B8A091\54FAF1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files\360\360Safe\safemon\safemon.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [54FAF1] C:\WINDOWS\system32\B8A091\54FAF1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Livestation] C:\Program Files\Livestation\Livestation.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{92FBB915-40BA-45E5-B815-F5DBA54971F9}: NameServer = 61.128.128.68,202.202.192.29
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD0A590-06AF-40F5-8800-3F877CBCF967}: NameServer = 221.5.203.98 221.7.92.98
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui ?¤?ó??3ìDò - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: ×é?tàà±e?o′?3ìDò - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)

--
End of file - 8975 bytes

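A HijackThis log like the one above is a flat list of "Oxx - ..." lines, and the things a helper looks at first are mechanical: entries that point at a file HijackThis could not find ("(no file)", "(file missing)"), the executables behind each Run key, and the DNS servers in the O17 entries, which should be the ones the ISP or network owner actually hands out. The code below is an added example written for this thread, not HijackThis code or the poster's; it parses a constructed sample in the 2.0 log layout (placeholder GUIDs, paths and documentation-range IP addresses). The rule that cuts an O4 command line at the first ".exe" is a heuristic of this example, and the allowlist passed to unexpected_dns is something the reviewer supplies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample in the HijackThis 2.0 log layout used in this thread. GUIDs, paths,
# service names and addresses are placeholders, not taken from any real machine.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe" /quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-0000000000A1}: NameServer = 192.0.2.1,192.0.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-0000000000A2}: NameServer = 198.51.100.5 198.51.100.6
O20 - Winlogon Notify: example - example.dll (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
O23 - Service: Old Service (OldSvc) - Unknown owner - C:\WINDOWS\system32\oldsvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
O4_RE = re.compile(r"^HK\S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic of this example: the executable is everything up to the first ".exe", quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str                      # "O2", "O4", "O17", "O23", ...
    text: str                         # the original log line
    path: Optional[str] = None        # executable or DLL the entry points at, if any
    orphaned: bool = False            # HijackThis printed "(no file)" or "(file missing)"
    dns: List[str] = field(default_factory=list)   # O17 name servers


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn the Oxx lines of a HijackThis log into typed records."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header lines and the process list are skipped
        section, rest = m.group(1), m.group(2)
        e = HjtEntry(section=section, text=line)
        e.orphaned = "(no file)" in rest or "(file missing)" in rest
        if section == "O4":
            m4 = O4_RE.match(rest)
            if m4:
                mx = EXE_RE.match(m4.group("cmd"))
                e.path = mx.group("exe") if mx else m4.group("cmd")
        elif section == "O17":
            m17 = O17_RE.search(rest)
            if m17:                       # servers are comma- or space-separated
                e.dns = re.split(r"[,\s]+", m17.group("servers").strip())
        elif section == "O23":
            m23 = O23_RE.match(rest)
            if m23:
                e.path = m23.group("path").replace(" (file missing)", "")
        elif section in ("O2", "O20") and not e.orphaned:
            e.path = rest.rsplit(" - ", 1)[-1]
        entries.append(e)
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registrations whose target file HijackThis could not find."""
    return [e for e in entries if e.orphaned]


def autorun_targets(entries: List[HjtEntry]) -> List[str]:
    """Executables started from Run keys (O4), quotes and arguments stripped."""
    return [e.path for e in entries if e.section == "O4" and e.path]


def dns_servers(entries: List[HjtEntry]) -> List[str]:
    """Unique O17 name servers in the order they appear."""
    seen: List[str] = []
    for e in entries:
        for s in e.dns:
            if s not in seen:
                seen.append(s)
    return seen


def unexpected_dns(entries: List[HjtEntry], expected: Set[str]) -> List[str]:
    """Name servers not on the reviewer-supplied allowlist of known-good resolvers."""
    return [s for s in dns_servers(entries) if s not in expected]


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_HJT_LOG)
    print("orphaned:", [e.text for e in orphaned_entries(parsed)])
    print("autoruns:", autorun_targets(parsed))
    print("dns not on allowlist:", unexpected_dns(parsed, {"192.0.2.1", "192.0.2.2"}))
```

The orphaned list is the cheap win: those entries reference nothing on disk and are what HijackThis exists to show. The DNS check is deliberately a comparison against a list the reviewer provides rather than a verdict, because which resolvers are legitimate depends entirely on the network the machine sits on.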
Old 6th January 2010   #12
broni (Malware Analyst)

Combofix log is incomplete.
Old 6th January 2010   #13
vanxiaolan (Member)

That's all I got from it... I'm not sure if it 'acted' normally either. While I ran ComboFix, the computer rebooted; the logs were automatically saved before it rebooted... then ComboFix kept going, but no logs, nor could I save any. Should I run it again?
Old 6th January 2010   #14
broni (Malware Analyst)

Please do.
Old 6th January 2010   #15
vanxiaolan (Member)

Can I simply take this machine and throw it out of the window?
...
Actually it's a brand new laptop... bought it in September... Euhm, ComboFix won't run anymore. I deleted it, re-downloaded and still nothing. I have followed every step by deactivating AVG and everything... ... ... Next step?
