
infostealer.gamepass - virus can't be killed

Discussion in 'Malware and Virus Removal Archive' started by picaso, 2007/03/28.

  1. 2007/03/28
    picaso

    Hi there,

    My PC was recently infected by a virus called infostealer.gamepass. NAV keeps popping up the warning but can't kill the virus at all. After I deleted some infected files and DLLs the case became worse; now it is in norton.dll. And it keeps adding a **** site shortcut on my desktop, annoying enough...

    I have already run Spybot S&D and Ad-Aware scans, and here is my HJT log file. Can any expert here help me to solve this problem?

    Many Thanks!

    HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 21:23:35, on 28/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\SysDayN6\svchost.exe
    C:\SysWsj6\svchost.exe
    C:\SysAd5D\svchost.exe
    C:\Syswm1h\svchost.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\86B9D630.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\HJT\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [nortons] C:\WINDOWS\nortons.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: NetGet搜索文件 - C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html
    O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.62.71 205.252.144.126
    O17 - HKLM\System\CS1\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.62.71 205.252.144.126
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     
  2. 2007/03/28
    TeMerc

    Hello and welcome to WindowsBBS Forums.

    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O4 - HKLM\..\Run: [nortons] C:\WINDOWS\nortons.exe


    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\nortons.exe<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     


  4. 2007/03/28
    picaso

    Hi,

    I have done exactly as instructed. Here is the fresh HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:27:22, on 29/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\SysDayN6\svchost.exe
    C:\SysWsj6\svchost.exe
    C:\SysAd5D\svchost.exe
    C:\Syswm1h\svchost.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\86B9D630.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: NetGet搜索文件 - C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html
    O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    Many thanks!
     
  5. 2007/03/28
    TeMerc

    Cripes!! :eek:

    I don't know how I overlooked these:

    • C:\SysDayN6\svchost.exe
      C:\SysWsj6\svchost.exe
      C:\SysAd5D\svchost.exe
      C:\Syswm1h\svchost.exe

    We need to delete the following folders:
    C:\SysDayN6<<<<---this folder
    C:\SysWsj6<<<<---this folder
    C:\SysAd5D<<<<---this folder
    C:\Syswm1h<<<<---this folder

    Reboot, post a new log please. Advise of any ongoing problems.
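    The four C:\Sys*\svchost.exe lines were easy to overlook in a forty-line process list because they carry the name of a core Windows binary; only the directory gives them away. The Python script below is an added example by the editor, not part of this thread and not a HijackThis feature: it triages a HijackThis 1.99.x log offline, flagging core-binary names running outside their expected directory, extra entries in the Userinit chain (the F2 line), and Run entries that launch an executable straight out of C:\WINDOWS. The expected-directory table assumes a default XP install at C:\WINDOWS (as the log header shows), the 8-hex-digit filename check and the C:\WINDOWS-root rule are the editor's heuristics, and the sample log is an abridged copy of the one posted above, embedded as constructed test input.

```python
import ntpath
import re

# Editor's added example: offline triage of a HijackThis v1.99.x log. Not part of the
# thread and not a HijackThis feature. SAMPLE_HJT_LOG is constructed from the log
# posted above (abridged) and serves only as test input.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\SysDayN6\svchost.exe
C:\SysWsj6\svchost.exe
C:\WINDOWS\system32\86B9D630.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [nortons] C:\WINDOWS\nortons.exe
"""

# Core XP binaries and the only directory each should run from (assumes a default
# install at C:\WINDOWS, as the log header shows). Same name elsewhere = masquerade.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# Editor's heuristic: an 8-hex-digit .exe in system32 has no vendor-looking name
# and is worth a signature/hash check. It is a prompt to verify, not a verdict.
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
RUN_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
USERINIT_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")


def _norm(path: str) -> str:
    """Lower-case a path and drop surrounding quotes/whitespace for comparison."""
    return path.strip().strip('"').strip().lower()


def check_processes(lines):
    """Findings for the 'Running processes:' block: masquerades and odd names."""
    findings, in_block = [], False
    for line in lines:
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():          # a blank line ends the block
            break
        directory, name = ntpath.split(_norm(line))
        expected = SYSTEM_BINARIES.get(name)
        if expected and directory != expected:
            findings.append(("masquerade", line.strip()))
        elif HEX_NAME.match(name):
            findings.append(("unexplained-name", line.strip()))
    return findings


def check_userinit(lines):
    """Everything in the Userinit chain runs at each logon; only userinit.exe belongs."""
    findings = []
    for line in lines:
        m = USERINIT_LINE.match(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            if entry.strip() and _norm(entry) != USERINIT_DEFAULT:
                findings.append(("userinit-extra", entry.strip()))
    return findings


def check_run_keys(lines):
    """Editor's heuristic: Run entries that launch an EXE straight out of C:\\WINDOWS."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line)
        if m and ntpath.dirname(_norm(m.group(3))) == r"c:\windows":
            findings.append(("run-from-windows-root", f"{m.group(2)} -> {m.group(3).strip()}"))
    return findings


def triage(log_text: str):
    """Run all checks over one HJT log and return (kind, detail) pairs."""
    lines = log_text.splitlines()
    return check_processes(lines) + check_userinit(lines) + check_run_keys(lines)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HJT_LOG):
        print(f"[{kind}] {detail}")
```

    Run as-is it reports the two C:\Sys*\svchost.exe masquerades, the NetGet.exe Userinit entry and nortons.exe; pass the text of a whole log to triage() for a real one. Treat every hit as something to verify by signature or hash rather than a verdict: 86B9D630.exe, for example, is flagged only for its name and is never identified in this thread.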
     
  6. 2007/03/28
    picaso

    Hi,

    Problematic folders deleted. But I found that a program called upxdnd.exe tried to auto-start but was blocked by WinPatrol. Here is the fresh HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:08:47, on 29/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\SysWsj7\svchost.exe
    C:\Syswm1i\svchost.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\86B9D630.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O8 - Extra context menu item: &使用BitComet下載本頁視頻 - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: NetGet搜索文件 - C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html
    O8 - Extra context menu item: 使用BitComet下載全部鏈接 - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: 使用BitComet下載鏈接(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.62.71 205.252.144.126
    O17 - HKLM\System\CS1\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.62.71 205.252.144.126
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     
  7. 2007/03/28
    TeMerc

    OK, I can't say I'm surprised; I was going to have you run another search tool, and I guess I should have. :p

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    Then select 'Yes' to confirm the search.
    When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.

    No need for a HJT log file.
     
  8. 2007/03/29
    picaso

    Hi,

    Here is the Silent Runners log:

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    "66" = "C:\SysDayN6\svchost.exe" [null data]
    "4" = "C:\SysWsj7\svchost.exe" [null data]
    "50" = "C:\SysAd5D\svchost.exe" [file not found]
    "333" = "C:\Syswm1i\svchost.exe" [null data]

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Skype" = " "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" [ "Skype Technologies S.A."]
    "H/PC Connection Agent" = " "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" " [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ccApp" = " "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
    "WinPatrol" = "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [ "BillP Studios"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture "
    -> {HKLM...CLSID} = "BitComet Helper "
    \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll" [ "BitComet"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [ "Safer Networking Limited"]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
    {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper "
    -> {HKLM...CLSID} = "CNavExtBho Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "**** CPL **" (unwritable string)
    -> {HKLM...CLSID} = "**** CPL **" (unwritable string)
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]

    Thanks mate!
     
  9. 2007/03/29
    TeMerc

    That log appears to be cut off. Let it run for a few minutes before copying it. I know an icon appears pretty quickly, but there will be a notification once the script has completely run.
     
  10. 2007/03/29
    picaso

    Hi,

    Here is the complete log file:

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    "66" = "C:\SysDayN6\svchost.exe" [null data]
    "4" = "C:\SysWsj7\svchost.exe" [null data]
    "50" = "C:\SysAd5D\svchost.exe" [file not found]
    "333" = "C:\Syswm1i\svchost.exe" [null data]

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Skype" = " "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" [ "Skype Technologies S.A."]
    "H/PC Connection Agent" = " "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" " [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ccApp" = " "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
    "WinPatrol" = "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [ "BillP Studios"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture "
    -> {HKLM...CLSID} = "BitComet Helper "
    \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll" [ "BitComet"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [ "Safer Networking Limited"]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
    {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper "
    -> {HKLM...CLSID} = "CNavExtBho Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "**** CPL **" (unwritable string)
    -> {HKLM...CLSID} = "**** CPL **" (unwritable string)
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx "
    -> {HKLM...CLSID} = "AlcoholShellEx "
    \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" [ "Alcohol Soft Development Team"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail "
    -> {HKLM...CLSID} = "YMailShellExt Class "
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [ "Yahoo! Inc."]
    "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device "
    -> {HKLM...CLSID} = "Mobile Device "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Wcesview.dll" [MS]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders "
    -> {HKLM...CLSID} = "*******" (unwritable string)
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
    -> {HKLM...CLSID} = "WPDShServiceObj Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a," [MS], [file not found], [file not found], [file not found], [file not found]

    HKLM\System\CurrentControlSet\Control\WOW\
    <<!>> "cmdline" = "C:\WINDOWS\system32\ntvdm.exe -o" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} "
    -> {HKLM...CLSID} = "IEContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499} "
    -> {HKLM...CLSID} = "YMailShellExt Class "
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [ "Yahoo! Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} "
    -> {HKLM...CLSID} = "IEContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "Norton AntiVirus - 執行全系統掃描 - kenny" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK: "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca" " [ "Symantec Corporation"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{C4069E3A-68F1-403E-B40E-20066696354B} "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
    "ButtonText" = "Create Mobile Favorite "
    "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} "
    -> {HKLM...CLSID} = "Create Mobile Favorite "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]

    {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
    "MenuText" = "Create Mobile Favorite... "
    "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} "
    -> {HKLM...CLSID} = "Create Mobile Favorite "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings ")

    Added lines (compared with English-language version):
    : Version]
    : Signature="$CHICAGO$"
    : AdvancedINF=2.5,"You need a new version of advpack.dll"
    :
    : [RestoreHomePage]
    : AddReg=RestoreHomePage.reg
    :
    : [RestoreBrowserSettings]
    : AddReg=RestoreBrowserSettings.reg
    : DelReg=DeleteTemplates.reg,DeleteAutosearch.reg
    :
    : [RestoreHomePage.reg]
    : HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%
    :
    : [RestoreBrowserSettings.reg]
    : HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
    : HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
    : HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
    : HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
    :
    : ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset
    : HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""
    :
    : tm"
    : tm"
    : HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"
    :
    : [DeleteTemplates.reg]
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
    : HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"
    :
    : [DeleteAutosearch.reg]
    : ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset
    : HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"
    :
    : [Strings]
    : START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
    : SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    : SAFESITE_VALUE="ie.search.msn.com"
    :
    : ; IMPORTANT NOTE:
    : ; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
    : ; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
    : ; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
    : MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
    :

    Missing lines (compared with English-language version):
    [Version]: 2 lines
    [RestoreHomePage]: 1 line
    [RestoreHomePage.reg]: 1 line
    [RestoreBrowserSettings.reg]: 12 lines
    [DeleteTemplates.reg]: 5 lines
    [DeleteAutosearch.reg]: 1 line
    [Strings]: 1 line
    [RestoreBrowserSettings]: 2 lines
    [Strings]: 3 lines


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Cyberlink RichVideo Service(CRVS), RichVideo, " "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" " [empty string]
    Norton AntiVirus Auto-Protect Service, navapsvc, " "C:\Program Files\Norton AntiVirus\navapsvc.exe" " [ "Symantec Corporation"]
    Norton AntiVirus Firewall Monitor Service, NPFMntor, " "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" " [ "Symantec Corporation"]
    Norton Protection Center Service, NSCService, " "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE" " [ "Symantec Corporation"]
    SmartLinkService, SLService, "slserv.exe" [ "Smart Link"]
    Symantec Core LC, Symantec Core LC, " "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" " [ "Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, " "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" " [ "Symantec Corporation"]
    Symantec Network Drivers Service, SNDSrvc, " "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" " [ "Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, " "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" " [ "Symantec Corporation"]
    ** LiveUpdate *** (unwritable string), ** LiveUpdate *** (unwritable string), " "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" " [ "Symantec Corporation"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 44 seconds.
    ---------- (total run time: 168 seconds)
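The log above marks the Winlogon "Userinit" value with <<!>>: a second program (NetGet.exe, with an argument) has been appended after userinit.exe, so it runs at every logon, and the process list at the top of the same log shows several copies of svchost.exe running from C:\Sys*\ directories rather than System32. The script below is an added example, not part of this thread or of Silent Runners: it applies those two checks (Userinit/Shell values, and core system binaries running outside System32) to constructed sample lines modelled on the log. The function names, the CORE_BINARIES list and the sample lines are assumptions made for the example; nothing here reads a live registry.

```python
"""Audit two launch points visible in a Silent Runners-style log: the Winlogon
Userinit/Shell values and core system binaries running from outside System32.
Sample lines are constructed to mirror the thread's log; no live registry is read."""
import ntpath
import re

# Binaries that on Windows XP legitimately run only from %SystemRoot%\System32.
# A process with one of these names in any other directory is masquerading.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "spoolsv.exe"}

# Silent Runners value line: optional <<!>> flag, "Name" = "Data" [Company], ...
SR_VALUE = re.compile(r'^\s*(?:<<!>>\s*)?"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*?)"\s*(?:\[.*)?$')


def norm(path):
    """Case-fold and normalise a Windows path so System32/system32 compare equal."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def split_userinit(value):
    """Userinit is a comma-separated program list; Windows runs each entry at logon."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Flag a replaced userinit.exe or any extra program appended to the list."""
    expected = norm(ntpath.join(system_root, "system32", "userinit.exe"))
    entries = split_userinit(value)
    findings = []
    if not entries or norm(entries[0]) != expected:
        findings.append(("userinit_replaced", entries[0] if entries else ""))
    for extra in entries[1:]:
        findings.append(("userinit_extra_program", extra))
    return findings


def audit_shell(value):
    """The default Winlogon Shell is Explorer.exe; anything else is a replacement."""
    return [] if norm(value) == "explorer.exe" else [("shell_replaced", value)]


def audit_winlogon_lines(lines, system_root=r"C:\WINDOWS"):
    """Parse Silent Runners-style Winlogon lines and apply the two value checks."""
    findings = []
    for line in lines:
        match = SR_VALUE.match(line)
        if not match:
            continue
        name, data = match.group("name").lower(), match.group("data")
        if name == "userinit":
            findings += audit_userinit(data, system_root)
        elif name == "shell":
            findings += audit_shell(data)
    return findings


def audit_process_paths(paths, system_root=r"C:\WINDOWS"):
    """Flag core binaries whose image directory is not the System32 directory."""
    system32 = norm(ntpath.join(system_root, "system32"))
    findings = []
    for path in paths:
        full = norm(path)
        if ntpath.basename(full) in CORE_BINARIES and ntpath.dirname(full) != system32:
            findings.append(("core_binary_outside_system32", path))
    return findings


# Constructed sample input modelled on the log in this thread (not copied verbatim).
SAMPLE_WINLOGON = [
    r'"Shell" = "Explorer.exe" [MS]',
    r'<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\Desktop\Download\wmp\NetGet.exe a," [MS], [file not found]',
]
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\SysDayN6\svchost.exe",
    r"C:\SysWsj6\svchost.exe",
    r"C:\Program Files\Skype\Phone\Skype.exe",
]


def run_demo():
    """Return every finding from the constructed samples, in input order."""
    return audit_winlogon_lines(SAMPLE_WINLOGON) + audit_process_paths(SAMPLE_PROCESSES)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind}: {detail}")
```

On the constructed samples the script reports one extra Userinit program (NetGet.exe) and two svchost.exe images outside System32; the Skype process and the real System32 binaries produce no findings. The same two checks apply to the SREng output later in this thread, which lists the Userinit value in the same form.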
     
  11. 2007/03/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi, I haven't forgotten about you, I have a couple of questions on a couple of lines which I'm trying to research, I hope to have something tonight, thanks for being patient.
     
  12. 2007/03/30
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Thanks mate. Take your time.
     
  13. 2007/03/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Sorry this has taken so long.

    I'd like you to get a couple of files scanned for me please.

    Please go to Jotti Online File Scanner

    Just navigate to each below, hit the submit button and post results here for me to see.
    C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe<<<<---this file

    C:\WINDOWS\system32\ntvdm.exe<<<<---this file
     
  14. 2007/03/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Please download System Repair Engineer from here
    • Extract it to Desktop & double-click SREng.exe to run it
    • Select 'Smart Scan' & tick 'Verify Digital Signatures'
    • If you have a custom hosts file installed un-check the Hosts File box
    Click on the Scan button
    When finished, click on the Save Reports button & save the log to Desktop

    Post the log here for me to review.
     
  15. 2007/04/01
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

    Here is the file scanning result (only got the second file, the first file doesn't exist anymore):

    Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

    File to upload & scan:
    Service
    Service load: 0% 100%

    File: ntvdm.exe
    Status: OK
    MD5 b18fb1989d210b6405ecd9ac651b05aa
    Packers detected: -

    Scanner results
    Scan taken on 01 Apr 2007 10:46:05 (GMT)
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  16. 2007/04/01
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

    Here is the SREng log file:

    Code:
    
    2007-04-01,19:01:06
    
    System Repair Engineer 2.4.12.806
    Smallfrogs (http://www.KZTechs.com)
    
    Windows XP Home Edition Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed
    
    Follow item(s) have been choosed:
        All Boot Items (Including Registry, Startup Folders, Services and so on)
        Browser Add-ons
        Runing Processes (Including process model information)
        File Associations
        Winsock Provider
        Autorun.Inf
    
    
    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        <Skype>< "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized>  [(Verified)Skype Technologies SA]
        <H/PC Connection Agent>< "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe ">  [(Verified)Microsoft Corporation]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
        <66><C:\SysDayN6\svchost.exe>  []
        <4><C:\SysWsj7\svchost.exe>  []
        <50><C:\SysAd5D\svchost.exe>  [N/A]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <load><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        <ccApp>< "C:\Program Files\Common Files\Symantec Shared\ccApp.exe ">  [(Verified)Symantec Corporation]
        <WinPatrol><C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe>  [(Verified)BillP Studios]
        <upxdnd><C:\DOCUME~1\kenny\LOCALS~1\Temp\upxdnd.exe>  []
        <Flashget>< "C:\Program Files\FlashGet\FlashGet.exe" /min>  [FlashGet.com]
        <msccrt><C:\WINDOWS\msccrt.exe>  []
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
        <Userinit><C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <AppInit_DLLs><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
        <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <IMJPMIG8.1><; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <MsnMsgr><;  "C:\Program Files\MSN Messenger\msnmsgr.exe" /background>  [(Verified)Microsoft Corporation]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <PHIME2002A><; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
        <PHIME2002ASync><; C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <Yahoo! Pager><;  "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet>  [(Verified)Yahoo! Inc.]
    
    ==================================
    Startup Folders
    N/A
    
    ==================================
    Services
    [Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
      < "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe "><Adobe Systems>
    [Application Management / AppMgmt][Stopped/Manual Start]
      <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
    [Symantec Event Manager / ccEvtMgr][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "><Symantec Corporation>
    [Symantec Settings Manager / ccSetMgr][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe "><Symantec Corporation>
    [D726C020 / D726C020][Stopped/Auto Start]
      <C:\WINDOWS\system32\D726C020.EXE -service><Microsoft Corporation>
    [E5C073A0 / E5C073A0][Stopped/Auto Start]
      <C:\WINDOWS\system32\E5C073A0.EXE -service><Microsoft Corporation>
    [LiveUpdate / LiveUpdate][Stopped/Manual Start]
      < "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE "><Symantec Corporation>
    [Norton AntiVirus Auto-Protect Service / navapsvc][Running/Auto Start]
      < "C:\Program Files\Norton AntiVirus\navapsvc.exe "><Symantec Corporation>
    [Norton AntiVirus Firewall Monitor Service / NPFMntor][Running/Auto Start]
      < "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe "><Symantec Corporation>
    [Norton Protection Center Service / NSCService][Running/Manual Start]
      < "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE "><Symantec Corporation>
    [Cyberlink RichVideo Service(CRVS) / RichVideo][Running/Auto Start]
      < "C:\Program Files\CyberLink\Shared Files\RichVideo.exe "><>
    [Symantec AVScan / SAVScan][Stopped/Manual Start]
      < "C:\Program Files\Norton AntiVirus\SAVScan.exe "><Symantec Corporation>
    [SmartLinkService / SLService][Running/Auto Start]
      <slserv.exe><Smart Link>
    [Symantec Network Drivers Service / SNDSrvc][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe "><Symantec Corporation>
    [SPBBCSvc / SPBBCSvc][Stopped/Manual Start]
      < "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe "><Symantec Corporation>
    [Symantec Core LC / Symantec Core LC][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe "><Symantec Corporation>
    [Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
      <C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>
    [自動 LiveUpdate 排程器 / 自動 LiveUpdate 排程器][Running/Auto Start]
      < "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe "><Symantec Corporation>
    
    ==================================
    Drivers
    [Symantec Eraser Control driver / eeCtrl][Running/System Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys><Symantec Corporation>
    [EraserUtilRebootDrv / EraserUtilRebootDrv][Running/Manual Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys><Symantec Corporation>
    [Mtlmnt5 / Mtlmnt5][Running/Manual Start]
      <System32\DRIVERS\Mtlmnt5.sys><Smart Link>
    [Mtlstrm / Mtlstrm][Stopped/Manual Start]
      <System32\DRIVERS\Mtlstrm.sys><Smart Link>
    [NAVENG / NAVENG][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070331.004\NAVENG.Sys><Symantec Corporation>
    [NAVEX15 / NAVEX15][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070331.004\NavEx15.Sys><Symantec Corporation>
    [NtMtlFax / NtMtlFax][Stopped/Manual Start]
      <System32\DRIVERS\NtMtlFax.sys><Smart Link>
    [直接平行連接埠連結驅動程式 / Ptilink][Running/Manual Start]
      <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [RecAgent / RecAgent][Running/Boot Start]
      <\SystemRoot\System32\DRIVERS\RecAgent.sys><Smart Link>
    [Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
      <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
    [SAVRT / SAVRT][Running/System Start]
      <\??\C:\Program Files\Norton AntiVirus\SAVRT.SYS><Symantec Corporation>
    [SAVRTPEL / SAVRTPEL][Running/System Start]
      <\??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS><Symantec Corporation>
    [Secdrv / Secdrv][Stopped/Manual Start]
      <System32\DRIVERS\secdrv.sys><N/A>
    [StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
    [StarForce Protection Environment Driver (version 1.x.a) / sfdrv01a][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfdrv01a.sys><Protection Technology (StarForce)>
    [StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology (StarForce)>
    [StarForce Protection Synchronization Driver (version 2.x) / sfsync02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfsync02.sys><Protection Technology>
    [StarForce Protection Synchronization Driver (version 4.x) / sfsync04][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfsync04.sys><Protection Technology (StarForce)>
    [StarForce Protection VFS Driver (version 2.x) / sfvfs02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfvfs02.sys><Protection Technology (StarForce)>
    [SiS315 / SiS315][Running/Manual Start]
      <System32\DRIVERS\sisgrp.sys><Silicon Integrated Systems Corporation>
    [SIS AGP Bus Filter / sisagp][Running/Boot Start]
      <\SystemRoot\System32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
    [SiSkp / SiSkp][Running/System Start]
      <System32\DRIVERS\srvkp.sys><Silicon Integrated Systems Corporation>
    [Smart Link 56K Modem Driver / Slntamr][Running/Manual Start]
      <System32\DRIVERS\slntamr.sys><Smart Link>
    [SlNtHal / SlNtHal][Stopped/Manual Start]
      <System32\DRIVERS\Slnthal.sys><Smart Link>
    [SlWdmSup / SlWdmSup][Running/Manual Start]
      <System32\DRIVERS\SlWdmSup.sys><Smart Link>
    [SPBBCDrv / SPBBCDrv][Stopped/Manual Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys><Symantec Corporation>
    [sptd / sptd][Running/Boot Start]
      <\SystemRoot\System32\Drivers\sptd.sys><N/A>
    [Audio Driver (WDM) - SigmaTel CODEC / STAC97][Running/Manual Start]
      <system32\drivers\STAC97.sys><SigmaTel, Inc.>
    [SYMDNS / SYMDNS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMDNS.SYS><Symantec Corporation>
    [SymEvent / SymEvent][Running/Manual Start]
      <\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS><Symantec Corporation>
    [SYMFW / SYMFW][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMFW.SYS><Symantec Corporation>
    [SYMIDS / SYMIDS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMIDS.SYS><Symantec Corporation>
    [SYMIDSCO / SYMIDSCO][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070330.003\symidsco.sys><Symantec Corporation>
    [symlcbrd / symlcbrd][Running/Auto Start]
      <\??\C:\WINDOWS\System32\drivers\symlcbrd.sys><Symantec Corporation>
    [SYMNDIS / SYMNDIS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMNDIS.SYS><Symantec Corporation>
    [SYMREDRV / SYMREDRV][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
    [SYMTDI / SYMTDI][Running/System Start]
      <\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
    [Windows Driver Foundation - User-mode Driver Framework Platform Driver / WudfPf][Stopped/Manual Start]
      <system32\DRIVERS\WudfPf.sys><Microsoft Corporation>
    [Windows Driver Foundation - User-mode Driver Framework Reflector / WudfRd][Stopped/Manual Start]
      <system32\DRIVERS\wudfrd.sys><Microsoft Corporation>
    [xmasbus / xmasbus][Running/Boot Start]
      <\SystemRoot\system32\DRIVERS\xmasbus.sys><>
    [xmasscsi / xmasscsi][Running/Boot Start]
      <\SystemRoot\System32\Drivers\xmasscsi.sys><>
    
    ==================================
    Browser Add-ons
    [FGCatchUrl]
      {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [BitComet Helper]
      {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll, BitComet>
    []
      {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [Windows Live Sign-in Helper]
      {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
    [CNavExtBho Class]
      {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [FlashGet GetFlash Class]
      {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, www.flashget.com>
    [Create Mobile Favorite]
      {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} <C:\PROGRA~1\MICROS~4\INetRepl.dll, Microsoft Corporation>
    [Create Mobile Favorite]
      {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} <C:\PROGRA~1\MICROS~4\INetRepl.dll, Microsoft Corporation>
    [FlashGet]
      {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\Program Files\FlashGet\FlashGet.exe, FlashGet.com>
    [Messenger]
      {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
    [Norton AntiVirus]
      {C4069E3A-68F1-403E-B40E-20066696354B} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [PowerList Control]
      {20C2C286-BDE8-441B-B73D-AFA22D914DA5} <C:\WINDOWS\DOWNLO~1\POWERL~1.OCX, PPStream.com>
    [YInstStarter Class]
      {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} <C:\Program Files\Yahoo!\Common\yinsthelper.dll, Yahoo! Inc.>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [Performance Viewer Activex Control]
      {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} <C:\WINDOWS\Downloaded Program Files\RACtrl.dll, >
    [HTML Document]
      {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\System32\mshtml.dll, N/A>
    [FGCatchUrl]
      {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [HtmlDlgSafeHelper Class]
      {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\System32\mshtmled.dll, Microsoft Corporation>
    [BitComet Helper]
      {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll, BitComet>
    []
      {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [Windows Media Player]
      {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [Windows Live Sign-in Helper]
      {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
    [CNavExtBho Class]
      {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [SearchAssistantOC]
      {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
    [RDS.DataSpace]
      {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
    [Norton AntiVirus]
      {C4069E3A-68F1-403E-B40E-20066696354B} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [AUDIO__X_MS_WMA Moniker Class]
      {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [VIDEO__X_MS_ASF Moniker Class]
      {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [MessengerChecker Class]
      {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, Yahoo! Inc.>
    [FlashGet GetFlash Class]
      {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, www.flashget.com>
    [FGCatchUrl]
      {FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [&使用 FlashGet 下載]
      <C:\Program Files\FlashGet\jc_link.htm, N/A>
    [&使用BitComet下載本頁視頻]
      <res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm, N/A>
    [&全部使用 FlashGet 下載]
      <C:\Program Files\FlashGet\jc_all.htm, N/A>
    [NetGet搜索文件]
      <C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html, N/A>
    [使用BitComet下載全部鏈接]
      <res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
    [使用BitComet下載鏈接(&B)]
      <res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
    [匯出至 Microsoft Excel(&X)]
      <res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000, N/A>
    
    ==================================
    Running Processes
    [PID: 500][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 548][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1288][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\WINDOWS\system32\E5C073A0.DLL]  [Microsoft Corporation, ]
        [C:\WINDOWS\system32\D726C020.DLL]  [Microsoft Corporation, ]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCEXT.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCEXT.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
        [C:\Program Files\Norton AntiVirus\NavShExt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
        [C:\DOCUME~1\kenny\LOCALS~1\Temp\upxdnd.dll]  [N/A, ]
        [C:\Program Files\Spybot - Search & Destroy\SDHelper.dll]  [Safer Networking Limited, 1, 4, 0, 0]
    [PID: 1516][C:\Program Files\Common Files\Symantec Shared\ccApp.exe]  [Symantec Corporation, 104.0.8.3]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCTRAY.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCTRAY.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL]  [Symantec Corporation, 104.0.5.3]
        [C:\WINDOWS\system32\ATL71.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\rcEmlPxy.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\NORTON~1\DEFALERT.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\HPP32.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUICOR.dll]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUICOR.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\NORTON~1\HPPRES32.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\WINDOWS\system32\SYMREDIR.DLL]  [Symantec Corporation, 6.0.0.99]
        [C:\Program Files\Common Files\Symantec Shared\Security Console\NSC_Hlpr.dll]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Common Files\Symantec Shared\ccProSub.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\NORTON~1\IWP\IWP.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVAPW32.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\apwutil.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\navapw32.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\NORTON~1\NAVOPTRF.DLL]  [Symantec Corporation, 12.0.0.94]
        [C:\PROGRA~1\NORTON~1\STATUSHP.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\ccAVMail.dll]  [Symantec Corporation, 104.0.5.3]
        [C:\PROGRA~1\NORTON~1\apwutil.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\Navlcom.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\NAVError.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\HPPEVT32.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\naverror.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\apwcmdnt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\apwcmdNT.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCEvt.dll]  [Symantec Corporation, 2.1.0.4]
        [C:\Program Files\Norton AntiVirus\NAVEvent.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\IWP\SymFWAgt.dll]  [Symantec Corporation, 104.0.1.17]
        [C:\WINDOWS\system32\SymNeti.DLL]  [Symantec Corporation, 6.0.0.99]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVPS.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Common Files\Symantec Shared\ccLogin.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Norton AntiVirus\IWP\ccFWSetg.dll]  [Symantec Corporation, 104.0.1.17]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUIBL.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Norton AntiVirus\NAVOpts.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\navopts.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\NAVAPSCR.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Symantec\LiveUpdate\ProductRegCom_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\Program Files\Symantec\LiveUpdate\NetDetectController_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\Program Files\Symantec\LiveUpdate\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\Program Files\Symantec\LiveUpdate\LuComServerPS_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\PROGRA~1\NORTON~1\NAVTasks.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVTasks.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\N32Exclu.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\rcAlert.dll]  [Symantec Corporation, 104.0.8.3]
    [PID: 1524][C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe]  [BillP Studios, 11, 1, 2007, 0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 1576][C:\SysDayN6\svchost.exe]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [PID: 1596][C:\SysWsj7\svchost.exe]  [N/A, ]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 1620][C:\Program Files\Skype\Phone\Skype.exe]  [Skype Technologies S.A., 3.0.0.218]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
        [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [PID: 1632][C:\Program Files\Microsoft ActiveSync\Wcescomm.exe]  [Microsoft Corporation, 4.5.5096.0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 1704][C:\PROGRA~1\MICROS~4\rapimgr.exe]  [Microsoft Corporation, 4.5.5096.0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [PID: 1944][C:\Program Files\Skype\Plugin Manager\SkypePM.exe]  [Skype Technologies, 1.0.0.225]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll]  [EasyBits Software Corp., 1.0.0.599]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [PID: 3856][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [PID: 1104][C:\WINDOWS\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [PID: 2864][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\FlashGet\jccatch.dll]  [www.flashget.com, 1, 8, 1, 1006]
        [C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll]  [BitComet, 20070207]
        [C:\Program Files\Spybot - Search & Destroy\SDHelper.dll]  [Safer Networking Limited, 1, 4, 0, 0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
        [C:\Program Files\Norton AntiVirus\NavShExt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\FlashGet\getflash.dll]  [www.flashget.com, 1, 8, 1, 1002]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 3992][C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe]  [Microsoft Corporation, 4.100.313.1]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [PID: 7424][C:\Documents and Settings\kenny\桌面\Download\sreng\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\SysDayN6\Ghook.dll]  [N/A, ]
    
    ==================================
    File Associations
    .TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .EXE  OK. [ "%1" %*]
    .COM  OK. [ "%1" %*]
    .PIF  OK. [ "%1" %*]
    .REG  OK. [regedit.exe  "%1"]
    .BAT  OK. [ "%1" %*]
    .SCR  OK. [ "%1" /S]
    .CHM  OK. [ "C:\WINDOWS\hh.exe" %1]
    .HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
    .INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS  OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .JS   OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .LNK  OK. [{00021401-0000-0000-C000-000000000046}]
    
    ==================================
    Winsock Provider
    N/A
    
    ==================================
    Autorun.Inf
    N/A
    
    ==================================
    HOSTS File
    N/A
    
    ==================================
    API HOOK
    N/A
    
    ==================================
    Hidden Process
    N/A
    
    ==================================
    
    
    
     
  17. 2007/04/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's try to kill some files here.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\SysDayN6\Ghook.dll
    C:\SysWsj7\Ghook.dll
    C:\SysWsj7\svchost.exe

    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Allow reboot, but go into safe mode and delete the following folders:
    C:\SysDayN6<<<<---this folder
    C:\SysWsj7<<<<---this folder

    Reboot back into normal mode, give me another SREng log please. Also advise of any continued or new problems.
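The three things TeMerc is picking out of that log (the entries under Policies\Explorer\Run that SREng could not verify, the svchost.exe copies living outside System32, and the Ghook.dll mapped into nearly every process) can be pulled out mechanically. The script below is an added example, not part of this thread and not an SREng tool; it assumes the SREng line formats noted in its docstring and runs over a constructed excerpt shaped like the logs posted here.

```python
"""Triage helper for SREng-style logs (added example; not from this thread or from SREng).
Assumed line formats, modelled on the log posted above:  <name><command>  [(Verified)Vendor]
for boot items (signer may be [N/A] or []);  [PID: n][exe path]  [Vendor, version] for a process,
followed by its modules indented as  [dll path]  [Vendor, version].
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "kind path detail")

BOOT_ITEM_RE = re.compile(r"^\s*<([^>]*)><(.*?)>\s+\[(.*)\]\s*$")
PROCESS_RE = re.compile(r"^\s*\[PID: (\d+)\]\[(.*?)\]\s+\[(.*)\]\s*$")
MODULE_RE = re.compile(r"^\s+\[(.*?)\]\s+\[(.*)\]\s*$")
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"<>]*?\.exe)"?', re.IGNORECASE)
# Core Windows binaries whose names get reused for look-alike files outside System32.
MASQUERADE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}

# Constructed excerpt in the shape of the SREng output in this thread (not the full log).
SAMPLE_LOG = r"""
Boot Items
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Skype>< "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized>  [(Verified)Skype Technologies SA]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <66><C:\SysDayN6\svchost.exe>  [N/A]
    <4><C:\SysWsj7\svchost.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <upxdnd><C:\DOCUME~1\kenny\LOCALS~1\Temp\upxdnd.exe>  []
==================================
Running Processes
[PID: 500][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1288][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\SysDayN6\Ghook.dll]  [N/A, ]
    [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
[PID: 1576][C:\SysDayN6\svchost.exe]  [N/A, ]
    [C:\SysDayN6\Ghook.dll]  [N/A, ]
[PID: 1620][C:\Program Files\Skype\Phone\Skype.exe]  [Skype Technologies S.A., 3.0.0.218]
    [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [C:\SysDayN6\Ghook.dll]  [N/A, ]
==================================
"""

def parse_sreng(text):
    """Return {'boot_items': [...], 'processes': [...]} from the two sections above."""
    boot_items, processes, section, key, proc = [], [], None, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Boot Items", "Running Processes"):
            section = stripped
        elif stripped.startswith("====="):
            section = None
        elif section == "Boot Items":
            if stripped.startswith("[HKEY"):
                key = stripped.strip("[]")          # registry key the following entries sit under
            elif BOOT_ITEM_RE.match(line):
                name, cmd, signer = BOOT_ITEM_RE.match(line).groups()
                boot_items.append({"key": key, "name": name, "command": cmd, "signer": signer.strip()})
        elif section == "Running Processes":
            m = PROCESS_RE.match(line)
            if m:
                proc = {"pid": int(m.group(1)), "path": m.group(2),
                        "vendor": m.group(3).split(",")[0].strip(), "modules": []}
                processes.append(proc)
            elif proc is not None and MODULE_RE.match(line):
                path, vendor = MODULE_RE.match(line).groups()
                proc["modules"].append((path, vendor.split(",")[0].strip()))
    return {"boot_items": boot_items, "processes": processes}

def triage(parsed, min_hosts=2):
    """Flag the three patterns the helpers in this thread act on."""
    findings = []
    # 1. Autorun entries for which SREng could not verify a publisher.
    for item in parsed["boot_items"]:
        if item["command"].strip() and not item["signer"].startswith("(Verified)"):
            findings.append(Finding("unverified-autorun", item["command"], item["key"]))
    # 2. A file carrying a core Windows binary's name but living outside System32.
    exes = [e for i in parsed["boot_items"] for e in EXE_RE.findall(i["command"])]
    exes += [p["path"] for p in parsed["processes"]]
    seen = set()
    for exe in exes:
        low = exe.lower()
        folder, _, name = low.rpartition("\\")
        if name in MASQUERADE_NAMES and not folder.endswith("\\system32") and low not in seen:
            seen.add(low)
            findings.append(Finding("masquerading-system-binary", exe, folder))
    # 3. An unsigned module mapped into several unrelated processes (global-hook behaviour).
    hosts = defaultdict(set)
    for p in parsed["processes"]:
        for mod, vendor in p["modules"]:
            if vendor in ("", "N/A"):
                hosts[mod.lower()].add(p["pid"])
    for mod, pids in sorted(hosts.items()):
        if len(pids) >= min_hosts:
            findings.append(Finding("unsigned-module-widely-loaded", mod, len(pids)))
    return findings

if __name__ == "__main__":
    for f in triage(parse_sreng(SAMPLE_LOG)):
        print(f"{f.kind:32} {f.path}  ({f.detail})")
```

Note that rarext.dll, which is also unsigned in the log, is not flagged: it is loaded by Explorer alone, which is normal for a shell extension, whereas Ghook.dll shows up in every process.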
     
  18. 2007/04/02
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

    Files and folders deleted, here is the new SRENG log file:

    Code:
    
    2007-04-02,18:28:54
    
    System Repair Engineer 2.4.12.806
    Smallfrogs (http://www.KZTechs.com)
    
    Windows XP Home Edition Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed
    
    Follow item(s) have been choosed:
        All Boot Items (Including Registry, Startup Folders, Services and so on)
        Browser Add-ons
        Runing Processes (Including process model information)
        File Associations
        Winsock Provider
        Autorun.Inf
    
    
    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        <Skype>< "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized>  [(Verified)Skype Technologies SA]
        <H/PC Connection Agent>< "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe ">  [(Verified)Microsoft Corporation]
        <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
        <msnmsgr>< "C:\Program Files\MSN Messenger\msnmsgr.exe" /background>  [(Verified)Microsoft Corporation]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
        <66><C:\SysDayN6\svchost.exe>  [N/A]
        <4><C:\SysWsj7\svchost.exe>  [N/A]
        <50><C:\SysAd5D\svchost.exe>  [N/A]
        <333><C:\Syswm1i\svchost.exe>  [N/A]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <load><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        <ccApp>< "C:\Program Files\Common Files\Symantec Shared\ccApp.exe ">  [(Verified)Symantec Corporation]
        <WinPatrol><C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe>  [(Verified)BillP Studios]
        <upxdnd><C:\DOCUME~1\kenny\LOCALS~1\Temp\upxdnd.exe>  []
        <Flashget>< "C:\Program Files\FlashGet\FlashGet.exe" /min>  [FlashGet.com]
        <msccrt><C:\WINDOWS\msccrt.exe>  []
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
        <Userinit><C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <AppInit_DLLs><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
        <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
    
    ==================================
    Startup Folders
    N/A
    
    ==================================
    Services
    [Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
      < "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe "><Adobe Systems>
    [Application Management / AppMgmt][Stopped/Manual Start]
      <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
    [Symantec Event Manager / ccEvtMgr][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "><Symantec Corporation>
    [Symantec Settings Manager / ccSetMgr][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe "><Symantec Corporation>
    [D726C020 / D726C020][Stopped/Auto Start]
      <C:\WINDOWS\system32\D726C020.EXE -service><Microsoft Corporation>
    [E5C073A0 / E5C073A0][Stopped/Auto Start]
      <C:\WINDOWS\system32\E5C073A0.EXE -service><Microsoft Corporation>
    [LiveUpdate / LiveUpdate][Stopped/Manual Start]
      < "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE "><Symantec Corporation>
    [Norton AntiVirus Auto-Protect Service / navapsvc][Running/Auto Start]
      < "C:\Program Files\Norton AntiVirus\navapsvc.exe "><Symantec Corporation>
    [Norton AntiVirus Firewall Monitor Service / NPFMntor][Running/Auto Start]
      < "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe "><Symantec Corporation>
    [Norton Protection Center Service / NSCService][Running/Manual Start]
      < "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE "><Symantec Corporation>
    [Cyberlink RichVideo Service(CRVS) / RichVideo][Running/Auto Start]
      < "C:\Program Files\CyberLink\Shared Files\RichVideo.exe "><>
    [Symantec AVScan / SAVScan][Stopped/Manual Start]
      < "C:\Program Files\Norton AntiVirus\SAVScan.exe "><Symantec Corporation>
    [SmartLinkService / SLService][Running/Auto Start]
      <slserv.exe><Smart Link>
    [Symantec Network Drivers Service / SNDSrvc][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe "><Symantec Corporation>
    [SPBBCSvc / SPBBCSvc][Stopped/Manual Start]
      < "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe "><Symantec Corporation>
    [Symantec Core LC / Symantec Core LC][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe "><Symantec Corporation>
    [Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
      <C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>
    [自動 LiveUpdate 排程器 / 自動 LiveUpdate 排程器][Running/Auto Start]
      < "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe "><Symantec Corporation>
    
    ==================================
    Drivers
    [Symantec Eraser Control driver / eeCtrl][Running/System Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys><Symantec Corporation>
    [EraserUtilRebootDrv / EraserUtilRebootDrv][Running/Manual Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys><Symantec Corporation>
    [Mtlmnt5 / Mtlmnt5][Running/Manual Start]
      <System32\DRIVERS\Mtlmnt5.sys><Smart Link>
    [Mtlstrm / Mtlstrm][Stopped/Manual Start]
      <System32\DRIVERS\Mtlstrm.sys><Smart Link>
    [NAVENG / NAVENG][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070401.018\NAVENG.Sys><Symantec Corporation>
    [NAVEX15 / NAVEX15][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070401.018\NavEx15.Sys><Symantec Corporation>
    [NtMtlFax / NtMtlFax][Stopped/Manual Start]
      <System32\DRIVERS\NtMtlFax.sys><Smart Link>
    [直接平行連接埠連結驅動程式 / Ptilink][Running/Manual Start]
      <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [RecAgent / RecAgent][Running/Boot Start]
      <\SystemRoot\System32\DRIVERS\RecAgent.sys><Smart Link>
    [Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
      <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
    [SAVRT / SAVRT][Running/System Start]
      <\??\C:\Program Files\Norton AntiVirus\SAVRT.SYS><Symantec Corporation>
    [SAVRTPEL / SAVRTPEL][Running/System Start]
      <\??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS><Symantec Corporation>
    [Secdrv / Secdrv][Stopped/Manual Start]
      <System32\DRIVERS\secdrv.sys><N/A>
    [StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
    [StarForce Protection Environment Driver (version 1.x.a) / sfdrv01a][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfdrv01a.sys><Protection Technology (StarForce)>
    [StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology (StarForce)>
    [StarForce Protection Synchronization Driver (version 2.x) / sfsync02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfsync02.sys><Protection Technology>
    [StarForce Protection Synchronization Driver (version 4.x) / sfsync04][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfsync04.sys><Protection Technology (StarForce)>
    [StarForce Protection VFS Driver (version 2.x) / sfvfs02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfvfs02.sys><Protection Technology (StarForce)>
    [SiS315 / SiS315][Running/Manual Start]
      <System32\DRIVERS\sisgrp.sys><Silicon Integrated Systems Corporation>
    [SIS AGP Bus Filter / sisagp][Running/Boot Start]
      <\SystemRoot\System32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
    [SiSkp / SiSkp][Running/System Start]
      <System32\DRIVERS\srvkp.sys><Silicon Integrated Systems Corporation>
    [Smart Link 56K Modem Driver / Slntamr][Running/Manual Start]
      <System32\DRIVERS\slntamr.sys><Smart Link>
    [SlNtHal / SlNtHal][Stopped/Manual Start]
      <System32\DRIVERS\Slnthal.sys><Smart Link>
    [SlWdmSup / SlWdmSup][Running/Manual Start]
      <System32\DRIVERS\SlWdmSup.sys><Smart Link>
    [SPBBCDrv / SPBBCDrv][Stopped/Manual Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys><Symantec Corporation>
    [sptd / sptd][Running/Boot Start]
      <\SystemRoot\System32\Drivers\sptd.sys><N/A>
    [Audio Driver (WDM) - SigmaTel CODEC / STAC97][Running/Manual Start]
      <system32\drivers\STAC97.sys><SigmaTel, Inc.>
    [SYMDNS / SYMDNS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMDNS.SYS><Symantec Corporation>
    [SymEvent / SymEvent][Running/Manual Start]
      <\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS><Symantec Corporation>
    [SYMFW / SYMFW][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMFW.SYS><Symantec Corporation>
    [SYMIDS / SYMIDS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMIDS.SYS><Symantec Corporation>
    [SYMIDSCO / SYMIDSCO][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070330.003\symidsco.sys><Symantec Corporation>
    [symlcbrd / symlcbrd][Running/Auto Start]
      <\??\C:\WINDOWS\System32\drivers\symlcbrd.sys><Symantec Corporation>
    [SYMNDIS / SYMNDIS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMNDIS.SYS><Symantec Corporation>
    [SYMREDRV / SYMREDRV][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
    [SYMTDI / SYMTDI][Running/System Start]
      <\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
    [Windows Driver Foundation - User-mode Driver Framework Platform Driver / WudfPf][Stopped/Manual Start]
      <system32\DRIVERS\WudfPf.sys><Microsoft Corporation>
    [Windows Driver Foundation - User-mode Driver Framework Reflector / WudfRd][Stopped/Manual Start]
      <system32\DRIVERS\wudfrd.sys><Microsoft Corporation>
    [xmasbus / xmasbus][Running/Boot Start]
      <\SystemRoot\system32\DRIVERS\xmasbus.sys><>
    [xmasscsi / xmasscsi][Running/Boot Start]
      <\SystemRoot\System32\Drivers\xmasscsi.sys><>
    
    ==================================
    Browser Add-ons
    [FGCatchUrl]
      {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [BitComet Helper]
      {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll, BitComet>
    []
      {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [Windows Live Sign-in Helper]
      {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
    [CNavExtBho Class]
      {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [FlashGet GetFlash Class]
      {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, www.flashget.com>
    [Create Mobile Favorite]
      {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} <C:\PROGRA~1\MICROS~4\INetRepl.dll, Microsoft Corporation>
    [Create Mobile Favorite]
      {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} <C:\PROGRA~1\MICROS~4\INetRepl.dll, Microsoft Corporation>
    [FlashGet]
      {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\Program Files\FlashGet\FlashGet.exe, FlashGet.com>
    [Messenger]
      {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
    [Norton AntiVirus]
      {C4069E3A-68F1-403E-B40E-20066696354B} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [PowerList Control]
      {20C2C286-BDE8-441B-B73D-AFA22D914DA5} <C:\WINDOWS\DOWNLO~1\POWERL~1.OCX, PPStream.com>
    [YInstStarter Class]
      {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} <C:\Program Files\Yahoo!\Common\yinsthelper.dll, Yahoo! Inc.>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [Performance Viewer Activex Control]
      {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} <C:\WINDOWS\Downloaded Program Files\RACtrl.dll, >
    [HTML Document]
      {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\System32\mshtml.dll, N/A>
    [FGCatchUrl]
      {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [HtmlDlgSafeHelper Class]
      {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\System32\mshtmled.dll, Microsoft Corporation>
    [BitComet Helper]
      {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll, BitComet>
    []
      {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [Windows Media Player]
      {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [Windows Live Sign-in Helper]
      {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
    [CNavExtBho Class]
      {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [SearchAssistantOC]
      {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
    [RDS.DataSpace]
      {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
    [Norton AntiVirus]
      {C4069E3A-68F1-403E-B40E-20066696354B} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [AUDIO__X_MS_WMA Moniker Class]
      {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [VIDEO__X_MS_ASF Moniker Class]
      {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [MessengerChecker Class]
      {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, Yahoo! Inc.>
    [FlashGet GetFlash Class]
      {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, www.flashget.com>
    [FGCatchUrl]
      {FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [&使用 FlashGet 下載]
      <C:\Program Files\FlashGet\jc_link.htm, N/A>
    [&使用BitComet下載本頁視頻]
      <res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm, N/A>
    [&全部使用 FlashGet 下載]
      <C:\Program Files\FlashGet\jc_all.htm, N/A>
    [NetGet搜索文件]
      <C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html, N/A>
    [使用BitComet下載全部鏈接]
      <res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
    [使用BitComet下載鏈接(&B)]
      <res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
    [匯出至 Microsoft Excel(&X)]
      <res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000, N/A>
    
    ==================================
    Running Processes
    [PID: 516][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 564][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1336][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\WINDOWS\system32\D726C020.DLL]  [Microsoft Corporation, ]
        [C:\WINDOWS\system32\E5C073A0.DLL]  [Microsoft Corporation, ]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCEXT.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCEXT.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
        [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
        [C:\Program Files\Norton AntiVirus\NavShExt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Spybot - Search & Destroy\SDHelper.dll]  [Safer Networking Limited, 1, 4, 0, 0]
    [PID: 1516][C:\Program Files\Common Files\Symantec Shared\ccApp.exe]  [Symantec Corporation, 104.0.8.3]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCTRAY.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCTRAY.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL]  [Symantec Corporation, 104.0.5.3]
        [C:\WINDOWS\system32\ATL71.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\PROGRA~1\NORTON~1\DEFALERT.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\rcEmlPxy.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUICOR.dll]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUICOR.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\HPP32.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Common Files\Symantec Shared\ccProSub.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\WINDOWS\system32\SYMREDIR.DLL]  [Symantec Corporation, 6.0.0.99]
        [C:\Program Files\Common Files\Symantec Shared\Security Console\NSC_Hlpr.dll]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\HPPRES32.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\IWP\IWP.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\NORTON~1\NAVAPW32.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\apwutil.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\ccAVMail.dll]  [Symantec Corporation, 104.0.5.3]
        [C:\PROGRA~1\NORTON~1\navapw32.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVOPTRF.DLL]  [Symantec Corporation, 12.0.0.94]
        [C:\Program Files\Norton AntiVirus\HPPEVT32.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\STATUSHP.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\Navlcom.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\apwutil.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\NAVError.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\naverror.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\apwcmdnt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\apwcmdNT.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCEvt.dll]  [Symantec Corporation, 2.1.0.4]
        [C:\Program Files\Norton AntiVirus\NAVEvent.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Symantec\LiveUpdate\NetDetectController_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\Program Files\Symantec\LiveUpdate\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVPS.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Norton AntiVirus\IWP\SymFWAgt.dll]  [Symantec Corporation, 104.0.1.17]
        [C:\WINDOWS\system32\SymNeti.DLL]  [Symantec Corporation, 6.0.0.99]
        [C:\PROGRA~1\NORTON~1\NAVTasks.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVTasks.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\ccLogin.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Norton AntiVirus\IWP\ccFWSetg.dll]  [Symantec Corporation, 104.0.1.17]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUIBL.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Norton AntiVirus\NAVOpts.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\navopts.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\NAVAPSCR.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Symantec\LiveUpdate\ProductRegCom_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\Program Files\Symantec\LiveUpdate\LuComServerPS_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
    [PID: 1536][C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe]  [BillP Studios, 11, 1, 2007, 0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 1600][C:\Program Files\Skype\Phone\Skype.exe]  [Skype Technologies S.A., 3.0.0.218]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
        [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [PID: 1616][C:\Program Files\Microsoft ActiveSync\Wcescomm.exe]  [Microsoft Corporation, 4.5.5096.0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 1624][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 1672][C:\Program Files\MSN Messenger\msnmsgr.exe]  [Microsoft Corporation, 8.1.0178.00]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [PID: 1716][C:\PROGRA~1\MICROS~4\rapimgr.exe]  [Microsoft Corporation, 4.5.5096.0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 264][C:\Program Files\Skype\Plugin Manager\SkypePM.exe]  [Skype Technologies, 1.0.0.225]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll]  [EasyBits Software Corp., 1.0.0.599]
    [PID: 1364][C:\WINDOWS\system32\D1426130.exe]  [N/A, ]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 1312][C:\WINDOWS\system32\86B9D630.exe]  [N/A, ]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 3816][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    [PID: 236][C:\Documents and Settings\kenny\桌面\Download\sreng\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
    
    ==================================
    File Associations
    .TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .EXE  OK. [ "%1" %*]
    .COM  OK. [ "%1" %*]
    .PIF  OK. [ "%1" %*]
    .REG  OK. [regedit.exe  "%1"]
    .BAT  OK. [ "%1" %*]
    .SCR  OK. [ "%1" /S]
    .CHM  OK. [ "C:\WINDOWS\hh.exe" %1]
    .HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
    .INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS  OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .JS   OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .LNK  OK. [{00021401-0000-0000-C000-000000000046}]
    
    ==================================
    Winsock Provider
    N/A
    
    ==================================
    Autorun.Inf
    N/A
    
    ==================================
    HOSTS File
    N/A
    
    ==================================
    API HOOK
    N/A
    
    ==================================
    Hidden Process
    N/A
    
    ==================================
    
    
    
     
  19. 2007/04/02
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi mate,

    It seems that the infostealer is still there. My Norton keeps popping up windows saying a virus was found in the following files and that they have been deleted, but they keep coming back again and again. Should I delete them with KillBox as well?

    c:/windows/nortonq.exe
    c:/windows/system32/kdjs2.exe
    c:/windows/system32/msccrt.dll
    c:/Docume~1/wow0331[1].exe
    c:/Docume~1/mh0330[1].exe
    c:/Docume~1/wm0328[1].exe
    c:/Docume~1/kenny/Locals~1/temp/upxdnd.dll

    By the way, I found the following startup scripts in my msconfig:

    c:/windows/system32/msccrt.exe
    c:/Docume~1/kenny/Locals~1/temp/upxdnd.exe

    Even if I uncheck them, the next time I reboot a new entry is added again.

    Thank you very much for your effort and time.

    Cheers,
    Kenny
     
  20. 2007/04/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, well, in that last log I noticed two services which ought not to be there, but they are already disabled.

    Click 'Start', select 'Run', type cmd when the dialog box appears, and hit 'Enter'.

    Paste the following into the command prompt:
    sc delete D726C020
    sc delete E5C073A0

    Then download Atribune's ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies <<<--- By deleting your cookies, you will have to re-enter passwords and log-in info for any sites that usually require them.
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the [Empty Selected] button.
    We'll empty the Recycle Bin later, once we know you're all cleaned up and nothing needs to be restored.

    And back to KillBox, same procedure as previous:
    c:/windows/nortonq.exe
    c:/windows/system32/kdjs2.exe
    c:/windows/system32/msccrt.dll
    c:/Docume~1/wow0331[1].exe
    c:/Docume~1/mh0330[1].exe
    c:/Docume~1/wm0328[1].exe
    C:\WINDOWS\system32\86B9D630.exe
    C:\WINDOWS\system32\E5C073A0.EXE
    C:\WINDOWS\system32\D726C020.EXE


    Reboot the system, then post a new HJT log and an SREng log as well, please. Thanks for being patient.
     
  21. 2007/04/03
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

    Here is the fresh HJT log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:12:09, on 4/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\SysWsj7\svchost.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\86B9D630.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\kenny\桌面\Download\hijackthis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [Flashget] "C:\Program Files\FlashGet\FlashGet.exe" /min
    O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Download this page's video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &Download all with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: NetGet search files - C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html
    O8 - Extra context menu item: Download all links with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link with BitComet(&B) - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Export to Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.48.77 205.252.144.126
    O17 - HKLM\System\CS1\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.48.77 205.252.144.126
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: E5C073A0 - Unknown owner - C:\WINDOWS\system32\E5C073A0.EXE (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
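Editor's note, added to this thread and not part of any post in it: the tells TeMerc worked from by hand (svchost.exe running from C:\SysWsj7 instead of System32, 8-hex-digit file names such as 86B9D630.exe, a service whose binary is already gone, a second program chained onto UserInit, autostarts launched from C:\WINDOWS itself or a Temp folder, and NameServer values that need double-checking) can be turned into a small triage script so the next log does not have to be read by eye. The Python below applies those checks to a constructed excerpt of the HJT log above. It is example code, not HijackThis or Symantec code; the rule names, the assumed default C:\WINDOWS system root and the sample log text are the editor's own.

```python
"""Heuristic triage of a HijackThis 1.99 log for the persistence patterns seen in
this thread. Added example, not HijackThis or Symantec code: the rules are the
editor's own assumptions, and the embedded log is a constructed excerpt."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

WINDIR = r"c:\windows"                      # assumes a default XP %SystemRoot%
SYSTEM32 = WINDIR + r"\system32"
# Core XP binaries and the only directory each should ever run from.
SYSTEM_BINARIES = {n: SYSTEM32 for n in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe")}
SYSTEM_BINARIES["explorer.exe"] = WINDIR

HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
# First drive-letter path ending in an executable extension; arguments dropped.
EXE_PATH = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|com|scr|pif|bat)\b", re.I)
SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
NAMESERVER = re.compile(r"^O17 - .*NameServer = (.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def _split(path):
    """Lower-cased (directory, file name) of a Windows path, on any host OS."""
    return ntpath.dirname(path).lower(), ntpath.basename(path).lower()


def check_binary(path, line):
    """Rules applied wherever an executable path appears in the log."""
    directory, name = _split(path)
    expected = SYSTEM_BINARIES.get(name)
    if expected and directory != expected:
        yield Finding("system-binary-outside-expected-dir",
                      f"{name} from {directory}, expected {expected}", line)
    if HEX_NAME.match(name):
        yield Finding("random-hex-filename", name, line)


def check_autostart(path, line):
    """Startup items launched from %WINDIR% itself or a Temp folder, both seen
    in this thread, deserve a look: legitimate ones rarely live there."""
    if _split(path)[0] == WINDIR or TEMP_DIR.search(path):
        yield Finding("autostart-from-windir-or-temp", path, line)


def triage(log_text):
    findings, in_processes = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            in_processes = bool(line)           # the section ends at a blank line
            findings.extend(check_binary(line, line) if line else [])
        elif line.startswith("F2 - ") and "UserInit=" in line:
            # Winlogon launches every comma-separated entry; only userinit.exe belongs.
            entries = line.split("UserInit=", 1)[1].split(",")
            for entry in filter(None, map(str.strip, entries)):
                m = EXE_PATH.search(entry)
                if _split(m.group(0) if m else entry) != (SYSTEM32, "userinit.exe"):
                    findings.append(Finding("userinit-chained-program", entry, line))
        elif line.startswith("O4 - ") and (m := EXE_PATH.search(line)):
            findings.extend(check_binary(m.group(0), line))
            findings.extend(check_autostart(m.group(0), line))
        elif m := SERVICE.match(line):
            name, owner, target = m.groups()
            if owner == "Unknown owner" or target.endswith("(file missing)"):
                findings.append(Finding("orphan-or-unattributed-service",
                                        f"{name}: {owner}; {target}", line))
            if pm := EXE_PATH.search(target):
                findings.extend(check_binary(pm.group(0), line))
        elif m := NAMESERVER.match(line):
            # Cannot be judged offline: the owner must confirm these are the ISP's resolvers.
            findings.append(Finding("dns-servers-to-verify", m.group(1), line))
    return findings


def summary(findings):
    """Rule name -> number of hits."""
    return dict(Counter(f.rule for f in findings))


# Constructed excerpt modelled on the log posted above (Desktop folder anglicised).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\SysWsj7\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\86B9D630.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\Desktop\Download\wmp\NetGet.exe a,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D8CE68-6A9B-40E9-B316-4D71CE712114}: NameServer = 218.102.48.77 205.252.144.126
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: E5C073A0 - Unknown owner - C:\WINDOWS\system32\E5C073A0.EXE (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Every hit is a lead for the kind of review done by hand in this thread, not a verdict: the Cyberlink RichVideo service in the same log is also listed as "Unknown owner" and is legitimate, and the two DNS servers can only be judged against what the ISP actually hands out.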
     
