Solved help with Bloodhound.Packed.Jmp and Infostealer.Gampass viruses

[Resolved] help with Bloodhound.Packed.Jmp and Infostealer.Gampass viruses

Hi first time poster, my sister plugged her external hdd into my pc now norton is telling me i have been infected with both Bloodhound.Packed.Jmp and Infostealer.Gampass viruses, it seemed to have quarantined them but can't seem to be able to remove them...i am not experienced with dealing with viruses any step by step help in removing the virus would be much appreciated

thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:51 PM, on 1/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\MSN Messenger\usnsvc.exe
E:\Valve\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program

Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program

Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef

/Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-

Fi\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module

Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module

Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module

Loader\Audio Emulator\AudDrvEm.dll "
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume

Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe"

1
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-

PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program

Files\CyberLink\PowerDVD\Language\Language.exe "
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region

Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05

\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0

\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32

\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK

SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default

user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program

Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy

-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2

\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} -

C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}:

NameServer = 203.12.160.35,203.12.160.36
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1

\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering -

C:\Program Files\nHancer\nHancerService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec

Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner -

C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity

Solution\ServiceLayer.exe

--
End of file - 8016 bytes

 

Welcome to WindowsBBS basketballfreak

We need to use another tool to get a better look at things. Download Deckard's System Scanner (dss.exe) and save it to your desktop.

• Close all applications and windows.
• Double click on dss.exe to run it and follow the prompts.
• When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post the contents of main.txt only for now.

 

hi noah, thanks for replying, here is the contents of main.txt as requested

Deckard's System Scanner v20071014.68
Run by Tony Liu on 2008-04-03 16:22:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-03 06:22:41 UTC - RP1 - 系統檢查點


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.7 GiB (less than 15%) free.


-- HijackThis (run as Tony Liu.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:23 PM, on 3/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Documents and Settings\Tony Liu\桌面\dss.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tony Liu.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8687 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 RegKill - c:\windows\system32\drivers\regkill.sys <Not Verified; Elaborate Bytes; DVD Region Killer>

S3 catchme - c:\docume~1\tonyli~1\locals~1\temp\catchme.sys (file missing)
S3 cpuz128 - c:\docume~1\tonyli~1\locals~1\temp\cpuz_x32.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 RivaTuner32 - c:\program files\rivatuner v2.06\rivatuner32.sys
S3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 nHancer (nHancer Support) - "c:\program files\nhancer\nhancerservice.exe" <Not Verified; KSE - Korndorfer Software Engineering; nHancer>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
Device ID: USB\VID_0BDA&PID_8187\0015AF03BA5C
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter
PNP Device ID: USB\VID_0BDA&PID_8187\0015AF03BA5C
Service: RTLWUSB

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6500c
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6500c
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-03-27 13:51:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-03 and 2008-04-03 -----------------------------

2008-04-02 21:02:29 0 -----n--- C:\WINDOWS\system32\tavo1.dll
2008-04-02 21:02:21 117715 -r-hs---- C:\rjiybg.exe
2008-04-02 21:01:55 117715 -r-hs---- C:\WINDOWS\system32\kavo.exe
2008-04-02 20:55:47 0 d-------- C:\Program Files\Alwil Software
2008-04-01 22:56:57 0 d-------- C:\WINDOWS\ERUNT
2008-04-01 22:22:59 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
2008-04-01 22:22:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 22:22:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 21:57:23 0 d-------- C:\Documents and Settings\Tony Liu\.housecall6.6
2008-04-01 21:33:00 0 d-------- C:\Documents and Settings\Test Account\Application Data\Mozilla
2008-04-01 21:32:17 0 d-------- C:\Documents and Settings\Test Account\Application Data\Real
2008-04-01 21:32:07 0 d-------- C:\Documents and Settings\Test Account\Application Data\Identities
2008-04-01 21:32:00 0 d-------- C:\Documents and Settings\Test Account\桌面
2008-04-01 21:32:00 0 d--h----- C:\Documents and Settings\Test Account\Templates
2008-04-01 21:32:00 0 dr-h----- C:\Documents and Settings\Test Account\SendTo
2008-04-01 21:32:00 0 dr-h----- C:\Documents and Settings\Test Account\Recent
2008-04-01 21:32:00 0 d--h----- C:\Documents and Settings\Test Account\PrintHood
2008-04-01 21:32:00 0 d--h----- C:\Documents and Settings\Test Account\NetHood
2008-04-01 21:32:00 0 dr------- C:\Documents and Settings\Test Account\My Documents
2008-04-01 21:32:00 0 d--h----- C:\Documents and Settings\Test Account\Local Settings
2008-04-01 21:32:00 0 dr------- C:\Documents and Settings\Test Account\Favorites
2008-04-01 21:32:00 0 d--hs---- C:\Documents and Settings\Test Account\Cookies
2008-04-01 21:32:00 0 dr-h----- C:\Documents and Settings\Test Account\Application Data
2008-04-01 21:32:00 0 d---s---- C:\Documents and Settings\Test Account\Application Data\Microsoft
2008-04-01 21:32:00 0 dr------- C:\Documents and Settings\Test Account\「開始」功能表
2008-04-01 21:31:59 1048576 --ah----- C:\Documents and Settings\Test Account\NTUSER.DAT
2008-04-01 20:54:36 0 d-------- C:\Program Files\Trend Micro
2008-04-01 20:23:34 0 d-------- C:\!KillBox
2008-04-01 20:02:22 108253 -r-hs---- C:\WINDOWS\system32\tavo.exe
2008-04-01 20:01:45 125952 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2008-03-30 20:40:06 0 d-------- C:\WINDOWS\nview
2008-03-30 20:39:35 0 d-------- C:\NVIDIA
2008-03-24 19:52:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2008-03-24 19:52:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-03-24 19:52:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-03-24 19:52:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-03-24 19:52:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2008-03-24 19:52:00 1482752 --a------ C:\WINDOWS\system32\nview.dll
2008-03-24 19:52:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-03-24 19:52:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-03-24 19:52:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-03-23 15:21:47 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
2008-03-18 18:41:09 0 d-------- C:\Program Files\VideoLAN
2008-03-18 18:30:50 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
2008-03-13 22:44:15 0 d-------- C:\Documents and Settings\Tony Liu\Phone Browser
2008-03-13 22:43:25 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-13 22:43:13 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-13 22:42:47 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
2008-03-13 22:42:42 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-13 22:42:32 0 d-------- C:\Program Files\Nokia
2008-03-13 22:41:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-11 20:27:57 24888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 18:21:12 0 d-------- C:\WINDOWS\nvidia icons


-- Find3M Report ---------------------------------------------------------------

2008-04-03 15:19:40 0 d-------- C:\Program Files\eMule
2008-03-30 20:57:33 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Bioshock
2008-03-22 23:05:27 23 --a------ C:\WINDOWS\popcinfot.dat
2008-03-13 22:43:12 0 d-------- C:\Program Files\DIFX
2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files
2008-03-09 09:00:36 0 d-------- C:\Program Files\Java
2008-03-02 22:44:11 0 d-------- C:\Program Files\VirtualDub
2008-03-02 22:44:01 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-02-25 17:55:22 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-25 04:11:31 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Adobe
2008-02-21 23:05:18 0 d-------- C:\Program Files\ffdshow
2008-02-15 16:18:34 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-14 22:54:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-13 21:59:36 0 d-------- C:\Program Files\GetRight
2008-02-13 21:59:35 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [02/03/2006 10:00 PM]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/03/2006 10:00 PM]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/03/2006 10:00 PM]
"amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [17/11/2006 04:49 PM]
"CTHelper "= "CTHELPER.EXE" [17/08/2006 11:32 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp "= "CTXFIHLP.EXE" [17/08/2006 11:32 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00 AM]
"RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []
"AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []
"VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [14/10/2005 11:01 AM]
"UpdReg "= "C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00 AM]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [21/05/2003 01:21 AM]
"Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [09/05/2007 10:38 AM]
"Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14/01/2004 11:10 AM]
"TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/10/2007 12:48 AM]
"QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24 AM]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 10:57 PM]
"LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [29/09/2006 09:58 PM]
"RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [02/11/2002 04:33 PM]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [24/03/2008 07:52 PM]
"nwiz "= "nwiz.exe" [24/03/2008 07:52 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [24/03/2008 07:52 PM]
"avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [30/03/2008 04:37 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [02/03/2006 10:00 PM]
"MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"Steam "= "E:\Valve\Steam\Steam.exe" [01/04/2008 08:05 PM]
"tava "= "C:\WINDOWS\system32\tavo.exe" [03/04/2008 03:07 PM]
"kava "= "C:\WINDOWS\system32\kavo.exe" [02/04/2008 09:01 PM]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [26/08/2007 4:42:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\rjiybg.exe
explore\Command- C:\rjiybg.exe
open\Command- C:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\rjiybg.exe
explore\Command- D:\rjiybg.exe
open\Command- D:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\rjiybg.exe
explore\Command- E:\rjiybg.exe
open\Command- E:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\rjiybg.exe
explore\Command- F:\rjiybg.exe
open\Command- F:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\rjiybg.exe
explore\Command- G:\rjiybg.exe
open\Command- G:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\rjiybg.exe
explore\Command- H:\rjiybg.exe
open\Command- H:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\setup\rsrc\Autorun.exe
dinstall\command- J:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d351-53e5-11dc-b813-806d6172696f}]
AutoRun\command- I:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d352-53e5-11dc-b813-806d6172696f}]
AutoRun\command- J:\setup\rsrc\Autorun.exe
dinstall\command- J:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d354-53e5-11dc-b813-806d6172696f}]
AutoRun\command- E:\rjiybg.exe
explore\Command- E:\rjiybg.exe
open\Command- E:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d355-53e5-11dc-b813-806d6172696f}]
AutoRun\command- F:\rjiybg.exe
explore\Command- F:\rjiybg.exe
open\Command- F:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d356-53e5-11dc-b813-806d6172696f}]
AutoRun\command- D:\rjiybg.exe
explore\Command- D:\rjiybg.exe
open\Command- D:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d357-53e5-11dc-b813-806d6172696f}]
AutoRun\command- G:\rjiybg.exe
explore\Command- G:\rjiybg.exe
open\Command- G:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d358-53e5-11dc-b813-806d6172696f}]
AutoRun\command- H:\rjiybg.exe
explore\Command- H:\rjiybg.exe
open\Command- H:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2405d35a-53e5-11dc-b813-806d6172696f}]
AutoRun\command- C:\rjiybg.exe
explore\Command- C:\rjiybg.exe
open\Command- C:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{372455fc-6767-11dc-a085-001731e1e14f}]
AutoRun\command- K:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
AutoRun\command- L:\l9dwu8.bat
explore\Command- L:\l9dwu8.bat
open\Command- L:\l9dwu8.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
AutoRun\command- L:\1wod1.com
explore\Command- L:\1wod1.com
open\Command- L:\1wod1.com




-- End of Deckard's System Scanner: finished at 2008-04-03 16:23:48 ------------

 

no worries chris

sorry about that ^_^ "

 

You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

• Plug in your USB flash drive.
• Double-click Flash_Disinfector.exe to run it.
• Follow any prompts that may appear.
• Your desktop will vanish for a while, and then reappear. This is normal.
• Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

Then, download ComboFix by sUBs from here, saving the file to your desktop.

Please disable realtime protection applications as they sometime interfere with the tool. Check this link for your applicable programs.

• Close all open programs and windows
• Double click combofix.exe and follow the prompts.
• It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

hi noah

here is the log from combofix:

ComboFix 08-04-03.5 - Tony Liu 2008-04-04 21:50:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1472 [GMT 10:00]
執行位置?: C:\Documents and Settings\Tony Liu\桌面\ComboFix.exe
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf

.
(((((((((((((((((((((((((((( 2008-03-04 - 2008-04-04 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-04-04 21:48 . 2008-04-04 21:48 115,957 -r-hs---- C:\nl.com
2008-04-04 21:45 . 2008-04-04 21:48 81,408 -r-hs---- C:\WINDOWS\system32\tavo0.dll
2008-04-03 21:17 . 2008-04-03 21:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 21:17 . 2008-04-03 21:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 16:22 . 2008-04-03 16:22 <DIR> d-------- C:\Deckard
2008-04-02 21:02 . 2008-04-02 21:01 117,715 -r-hs---- C:\rjiybg.exe
2008-04-02 20:56 . 2008-03-30 04:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-02 20:56 . 2008-03-30 04:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-02 20:56 . 2008-01-18 02:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-02 20:56 . 2008-03-30 04:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-02 20:56 . 2008-03-30 04:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-02 20:56 . 2008-03-30 04:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-02 20:56 . 2008-03-30 04:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-02 20:56 . 2008-03-30 04:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-02 20:55 . 2008-04-02 20:55 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-02 20:55 . 2008-03-30 04:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-02 20:55 . 2004-01-09 19:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-01 22:56 . 2008-04-01 22:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 22:50 . 2008-04-01 23:03 <DIR> d-------- C:\SDFix
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 21:58 . 2008-04-01 21:57 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-01 21:57 . 2008-04-01 22:32 <DIR> d-------- C:\Documents and Settings\Tony Liu\.housecall6.6
2008-04-01 21:32 . 2007-10-13 20:26 <DIR> d-------- C:\Documents and Settings\Test Account\桌面
2008-04-01 21:32 . 2007-08-26 17:20 <DIR> dr------- C:\Documents and Settings\Test Account\「開始」功能表
2008-04-01 20:54 . 2008-04-01 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 20:40 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nview
2008-03-30 20:40 . 2008-03-24 19:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-30 20:40 . 2008-04-04 21:46 176,582 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-30 20:40 . 2008-03-24 19:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-30 20:39 . 2008-03-30 20:39 <DIR> d-------- C:\NVIDIA
2008-03-30 20:39 . 2008-03-24 11:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-23 15:21 . 2008-03-23 15:21 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
2008-03-18 18:41 . 2008-03-22 22:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-18 18:30 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\Tony Liu\Phone Browser
2008-03-13 22:43 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
2008-03-13 22:43 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
2008-03-13 22:42 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-13 22:42 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-03-13 22:42 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-13 22:42 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-13 22:41 . 2008-03-13 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-11 20:27 . 2008-03-11 20:27 24,888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 18:21 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nvidia icons

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 09:50 --------- d-----w C:\Program Files\eMule
2008-03-31 12:06 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-30 10:57 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Bioshock
2008-03-13 12:43 --------- d-----w C:\Program Files\DIFX
2008-03-08 23:00 --------- d-----w C:\Program Files\Java
2008-03-02 12:44 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-03-02 12:44 --------- d-----w C:\Program Files\VirtualDub
2008-02-25 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
2008-02-25 07:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-25 06:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2008-02-21 13:05 --------- d-----w C:\Program Files\ffdshow
2008-02-18 10:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-18 10:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-15 06:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 12:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 11:59 --------- d-----w C:\Program Files\GetRight
2007-12-27 12:22 22,328 ----a-w C:\Documents and Settings\Tony Liu\Application Data\PnkBstrK.sys
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 22:00 15360]
"MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Steam "= "E:\Valve\Steam\Steam.exe" [2008-04-01 20:05 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 22:00 208952]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"CTHelper "= "CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 10:38 2130432]
"Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 00:48 185896]
"QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 21:58 49152]
"RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 16:33 45056]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
"nwiz "= "nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52 86016]
"avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 04:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 22:00 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-08-26 16:42:26 995328]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FPS1 "= frapsvid.dll
"msacm.ac3filter "= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"E:\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
"E:\\Valve\\Steam\\SteamApps\\basketballfreak6\\counter-strike source\\hl2.exe "=
"C:\\Program Files\\eMule\\emule.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe "=
"E:\\Sierra\\FEAR\\FEAR.exe "=
"E:\\Sierra\\FEAR\\FEARMP.exe "=
"E:\\Valve\\Steam\\Steam.exe "=
"C:\\Program Files\\BitComet\\BitComet.exe "=
"E:\\Unreal Tournament 3 Demo\\Binaries\\Bioshock.exe "=
"E:\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27166:TCP "= 27166:TCP:BitComet 27166 TCP
"27166:UDP "= 27166:UDP:BitComet 27166 UDP
"49152:TCP "= 49152:TCP:BitComet 49152 TCP
"49152:UDP "= 49152:UDP:BitComet 49152 UDP
"65534:TCP "= 65534:TCP:BitComet 65534 TCP
"65534:UDP "= 65534:UDP:BitComet 65534 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 04:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 04:35]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-28 07:46]
S3 cpuz128;cpuz128;C:\DOCUME~1\TONYLI~1\LOCALS~1\Temp\cpuz_x32.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-09-05 19:27]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-06-23 10:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\rjiybg.exe
\Shell\explore\Command - C:\rjiybg.exe
\Shell\open\Command - C:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\rjiybg.exe
\Shell\explore\Command - D:\rjiybg.exe
\Shell\open\Command - D:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\rjiybg.exe
\Shell\explore\Command - E:\rjiybg.exe
\Shell\open\Command - E:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\rjiybg.exe
\Shell\explore\Command - F:\rjiybg.exe
\Shell\open\Command - F:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\rjiybg.exe
\Shell\explore\Command - G:\rjiybg.exe
\Shell\open\Command - G:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\rjiybg.exe
\Shell\explore\Command - H:\rjiybg.exe
\Shell\open\Command - H:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - J:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
\Shell\AutoRun\command - L:\l9dwu8.bat
\Shell\explore\Command - L:\l9dwu8.bat
\Shell\open\Command - L:\l9dwu8.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
\Shell\AutoRun\command - L:\1wod1.com
\Shell\explore\Command - L:\1wod1.com
\Shell\open\Command - L:\1wod1.com

.
排程工作資料夾的內容
"2008-03-27 03:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 21:51:17
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
完成時間?: 2008-04-04 21:51:37
ComboFix-quarantined-files.txt 2008-04-04 11:51:29
16 個目錄 3,772,956,672 位元組可用
18 個目錄 3,760,132,096 位元組可用
.
2008-03-12 21:13:34 --- E O F ---

and here is log from hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:50 PM, on 4/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8526 bytes

once again thanks for your help!

EDIT:

just wanted to add to this post after i ran combofix i resetted the pc and norton did not show any virus anymore and i thought great they must be gone left pc on and went to bed (it was at least a couple of hours before i went to bed) and woke up this morning and for some reason virus quarantined message popped up again but this time the 2 files quarantined were A0001072.dll (Infostealer.Gampass) and A0001089.exe (W32.Gammima) which are different ones to the files that i usually see prior to running the combofix, (hope that made sense ^^ ") also should i run combofix etc in safe mode or it doesn't really matter thanks!

 

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

File::
C:\nl.com
C:\WINDOWS\system32\tavo0.dll
Driver::
cpuz128
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\I]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\J]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\K]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{58010984-5c65-11dc-a06f-001731e1e14f}]

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

hi noah

combofix:

ComboFix 08-04-03.5 - Tony Liu 2008-04-05 17:43:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1508 [GMT 10:00]
執行位置?: C:\Documents and Settings\Tony Liu\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tony Liu\桌面\CFScript.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\nl.com
C:\WINDOWS\system32\tavo0.dll
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\nl.com
C:\WINDOWS\system32\tavo0.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cpuz128


(((((((((((((((((((((((((((( 2008-03-05 - 2008-04-05 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-04-03 21:17 . 2008-04-03 21:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 21:17 . 2008-04-03 21:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 16:22 . 2008-04-03 16:22 <DIR> d-------- C:\Deckard
2008-04-02 21:02 . 2008-04-02 21:01 117,715 -r-hs---- C:\rjiybg.exe
2008-04-02 20:56 . 2008-03-30 04:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-02 20:56 . 2008-03-30 04:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-02 20:56 . 2008-01-18 02:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-02 20:56 . 2008-03-30 04:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-02 20:56 . 2008-03-30 04:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-02 20:56 . 2008-03-30 04:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-02 20:56 . 2008-03-30 04:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-02 20:56 . 2008-03-30 04:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-02 20:55 . 2008-04-02 20:55 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-02 20:55 . 2008-03-30 04:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-02 20:55 . 2004-01-09 19:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-01 22:56 . 2008-04-01 22:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 22:50 . 2008-04-01 23:03 <DIR> d-------- C:\SDFix
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 21:58 . 2008-04-01 21:57 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-01 21:57 . 2008-04-01 22:32 <DIR> d-------- C:\Documents and Settings\Tony Liu\.housecall6.6
2008-04-01 21:32 . 2007-10-13 20:26 <DIR> d-------- C:\Documents and Settings\Test Account\桌面
2008-04-01 21:32 . 2007-08-26 17:20 <DIR> dr------- C:\Documents and Settings\Test Account\「開始」功能表
2008-04-01 20:54 . 2008-04-01 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 20:40 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nview
2008-03-30 20:40 . 2008-03-24 19:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-30 20:40 . 2008-04-05 17:48 176,582 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-30 20:40 . 2008-03-24 19:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-30 20:39 . 2008-03-30 20:39 <DIR> d-------- C:\NVIDIA
2008-03-30 20:39 . 2008-03-24 11:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-23 15:21 . 2008-03-23 15:21 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
2008-03-18 18:41 . 2008-03-22 22:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-18 18:30 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\Tony Liu\Phone Browser
2008-03-13 22:43 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
2008-03-13 22:43 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
2008-03-13 22:42 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-13 22:42 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-03-13 22:42 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-13 22:42 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-13 22:41 . 2008-03-13 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-11 20:27 . 2008-03-11 20:27 24,888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 18:21 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nvidia icons

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 09:50 --------- d-----w C:\Program Files\eMule
2008-03-30 10:57 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Bioshock
2008-03-24 09:52 6,547,872 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-13 12:43 --------- d-----w C:\Program Files\DIFX
2008-03-08 23:00 --------- d-----w C:\Program Files\Java
2008-03-02 12:44 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-03-02 12:44 --------- d-----w C:\Program Files\VirtualDub
2008-02-25 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
2008-02-25 07:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-25 06:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2008-02-21 13:05 --------- d-----w C:\Program Files\ffdshow
2008-02-18 10:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-15 06:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 12:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 11:59 --------- d-----w C:\Program Files\GetRight
2007-12-27 12:22 22,328 ----a-w C:\Documents and Settings\Tony Liu\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-04_21.51.24.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-04-05 07:48:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_47c.dat
+ 2008-04-05 07:47:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 22:00 15360]
"MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Steam "= "E:\Valve\Steam\Steam.exe" [2008-04-01 20:05 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 22:00 208952]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"CTHelper "= "CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 10:38 2130432]
"Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 00:48 185896]
"QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 21:58 49152]
"RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 16:33 45056]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
"nwiz "= "nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 22:00 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-08-26 16:42:26 995328]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FPS1 "= frapsvid.dll
"msacm.ac3filter "= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"E:\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
"E:\\Valve\\Steam\\SteamApps\\basketballfreak6\\counter-strike source\\hl2.exe "=
"C:\\Program Files\\eMule\\emule.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe "=
"E:\\Sierra\\FEAR\\FEAR.exe "=
"E:\\Sierra\\FEAR\\FEARMP.exe "=
"E:\\Valve\\Steam\\Steam.exe "=
"C:\\Program Files\\BitComet\\BitComet.exe "=
"E:\\Unreal Tournament 3 Demo\\Binaries\\Bioshock.exe "=
"E:\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27166:TCP "= 27166:TCP:BitComet 27166 TCP
"27166:UDP "= 27166:UDP:BitComet 27166 UDP
"49152:TCP "= 49152:TCP:BitComet 49152 TCP
"49152:UDP "= 49152:UDP:BitComet 49152 UDP
"65534:TCP "= 65534:TCP:BitComet 65534 TCP
"65534:UDP "= 65534:UDP:BitComet 65534 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 04:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 04:35]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-28 07:46]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-09-05 19:27]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-06-23 10:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\rjiybg.exe
\Shell\explore\Command - C:\rjiybg.exe
\Shell\open\Command - C:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\rjiybg.exe
\Shell\explore\Command - D:\rjiybg.exe
\Shell\open\Command - D:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\rjiybg.exe
\Shell\explore\Command - E:\rjiybg.exe
\Shell\open\Command - E:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\rjiybg.exe
\Shell\explore\Command - F:\rjiybg.exe
\Shell\open\Command - F:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\rjiybg.exe
\Shell\explore\Command - G:\rjiybg.exe
\Shell\open\Command - G:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\rjiybg.exe
\Shell\explore\Command - H:\rjiybg.exe
\Shell\open\Command - H:\rjiybg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - J:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
\Shell\AutoRun\command - L:\l9dwu8.bat
\Shell\explore\Command - L:\l9dwu8.bat
\Shell\open\Command - L:\l9dwu8.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
\Shell\AutoRun\command - L:\1wod1.com
\Shell\explore\Command - L:\1wod1.com
\Shell\open\Command - L:\1wod1.com

.
排程工作資料夾的內容
"2008-03-27 03:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 17:48:00
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
完成時間?: 2008-04-05 17:50:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 07:50:07
ComboFix2.txt 2008-04-04 11:51:37
16 個目錄 4,104,433,664 位元組可用
18 個目錄 4,032,659,456 位元組可用
.
2008-03-12 21:13:34 --- E O F ---

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:40 PM, on 5/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Valve\Steam\Steam.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8639 bytes

many thanks!

 

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

File::
C:\rjiybg.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

Hi Noah,

I have symantec antivirus software on my machine. It detected the same bloodhound.packed.jmp on my machine. However now, whenever the virus scan runs, the scan window goes in a not responding state and stays that way. I don't know if the virus scan was completed or not. When i try to close the window, it stops the scan engine and I can no longer run any scans.

Any help will be useful.

Thanks,

 

Hi ndharod

Please read this topic, install the latest version of Hijackthis, run a scan and save the log (you can close it for now). Then, download and run Deckard's System Scanner and post the main.txt in a new topic of your own. Please take note that your topic/post will not be visible until approved by a moderator.

 

hi noah, once again

combofix:

ComboFix 08-04-03.5 - Tony Liu 2008-04-06 16:47:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1451 [GMT 10:00]
執行位置?: C:\Documents and Settings\Tony Liu\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tony Liu\桌面\CFScript.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\rjiybg.exe
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\rjiybg.exe

.
(((((((((((((((((((((((((((( 2008-03-06 - 2008-04-06 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-04-03 21:17 . 2008-04-03 21:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 21:17 . 2008-04-03 21:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 16:22 . 2008-04-03 16:22 <DIR> d-------- C:\Deckard
2008-04-02 20:56 . 2008-03-30 04:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-02 20:56 . 2008-03-30 04:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-02 20:56 . 2008-01-18 02:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-02 20:56 . 2008-03-30 04:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-02 20:56 . 2008-03-30 04:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-02 20:56 . 2008-03-30 04:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-02 20:56 . 2008-03-30 04:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-02 20:56 . 2008-03-30 04:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-02 20:55 . 2008-04-02 20:55 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-02 20:55 . 2008-03-30 04:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-02 20:55 . 2004-01-09 19:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-01 22:56 . 2008-04-01 22:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 22:50 . 2008-04-01 23:03 <DIR> d-------- C:\SDFix
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 21:58 . 2008-04-01 21:57 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-01 21:57 . 2008-04-01 22:32 <DIR> d-------- C:\Documents and Settings\Tony Liu\.housecall6.6
2008-04-01 21:32 . 2007-10-13 20:26 <DIR> d-------- C:\Documents and Settings\Test Account\桌面
2008-04-01 21:32 . 2007-08-26 17:20 <DIR> dr------- C:\Documents and Settings\Test Account\「開始」功能表
2008-04-01 20:54 . 2008-04-01 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 20:40 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nview
2008-03-30 20:40 . 2008-03-24 19:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-30 20:40 . 2008-04-06 08:34 176,582 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-30 20:40 . 2008-03-24 19:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-30 20:39 . 2008-03-30 20:39 <DIR> d-------- C:\NVIDIA
2008-03-30 20:39 . 2008-03-24 11:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-23 15:21 . 2008-03-23 15:21 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
2008-03-18 18:41 . 2008-03-22 22:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-18 18:30 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\Tony Liu\Phone Browser
2008-03-13 22:43 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
2008-03-13 22:43 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
2008-03-13 22:42 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-13 22:42 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-03-13 22:42 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-13 22:42 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-13 22:41 . 2008-03-13 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-11 20:27 . 2008-03-11 20:27 24,888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 18:21 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nvidia icons

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 09:50 --------- d-----w C:\Program Files\eMule
2008-03-31 12:06 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-30 10:57 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Bioshock
2008-03-13 12:43 --------- d-----w C:\Program Files\DIFX
2008-03-08 23:00 --------- d-----w C:\Program Files\Java
2008-03-02 12:44 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-03-02 12:44 --------- d-----w C:\Program Files\VirtualDub
2008-02-25 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
2008-02-25 07:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-25 06:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2008-02-21 13:05 --------- d-----w C:\Program Files\ffdshow
2008-02-18 10:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-18 10:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-15 06:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 12:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 11:59 --------- d-----w C:\Program Files\GetRight
2007-12-27 12:22 22,328 ----a-w C:\Documents and Settings\Tony Liu\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-04_21.51.24.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-04-05 22:34:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 22:00 15360]
"MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Steam "= "E:\Valve\Steam\Steam.exe" [2008-04-01 20:05 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 22:00 208952]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"CTHelper "= "CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 10:38 2130432]
"Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 00:48 185896]
"QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 21:58 49152]
"RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 16:33 45056]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
"nwiz "= "nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 22:00 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-08-26 16:42:26 995328]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FPS1 "= frapsvid.dll
"msacm.ac3filter "= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"E:\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
"E:\\Valve\\Steam\\SteamApps\\basketballfreak6\\counter-strike source\\hl2.exe "=
"C:\\Program Files\\eMule\\emule.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe "=
"E:\\Sierra\\FEAR\\FEAR.exe "=
"E:\\Sierra\\FEAR\\FEARMP.exe "=
"E:\\Valve\\Steam\\Steam.exe "=
"C:\\Program Files\\BitComet\\BitComet.exe "=
"E:\\Unreal Tournament 3 Demo\\Binaries\\Bioshock.exe "=
"E:\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27166:TCP "= 27166:TCP:BitComet 27166 TCP
"27166:UDP "= 27166:UDP:BitComet 27166 UDP
"49152:TCP "= 49152:TCP:BitComet 49152 TCP
"49152:UDP "= 49152:UDP:BitComet 49152 UDP
"65534:TCP "= 65534:TCP:BitComet 65534 TCP
"65534:UDP "= 65534:UDP:BitComet 65534 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 04:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 04:35]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-28 07:46]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-09-05 19:27]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-06-23 10:35]

.
排程工作資料夾的內容
"2008-03-27 03:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 16:48:46
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
完成時間?: 2008-04-06 16:49:03
ComboFix-quarantined-files.txt 2008-04-06 06:49:01
ComboFix2.txt 2008-04-05 07:50:11
ComboFix3.txt 2008-04-04 11:51:37
16 個目錄 4,023,181,312 位元組可用
18 個目錄 4,010,467,328 位元組可用
.
2008-03-12 21:13:34 --- E O F ---

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:44 PM, on 6/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8401 bytes

thanks!

 

Looks good. Lets see if we've missed anything. Please do an online scan with Kaspersky WebScanner

Click Scan Now and accept the agreement. You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.

Post the Kaspersky log here.

 

hey noah here is the log of the kaspersky online scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 06, 2008 11:14:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/04/2008
Kaspersky Anti-Virus database records: 686307
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\
N:\

Scan Statistics:
Total number of scanned objects: 120437
Number of viruses found: 10
Number of infected objects: 90
Number of suspicious objects: 0
Duration of the scan process: 02:09:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP11.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP13.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP14.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP17.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP18.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP19.dll Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP2.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP21.dll Infected: Trojan-PSW.Win32.OnLineGames.yxg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP22.dll Infected: Worm.Win32.AutoRun.dfg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP25.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP26.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP27.dll Infected: Worm.Win32.AutoRun.dfg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP28.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP29.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP3.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP30.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP31.dll Infected: Worm.Win32.AutoRun.dfg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP4.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP5.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP6.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP7.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP8.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP9.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00000.VBN Infected: Trojan.Win32.Vaklik.yp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0000.VBN Infected: Trojan.Win32.Vaklik.yp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40002.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\history.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\key3.db Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tony Liu\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_a84.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_c0c.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_d4c.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony Liu\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tony Liu\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\ASUS\PC Probe II\Pci.tab Object is locked skipped
C:\QooBox\Quarantine\C\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
C:\QooBox\Quarantine\C\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan.Win32.Vaklik.yt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tavo.exe.vir Infected: Trojan.Win32.Vaklik.yu skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000001.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000002.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000044.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000045.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001075.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001076.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001088.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001109.com Infected: Trojan.Win32.Vaklik.yt skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001122.exe Infected: Trojan.Win32.Vaklik.yt skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001125.exe Infected: Trojan.Win32.Vaklik.yu skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP4\A0001193.com Infected: Trojan.Win32.Vaklik.yt skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\A0001276.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\nl.com Infected: Trojan.Win32.Vaklik.yt skipped
D:\rjiybg.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000003.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000004.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000046.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000047.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001077.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001078.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001111.com Infected: Trojan.Win32.Vaklik.yt skipped
D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\change.log Object is locked skipped
E:\nl.com Infected: Trojan.Win32.Vaklik.yt skipped
E:\rjiybg.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000005.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000006.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000048.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000049.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001079.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001080.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001113.com Infected: Trojan.Win32.Vaklik.yt skipped
E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\change.log Object is locked skipped
F:\nl.com Infected: Trojan.Win32.Vaklik.yt skipped
F:\rjiybg.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000007.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000008.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000050.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000051.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001081.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001082.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001115.com Infected: Trojan.Win32.Vaklik.yt skipped
F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\change.log Object is locked skipped
G:\nl.com Infected: Trojan.Win32.Vaklik.yt skipped
G:\rjiybg.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000009.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000010.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000052.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000053.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001083.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001084.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001117.com Infected: Trojan.Win32.Vaklik.yt skipped
G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\change.log Object is locked skipped
H:\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar/KeyGen.exe Infected: not-a-virusSWTool.Win32.GetPass.h skipped
H:\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar RAR: infected - 1 skipped
H:\nl.com Infected: Trojan.Win32.Vaklik.yt skipped
H:\rjiybg.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000011.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000012.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000054.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000055.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001085.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001086.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001119.com Infected: Trojan.Win32.Vaklik.yt skipped
H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\change.log Object is locked skipped

Scan process completed.

Thanks!

 

Almost done.

First, open your Norton interface and delete all quarantined items. You should not have 2 antivirus programs active, and I recommend you uninstall one of them.

Then, delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

File::
D:\nl.com
D:\rjiybg.exe
E:\nl.com
E:\rjiybg.exe
F:\nl.com
F:\rjiybg.exe
G:\nl.com
G:\rjiybg.exe
H:\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar
H:\nl.com
H:\rjiybg.exe

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

hey noah, this time around combofix didn't seem to run

i created the CFScript.txt as per normal and dragged it onto combofix, it showed the little green loading bar but after that nothing happened

EDIT: should mention that i just uninstalled avast and didn't restart pc prior to running combofix...would that have mattered? should i try resetting pc first then try combofix again?

thanks!

 

Hang in there a few minutes ........ I'm downloading and testing right now.

 

Yes, try restarting first. If it still won't run see if you can delete the files listed in the script manually.

 

hey noah, it worked after resetting pc

combofix:

ComboFix 08-04-04.1 - Tony Liu 2008-04-07 0:07:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1525 [GMT 10:00]
執行位置?: C:\Documents and Settings\Tony Liu\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tony Liu\桌面\CFScript.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
D:\nl.com
D:\rjiybg.exe
E:\nl.com
E:\rjiybg.exe
F:\nl.com
F:\rjiybg.exe
G:\nl.com
G:\rjiybg.exe
H:\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar
H:\nl.com
H:\rjiybg.exe
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\nl.com
D:\rjiybg.exe
E:\nl.com
E:\rjiybg.exe
F:\nl.com
F:\rjiybg.exe
G:\nl.com
G:\rjiybg.exe
H:\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar
H:\nl.com
H:\rjiybg.exe

.
(((((((((((((((((((((((((((( 2008-03-06 - 2008-04-06 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-04-06 19:44 . 2008-04-06 19:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 19:44 . 2008-04-06 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-03 21:17 . 2008-04-03 21:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 21:17 . 2008-04-03 21:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 16:22 . 2008-04-03 16:22 <DIR> d-------- C:\Deckard
2008-04-02 20:55 . 2008-04-02 20:55 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-01 22:56 . 2008-04-01 22:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 22:50 . 2008-04-01 23:03 <DIR> d-------- C:\SDFix
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
2008-04-01 22:22 . 2008-04-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 21:58 . 2008-04-01 21:57 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-01 21:57 . 2008-04-01 22:32 <DIR> d-------- C:\Documents and Settings\Tony Liu\.housecall6.6
2008-04-01 21:32 . 2007-10-13 20:26 <DIR> d-------- C:\Documents and Settings\Test Account\桌面
2008-04-01 21:32 . 2007-08-26 17:20 <DIR> dr------- C:\Documents and Settings\Test Account\「開始」功能表
2008-04-01 20:54 . 2008-04-01 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 20:40 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nview
2008-03-30 20:40 . 2008-03-24 19:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-30 20:40 . 2008-04-07 00:04 176,582 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-30 20:40 . 2008-03-24 19:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-30 20:39 . 2008-03-30 20:39 <DIR> d-------- C:\NVIDIA
2008-03-30 20:39 . 2008-03-24 11:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-23 15:21 . 2008-03-23 15:21 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
2008-03-18 18:41 . 2008-03-22 22:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-18 18:30 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\Tony Liu\Phone Browser
2008-03-13 22:43 . 2008-03-25 23:06 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
2008-03-13 22:43 . 2008-03-13 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-13 22:42 . 2008-03-13 22:42 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-13 22:42 . 2008-03-13 22:43 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
2008-03-13 22:42 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-13 22:42 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-03-13 22:42 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-13 22:42 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-13 22:42 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-13 22:41 . 2008-03-13 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-03-11 20:27 . 2008-03-11 20:27 24,888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
2008-03-07 18:21 . 2008-03-30 20:40 <DIR> d-------- C:\WINDOWS\nvidia icons

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 09:50 --------- d-----w C:\Program Files\eMule
2008-03-31 12:06 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-30 10:57 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Bioshock
2008-03-13 12:43 --------- d-----w C:\Program Files\DIFX
2008-03-08 23:00 --------- d-----w C:\Program Files\Java
2008-03-02 12:44 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-03-02 12:44 --------- d-----w C:\Program Files\VirtualDub
2008-02-25 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
2008-02-25 07:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-25 06:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2008-02-21 13:05 --------- d-----w C:\Program Files\ffdshow
2008-02-18 10:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-18 10:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-15 06:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 12:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 11:59 --------- d-----w C:\Program Files\GetRight
2007-12-27 12:22 22,328 ----a-w C:\Documents and Settings\Tony Liu\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-04_21.51.24.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-04-06 13:36:29 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2005-05-24 02:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-04-06 14:05:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c08.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 22:00 15360]
"MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Steam "= "E:\Valve\Steam\Steam.exe" [2008-04-01 20:05 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 22:00 208952]
"PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
"amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"CTHelper "= "CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 10:38 2130432]
"Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 00:48 185896]
"QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 21:58 49152]
"RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 16:33 45056]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
"nwiz "= "nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 22:00 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-08-26 16:42:26 995328]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FPS1 "= frapsvid.dll
"msacm.ac3filter "= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"E:\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
"E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
"E:\\Valve\\Steam\\SteamApps\\basketballfreak6\\counter-strike source\\hl2.exe "=
"C:\\Program Files\\eMule\\emule.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe "=
"E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe "=
"E:\\Sierra\\FEAR\\FEAR.exe "=
"E:\\Sierra\\FEAR\\FEARMP.exe "=
"E:\\Valve\\Steam\\Steam.exe "=
"C:\\Program Files\\BitComet\\BitComet.exe "=
"E:\\Unreal Tournament 3 Demo\\Binaries\\Bioshock.exe "=
"E:\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
"E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27166:TCP "= 27166:TCP:BitComet 27166 TCP
"27166:UDP "= 27166:UDP:BitComet 27166 UDP
"49152:TCP "= 49152:TCP:BitComet 49152 TCP
"49152:UDP "= 49152:UDP:BitComet 49152 UDP
"65534:TCP "= 65534:TCP:BitComet 65534 TCP
"65534:UDP "= 65534:UDP:BitComet 65534 UDP

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-28 07:46]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-09-05 19:27]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-06-23 10:35]

.
排程工作資料夾的內容
"2008-03-27 03:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 00:08:58
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
完成時間?: 2008-04-07 0:09:17
ComboFix-quarantined-files.txt 2008-04-06 14:09:10
ComboFix2.txt 2008-04-06 06:49:04
ComboFix3.txt 2008-04-05 07:50:11
ComboFix4.txt 2008-04-04 11:51:37
16 個目錄 4,046,602,240 位元組可用
18 個目錄 4,015,824,896 位元組可用
.
2008-03-12 21:13:34 --- E O F ---

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:39 AM, on 7/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\nHancer\nHancerService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Valve\Steam\Steam.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8009 bytes

thanks heaps!