Solved Infected by Bloodhound.Packed.Jmp...again

Discussion in 'Malware and Virus Removal Archive' started by basketballfreak, 2008/05/12.

  1. 2008/05/12
    basketballfreak

    [Resolved] Infected by Bloodhound.Packed.Jmp...again

    Got infected by the Bloodhound.Packed.Jmp virus again, thanks to a friend's laptop... *sigh*

    Below is Deckard's System Scan; thanks in advance!

    Deckard's System Scanner v20071014.68
    Run by Tony Liu on 2008-05-12 18:57:49
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Tony Liu.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:57:50 PM, on 12/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\nHancer\nHancerService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
    C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Tony Liu\桌面\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\TONYLI~1.EXE

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe "
    O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
    O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8294 bytes

    -- Files created between 2008-04-12 and 2008-05-12 -----------------------------

    2008-05-10 17:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-05-10 07:52:35 0 d-------- C:\Program Files\OpenAL
    2008-05-10 00:03:42 81408 -r-hs---- C:\WINDOWS\system32\tavo1.dll
    2008-05-10 00:02:41 125952 -r-hs---- C:\WINDOWS\system32\kavo0.dll
    2008-05-09 21:04:13 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Help
    2008-05-09 21:02:59 125952 -r-hs---- C:\WINDOWS\system32\kavo1.dll
    2008-05-09 21:02:19 111418 -r-hs---- C:\WINDOWS\system32\tavo.exe
    2008-05-09 21:02:10 118245 -r-hs---- C:\j.cmd
    2008-05-09 21:01:43 118245 -r-hs---- C:\WINDOWS\system32\kavo.exe
    2008-04-14 19:35:14 2337865 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-04-14 11:33:21 0 d-------- C:\Program Files\Winamp
    2008-04-14 11:33:21 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Winamp
    2008-04-14 08:02:24 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
    2008-04-14 08:02:18 0 d-------- C:\Program Files\QO Labs


    -- Find3M Report ---------------------------------------------------------------

    2008-05-10 07:49:40 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-23 00:37:14 0 d-------- C:\Program Files\eMule
    2008-04-12 23:18:18 349548 --a------ C:\WINDOWS\system32\prfh0404.dat
    2008-04-12 23:18:18 111840 --a------ C:\WINDOWS\system32\prfc0404.dat
    2008-04-11 21:50:50 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Ubisoft
    2008-04-02 20:55:47 0 d-------- C:\Program Files\Alwil Software
    2008-04-01 22:22:59 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
    2008-04-01 20:54:36 0 d-------- C:\Program Files\Trend Micro
    2008-03-30 20:57:33 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Bioshock
    2008-03-25 23:06:51 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
    2008-03-25 23:06:01 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
    2008-03-24 19:52:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
    2008-03-24 19:52:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
    2008-03-24 19:52:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
    2008-03-24 19:52:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
    2008-03-24 19:52:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
    2008-03-24 19:52:00 1482752 --a------ C:\WINDOWS\system32\nview.dll
    2008-03-24 19:52:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
    2008-03-24 19:52:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
    2008-03-24 19:52:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
    2008-03-23 15:21:47 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
    2008-03-22 23:05:27 23 --a------ C:\WINDOWS\popcinfot.dat
    2008-03-22 22:27:18 0 d-------- C:\Program Files\VideoLAN
    2008-03-13 22:43:37 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
    2008-03-13 22:43:12 0 d-------- C:\Program Files\DIFX
    2008-03-13 22:43:00 0 d-------- C:\Program Files\Common Files\PCSuite
    2008-03-13 22:42:56 0 d-------- C:\Program Files\Nokia
    2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files
    2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files\Nokia
    2008-03-13 22:42:44 0 d-------- C:\Program Files\PC Connectivity Solution
    2008-03-11 20:27:57 24888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-02 22:44:01 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
    2008-02-13 21:59:35 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [02/03/2006 10:00 PM]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/03/2006 10:00 PM]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/03/2006 10:00 PM]
    "amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [17/11/2006 04:49 PM]
    "CTHelper "= "CTHELPER.EXE" [17/08/2006 11:32 AM C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [17/08/2006 11:32 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00 AM]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [14/10/2005 11:01 AM]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00 AM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [21/05/2003 01:21 AM]
    "Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [09/05/2007 10:38 AM]
    "Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14/01/2004 11:10 AM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/10/2007 12:48 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24 AM]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 10:57 PM]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [29/09/2006 09:58 PM]
    "RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [02/11/2002 04:33 PM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [24/03/2008 07:52 PM]
    "nwiz "= "nwiz.exe" [24/03/2008 07:52 PM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [24/03/2008 07:52 PM]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [02/03/2006 10:00 PM]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
    "Steam "= "E:\Valve\Steam\Steam.exe" [01/04/2008 08:05 PM]
    "Vidalia "= "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" []
    "kava "= "C:\WINDOWS\system32\kavo.exe" [09/05/2008 09:02 PM]
    "tava "= "C:\WINDOWS\system32\tavo.exe" [11/05/2008 08:18 AM]

    C:\Documents and Settings\Tony Liu\「開始」功能表\程式集\啟動\
    Registration Assassin's Creed.LNK - E:\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe [11/04/2008 9:46:19 PM]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [26/08/2007 4:42:26 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)
    "disableregistrytools "=0 (0x0)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
    AutoRun\command- L:\j.cmd
    explore\Command- L:\j.cmd
    open\Command- L:\j.cmd

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
    AutoRun\command- L:\1wod1.com
    explore\Command- L:\1wod1.com
    open\Command- L:\1wod1.com




    -- End of Deckard's System Scanner: finished at 2008-05-12 18:58:18 ------------
     
  2. 2008/05/12
    noahdfear

    Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

    Next, download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows.
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new dss log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     

  3. 2008/05/13
    basketballfreak

    Hey Noah, I ran the new Flash_Disinfector on the USB drive, then tried scanning it with the Kaspersky online scanner. It says the USB drive has one virus and one infected file: the virus is Trojan-PSW.Win32.OnLineGames.aejw and the infected file is j.cmd.

    Below are the logs for ComboFix and DSS.

    ComboFix:

    ComboFix 08-05-12.1 - Tony Liu 2008-05-13 21:22:02.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1467 [GMT 10:00]
    執行位置?: C:\Documents and Settings\Tony Liu\桌面\ComboFix.exe
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\autorun.inf
    C:\WINDOWS\system32\kavo.exe
    C:\WINDOWS\system32\kavo0.dll
    C:\WINDOWS\system32\kavo1.dll
    C:\WINDOWS\system32\tavo.exe
    C:\WINDOWS\system32\tavo1.dll
    D:\Autorun.inf
    E:\Autorun.inf
    F:\Autorun.inf
    G:\Autorun.inf
    H:\Autorun.inf

    .
    (((((((((((((((((((((((((((( 2008-04-13 - 2008-05-13 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-05-12 18:53 . 2008-05-12 18:53 <DIR> d-------- C:\Deckard
    2008-05-10 17:36 . 2008-05-10 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-05-10 07:52 . 2008-05-10 07:52 <DIR> d-------- C:\Program Files\OpenAL
    2008-05-10 07:52 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
    2008-05-10 07:52 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
    2008-05-10 07:52 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp3C9B.tmp
    2008-05-10 07:52 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp3C9A.tmp
    2008-05-10 07:52 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
    2008-05-10 07:52 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
    2008-05-10 07:52 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
    2008-05-10 07:52 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-05-09 21:02 . 2008-05-09 21:02 118,245 -r-hs---- C:\j.cmd
    2008-04-14 19:35 . 2008-04-19 12:02 2,337,865 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-04-14 16:04 . 2008-04-17 07:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-14 16:04 . 2008-04-14 16:04 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-14 11:33 . 2008-04-14 16:00 <DIR> d-------- C:\Program Files\Winamp
    2008-04-14 11:33 . 2008-04-14 11:35 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Winamp
    2008-04-14 08:02 . 2008-04-14 16:00 <DIR> d-------- C:\Program Files\QO Labs
    2008-04-14 08:02 . 2008-04-14 08:02 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-12 10:28 --------- d-----w C:\Program Files\eMule
    2008-05-10 07:35 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-05-09 21:52 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-05-09 21:52 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-05-09 21:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-19 02:02 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
    2008-04-19 02:02 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-04-19 02:02 22,328 ----a-w C:\Documents and Settings\Tony Liu\Application Data\PnkBstrK.sys
    2008-04-19 02:02 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-04-19 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-04-11 12:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
    2008-04-11 11:50 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Ubisoft
    2008-04-06 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-02 10:55 --------- d-----w C:\Program Files\Alwil Software
    2008-04-01 12:22 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
    2008-04-01 12:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-01 11:57 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-04-01 10:54 --------- d-----w C:\Program Files\Trend Micro
    2008-03-30 10:57 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Bioshock
    2008-03-25 13:06 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
    2008-03-25 13:06 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Nokia
    2008-03-24 01:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
    2008-03-23 05:21 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\vlc
    2008-03-22 12:27 --------- d-----w C:\Program Files\VideoLAN
    2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-13 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-03-13 12:43 --------- d-----w C:\Program Files\DIFX
    2008-03-13 12:43 --------- d-----w C:\Program Files\Common Files\PCSuite
    2008-03-13 12:43 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\PC Suite
    2008-03-13 12:42 --------- d-----w C:\Program Files\PC Connectivity Solution
    2008-03-13 12:42 --------- d-----w C:\Program Files\Nokia
    2008-03-13 12:42 --------- d-----w C:\Program Files\Common Files\Nokia
    2008-03-13 12:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
    2008-03-11 10:27 24,888 ----a-w C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-02 12:44 720,896 ----a-w C:\WINDOWS\iun6002.exe
    2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:33 45,056 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-13 11:59 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 22:00 15360]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "Steam "= "E:\Valve\Steam\Steam.exe" [2008-04-01 20:05 1271032]
    "Vidalia "= "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 22:00 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
    "amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
    "CTHelper "= "CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
    "Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 10:38 2130432]
    "Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 00:48 185896]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 21:58 49152]
    "RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 16:33 45056]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
    "nwiz "= "nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52 86016]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 22:00 15360]

    C:\Documents and Settings\Tony Liu\「開始」功能表\程式集\啟動\
    Registration Assassin's Creed.LNK - E:\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe [2008-04-11 21:46:19 967304]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-08-26 16:42:26 995328]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter "= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "E:\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
    "E:\\Valve\\Steam\\SteamApps\\basketballfreak6\\counter-strike source\\hl2.exe "=
    "C:\\Program Files\\eMule\\emule.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe "=
    "E:\\Sierra\\FEAR\\FEAR.exe "=
    "E:\\Sierra\\FEAR\\FEARMP.exe "=
    "E:\\Valve\\Steam\\Steam.exe "=
    "C:\\Program Files\\BitComet\\BitComet.exe "=
    "E:\\Unreal Tournament 3 Demo\\Binaries\\Bioshock.exe "=
    "E:\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "E:\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe "=
    "E:\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe "=
    "E:\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe "=
    "E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe "=
    "E:\\Codemasters\\GRID Demo\\GRID.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "27166:TCP "= 27166:TCP:BitComet 27166 TCP
    "27166:UDP "= 27166:UDP:BitComet 27166 UDP
    "49152:TCP "= 49152:TCP:BitComet 49152 TCP
    "49152:UDP "= 49152:UDP:BitComet 49152 UDP
    "65534:TCP "= 65534:TCP:BitComet 65534 TCP
    "65534:UDP "= 65534:UDP:BitComet 65534 UDP

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
    R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-28 07:46]
    S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys []
    S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-09-05 19:27]
    S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-06-23 10:35]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
    \Shell\AutoRun\command - L:\1wod1.com
    \Shell\explore\Command - L:\1wod1.com
    \Shell\open\Command - L:\1wod1.com

    .
    排程工作資料夾的內容
    "2008-05-08 03:51:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-13 21:23:20
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...


    C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\
    C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\ 8126464 bytes
    C:\Documents and Settings\Tony Liu\ 1769472 bytes
    C:\Documents and Settings\Tony Liu\ 178 bytes
    C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\

    掃描完成
    隱藏檔案?: 28

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    完成時間?: 2008-05-13 21:23:51
    ComboFix-quarantined-files.txt 2008-05-13 11:23:47
    ComboFix2.txt 2008-04-06 14:09:18

    15 個目錄 8,405,057,536 位元組可用
    17 個目錄 9,020,362,752 位元組可用

    207 --- E O F --- 2008-04-12 13:19:02


    dss:

    Deckard's System Scanner v20071014.68
    Run by Tony Liu on 2008-05-13 21:28:46
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Tony Liu.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:28:47 PM, on 13/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\nHancer\nHancerService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
    C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Tony Liu\桌面\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\TONYLI~1.EXE

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "E:\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe "
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87EC2968-7049-4211-BEDE-58D709DA0209}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8075 bytes

    -- Files created between 2008-04-13 and 2008-05-13 -----------------------------

    2008-05-13 21:21:40 68096 --a------ C:\WINDOWS\zip.exe
    2008-05-13 21:21:40 49152 --a------ C:\WINDOWS\VFind.exe
    2008-05-13 21:21:40 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-05-13 21:21:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-05-13 21:21:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-05-13 21:21:40 98816 --a------ C:\WINDOWS\sed.exe
    2008-05-13 21:21:40 80412 --a------ C:\WINDOWS\grep.exe
    2008-05-13 21:21:40 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-05-10 17:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-05-10 07:52:35 0 d-------- C:\Program Files\OpenAL
    2008-05-09 21:04:13 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Help
    2008-05-09 21:02:10 118245 -r-hs---- C:\j.cmd
    2008-04-14 19:35:14 2337865 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-04-14 11:33:21 0 d-------- C:\Program Files\Winamp
    2008-04-14 11:33:21 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Winamp
    2008-04-14 08:02:24 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
    2008-04-14 08:02:18 0 d-------- C:\Program Files\QO Labs


    -- Find3M Report ---------------------------------------------------------------

    2008-05-12 20:28:56 0 d-------- C:\Program Files\eMule
    2008-05-10 07:49:40 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-12 23:18:18 349548 --a------ C:\WINDOWS\system32\prfh0404.dat
    2008-04-12 23:18:18 111840 --a------ C:\WINDOWS\system32\prfc0404.dat
    2008-04-11 21:50:50 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Ubisoft
    2008-04-02 20:55:47 0 d-------- C:\Program Files\Alwil Software
    2008-04-01 22:22:59 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
    2008-04-01 20:54:36 0 d-------- C:\Program Files\Trend Micro
    2008-03-30 20:57:33 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Bioshock
    2008-03-25 23:06:51 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia
    2008-03-25 23:06:01 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
    2008-03-24 19:52:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
    2008-03-24 19:52:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
    2008-03-24 19:52:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
    2008-03-24 19:52:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
    2008-03-24 19:52:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
    2008-03-24 19:52:00 1482752 --a------ C:\WINDOWS\system32\nview.dll
    2008-03-24 19:52:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
    2008-03-24 19:52:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
    2008-03-24 19:52:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
    2008-03-23 15:21:47 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\vlc
    2008-03-22 23:05:27 23 --a------ C:\WINDOWS\popcinfot.dat
    2008-03-22 22:27:18 0 d-------- C:\Program Files\VideoLAN
    2008-03-13 22:43:37 0 d-------- C:\Documents and Settings\Tony Liu\Application Data\PC Suite
    2008-03-13 22:43:12 0 d-------- C:\Program Files\DIFX
    2008-03-13 22:43:00 0 d-------- C:\Program Files\Common Files\PCSuite
    2008-03-13 22:42:56 0 d-------- C:\Program Files\Nokia
    2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files
    2008-03-13 22:42:56 0 d-------- C:\Program Files\Common Files\Nokia
    2008-03-13 22:42:44 0 d-------- C:\Program Files\PC Connectivity Solution
    2008-03-11 20:27:57 24888 --a------ C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-02 22:44:01 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
    2008-02-13 21:59:35 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [02/03/2006 10:00 PM]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/03/2006 10:00 PM]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/03/2006 10:00 PM]
    "amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [17/11/2006 04:49 PM]
    "CTHelper "= "CTHELPER.EXE" [17/08/2006 11:32 AM C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [17/08/2006 11:32 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00 AM]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [14/10/2005 11:01 AM]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00 AM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [21/05/2003 01:21 AM]
    "Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [09/05/2007 10:38 AM]
    "Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14/01/2004 11:10 AM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/10/2007 12:48 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24 AM]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 10:57 PM]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [29/09/2006 09:58 PM]
    "RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [02/11/2002 04:33 PM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [24/03/2008 07:52 PM]
    "nwiz "= "nwiz.exe" [24/03/2008 07:52 PM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [24/03/2008 07:52 PM]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [02/03/2006 10:00 PM]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
    "Steam "= "E:\Valve\Steam\Steam.exe" [01/04/2008 08:05 PM]
    "Vidalia "= "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" []

    C:\Documents and Settings\Tony Liu\「開始」功能表\程式集\啟動\
    Registration Assassin's Creed.LNK - E:\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe [11/04/2008 9:46:19 PM]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [26/08/2007 4:42:26 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
    AutoRun\command- L:\1wod1.com
    explore\Command- L:\1wod1.com
    open\Command- L:\1wod1.com




    -- End of Deckard's System Scanner: finished at 2008-05-13 21:29:05 ------------


    many thanks!
     
  5. 2008/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Insert the flash drive and open it. Look for and delete the j.cmd file if present.

    Once again, please disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    File::
    C:\j.cmd
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58010984-5c65-11dc-a06f-001731e1e14f}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
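    Added example, not from the thread or from ComboFix/DSS: a PowerShell check that lists the MountPoints2 autorun handlers the logs above keep showing (L:\1wod1.com, then L:\j.cmd) and flags any that launch a bare script or executable from a drive root, then dry-runs the same key removal the CFScript performs. The function names, the extension list and the root-of-drive heuristic are my assumptions, not anything ComboFix does.

```powershell
# Added example, not part of the thread or of ComboFix/DSS.
# Walks HKCU\...\Explorer\MountPoints2 and reports every Shell\<verb>\command
# handler, flagging those that launch a bare file from a drive root
# (the pattern of L:\1wod1.com and L:\j.cmd in the logs above).
# The extension list and the root-of-drive test are heuristic assumptions.

$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Test-SuspiciousAutorunCommand {
    param([Parameter(Mandatory)][string]$Command)

    # Isolate the program path: a quoted first token, or everything up to the first space.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $target = $c -replace '^"([^"]*)".*$', '$1'
    } else {
        $target = $c.Split(' ')[0]
    }

    # Flag a script/executable sitting directly in the root of a drive,
    # e.g. L:\1wod1.com or L:\j.cmd. Vendor autoruns normally point into a folder.
    return [bool]($target -match '^[A-Za-z]:\\[^\\]+\.(cmd|bat|com|exe|pif|scr|vbs|js)$')
}

function Get-MountPointAutorunHandlers {
    param([string]$Root = $MountPoints2)

    # Only the {GUID} subkeys describe volumes; '#' and '##server#share' keys are skipped.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9a-f-]+\}$' } |
        ForEach-Object {
            $volumeKey = $_
            foreach ($verb in 'AutoRun', 'explore', 'open') {
                $cmdKey = Join-Path -Path $volumeKey.PSPath -ChildPath "Shell\$verb\command"
                if (-not (Test-Path -LiteralPath $cmdKey)) { continue }

                # The command line is stored as the key's (default) value.
                $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
                if (-not $command) { continue }

                [pscustomobject]@{
                    VolumeKey  = $volumeKey.PSChildName
                    Verb       = $verb
                    Command    = $command
                    Suspicious = Test-SuspiciousAutorunCommand -Command $command
                }
            }
        }
}

# Report all handlers, then dry-run the removal that the CFScript line
# "[-HKEY_CURRENT_USER\...\mountpoints2\{GUID}]" performs. Drop -WhatIf only
# after each flagged entry has been confirmed.
$handlers = @(Get-MountPointAutorunHandlers)
$handlers | Format-Table -AutoSize

$flagged = $handlers | Where-Object { $_.Suspicious } | Select-Object -Unique VolumeKey
foreach ($h in $flagged) {
    Remove-Item -LiteralPath (Join-Path -Path $MountPoints2 -ChildPath $h.VolumeKey) -Recurse -WhatIf
}
```

Note that deleting the key only removes the cached handler; the file it points to on the removable drive still has to be deleted, which is why the post above asks for j.cmd to be removed from the flash drive first.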
     
  6. 2008/05/14
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hi noah, this is the log created by combofix:

    ComboFix 08-05-12.1 - Tony Liu 2008-05-14 21:10:44.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1462 [GMT 10:00]
    執行位置?: C:\Documents and Settings\Tony Liu\桌面\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Tony Liu\桌面\CFScript.txt
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\j.cmd
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\j.cmd

    .
    (((((((((((((((((((((((((((( 2008-04-14 - 2008-05-14 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-05-12 18:53 . 2008-05-12 18:53 <DIR> d-------- C:\Deckard
    2008-05-10 17:36 . 2008-05-10 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-05-10 07:52 . 2008-05-10 07:52 <DIR> d-------- C:\Program Files\OpenAL
    2008-05-10 07:52 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
    2008-05-10 07:52 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
    2008-05-10 07:52 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp3C9B.tmp
    2008-05-10 07:52 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp3C9A.tmp
    2008-05-10 07:52 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
    2008-05-10 07:52 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
    2008-05-10 07:52 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
    2008-05-10 07:52 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-04-14 19:35 . 2008-04-19 12:02 2,337,865 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-04-14 16:04 . 2008-04-17 07:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-14 16:04 . 2008-04-14 16:04 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-14 11:33 . 2008-04-14 16:00 <DIR> d-------- C:\Program Files\Winamp
    2008-04-14 11:33 . 2008-04-14 11:35 <DIR> d-------- C:\Documents and Settings\Tony Liu\Application Data\Winamp
    2008-04-14 08:02 . 2008-04-14 16:00 <DIR> d-------- C:\Program Files\QO Labs
    2008-04-14 08:02 . 2008-04-14 08:02 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-12 10:28 --------- d-----w C:\Program Files\eMule
    2008-05-10 07:35 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-05-09 21:52 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-05-09 21:52 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-05-09 21:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-19 02:02 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
    2008-04-19 02:02 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-04-19 02:02 22,328 ----a-w C:\Documents and Settings\Tony Liu\Application Data\PnkBstrK.sys
    2008-04-19 02:02 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-04-19 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-04-11 12:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
    2008-04-11 11:50 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Ubisoft
    2008-04-06 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-02 10:55 --------- d-----w C:\Program Files\Alwil Software
    2008-04-01 12:22 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Malwarebytes
    2008-04-01 12:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-01 11:57 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-04-01 10:54 --------- d-----w C:\Program Files\Trend Micro
    2008-03-30 10:57 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Bioshock
    2008-03-25 13:06 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Nokia Multimedia Player
    2008-03-25 13:06 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\Nokia
    2008-03-24 01:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
    2008-03-23 05:21 --------- d-----w C:\Documents and Settings\Tony Liu\Application Data\vlc
    2008-03-22 12:27 --------- d-----w C:\Program Files\VideoLAN
    2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-11 10:27 24,888 ----a-w C:\Documents and Settings\Tony Liu\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-02 12:44 720,896 ----a-w C:\WINDOWS\iun6002.exe
    2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:33 45,056 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 22:00 15360]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "Steam "= "E:\Valve\Steam\Steam.exe" [2008-04-01 20:05 1271032]
    "Vidalia "= "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 22:00 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 22:00 455168]
    "amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
    "CTHelper "= "CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
    "Launch PC Probe II "= "C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 10:38 2130432]
    "Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 00:48 185896]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 21:58 49152]
    "RegKillElbyCheck "= "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 16:33 45056]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
    "nwiz "= "nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52 86016]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 22:00 15360]

    C:\Documents and Settings\Tony Liu\「開始」功能表\程式集\啟動\
    Registration Assassin's Creed.LNK - E:\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe [2008-04-11 21:46:19 967304]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-08-26 16:42:26 995328]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter "= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "E:\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe "=
    "E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe "=
    "E:\\Valve\\Steam\\SteamApps\\basketballfreak6\\counter-strike source\\hl2.exe "=
    "C:\\Program Files\\eMule\\emule.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe "=
    "E:\\Sierra\\FEAR\\FEAR.exe "=
    "E:\\Sierra\\FEAR\\FEARMP.exe "=
    "E:\\Valve\\Steam\\Steam.exe "=
    "C:\\Program Files\\BitComet\\BitComet.exe "=
    "E:\\Unreal Tournament 3 Demo\\Binaries\\Bioshock.exe "=
    "E:\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "E:\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe "=
    "E:\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe "=
    "E:\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe "=
    "E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "E:\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe "=
    "E:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe "=
    "E:\\Codemasters\\GRID Demo\\GRID.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "27166:TCP "= 27166:TCP:BitComet 27166 TCP
    "27166:UDP "= 27166:UDP:BitComet 27166 UDP
    "49152:TCP "= 49152:TCP:BitComet 49152 TCP
    "49152:UDP "= 49152:UDP:BitComet 49152 UDP
    "65534:TCP "= 65534:TCP:BitComet 65534 TCP
    "65534:UDP "= 65534:UDP:BitComet 65534 UDP

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
    R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-28 07:46]
    S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys []
    S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-09-05 19:27]
    S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-06-23 10:35]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4afdc409-fe54-11dc-a0d4-001731e1e14f}]
    \Shell\AutoRun\command - L:\j.cmd
    \Shell\explore\Command - L:\j.cmd
    \Shell\open\Command - L:\j.cmd

    *Newly Created Service* - CATCHME
    .
    排程工作資料夾的內容
    "2008-05-08 03:51:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-14 21:11:25
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...


    C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\
    C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\ 8126464 bytes
    C:\Documents and Settings\Tony Liu\ 2052096 bytes
    C:\Documents and Settings\Tony Liu\ 178 bytes
    C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\C:\Documents and Settings\Tony Liu\

    掃描完成
    隱藏檔案?: 28

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    完成時間?: 2008-05-14 21:11:53
    ComboFix-quarantined-files.txt 2008-05-14 11:11:44
    ComboFix2.txt 2008-05-13 11:23:51
    ComboFix3.txt 2008-04-06 14:09:18

    15 個目錄 8,994,717,696 位元組可用
    16 個目錄 8,983,732,224 位元組可用

    192 --- E O F --- 2008-04-12 13:19:02

    thanks!
     
  7. 2008/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Were you able to locate and delete the j.cmd file on the flash drive?

    Run ATF Cleaner to clean all temp files, prefetch and empty recycle bin, then reboot.
    Run Kaspersky online again, save the report and post it here please.
     
  8. 2008/05/15
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey Noah, with the j.cmd file on the flash drive, what I ended up doing was going into cmd and typing "attrib -r -a -s -h *.*" on the flash drive, which un-hid all hidden files, and then I manually deleted j.cmd and autorun while in cmd, which seems to have removed it

    ran ATF Cleaner and rebooted the PC; so far Norton hasn't picked up any virus, which is a good sign...will post back results again once I've done the Kaspersky scan etc

    thanks!
     
  9. 2008/05/15
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey Noah, here is the result from the Kaspersky scan:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, May 16, 2008 6:43:56 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 15/05/2008
    Kaspersky Anti-Virus database records: 775015
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    M:\
    N:\

    Scan Statistics:
    Total number of scanned objects: 142945
    Number of viruses found: 2
    Number of infected objects: 8
    Number of suspicious objects: 0
    Duration of the scan process: 01:53:54

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Liu\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_948.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_9cc.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Tony Liu\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\ASUS\PC Probe II\Pci.tab Object is locked skipped
    C:\QooBox\Quarantine\C\j.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\tavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aeno skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

    thanks!
     
  10. 2008/05/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    A few more j.cmd files to delete, probably all with hidden attributes again.
    Paste the contents of the code box below in a command window and they should go away quietly.

    Code:
    attrib -r -h -s D:\j.cmd
    attrib -r -h -s E:\j.cmd
    attrib -r -h -s F:\j.cmd
    attrib -r -h -s G:\j.cmd
    attrib -r -h -s H:\j.cmd
    del /q D:\j.cmd
    del /q E:\j.cmd
    del /q F:\j.cmd
    del /q G:\j.cmd
    del /q H:\j.cmd
    exit
    cls
    
    
    When done, click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security.

    Please plug your flash drive back in and run Flash_Disinfector again. Then delete Flash_Disinfector.

    Let me know if you're having any other issues.
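As an added example (not code from this thread, noahdfear, or any of the tools named here): a small Python triage of a Kaspersky Online Scanner report in the layout posted above. It drops the "Object is locked skipped" noise, separates detections that already sit in ComboFix's QooBox quarantine (the path seen in the report) from live copies on drive roots, and emits the same attrib/del pairs as the command list above for the live ones. The report excerpt is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the "<path> <status>" layout of the Kaspersky report above
# (not the full report); backslashes are doubled only for the Python string literal.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\LocalService\\NTUSER.DAT Object is locked skipped
C:\\QooBox\\Quarantine\\C\\j.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\tavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aeno skipped
D:\\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
E:\\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
F:\\System Volume Information\\MountPointManagerRemoteDatabase Object is locked skipped
H:\\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aejw skipped
"""

# A detection line: drive-rooted path (may contain spaces), then "Infected: <name> <action>".
INFECTED = re.compile(r"^(?P<path>[A-Z]:\\.*?) Infected: (?P<name>\S+) (?P<action>.+)$")
# ComboFix's quarantine folder, as it appears in the report above; copies here are already neutralised.
QUARANTINE_PREFIXES = ("C:\\QooBox\\Quarantine\\",)

def parse_infected(report):
    """Return (path, detection name, last action) for every 'Infected:' line; locked/skipped lines are ignored."""
    hits = []
    for line in report.splitlines():
        m = INFECTED.match(line.strip())
        if m:
            hits.append((m["path"], m["name"], m["action"]))
    return hits

def triage(report):
    """Split detections into quarantined copies and live files, the latter grouped by drive letter."""
    live, quarantined = defaultdict(list), []
    for path, name, _ in parse_infected(report):
        if path.startswith(QUARANTINE_PREFIXES):
            quarantined.append((path, name))
        else:
            live[path[:2]].append((path, name))  # key is the drive, e.g. "D:"
    return {"live": dict(live), "quarantined": quarantined}

def remediation_commands(live):
    """Emit attrib/del pairs (same shape as the command list in the post above), one per live file, in drive order."""
    paths = [p for drive in sorted(live) for p, _ in live[drive]]
    return [f"attrib -r -h -s {p}" for p in paths] + [f"del /q {p}" for p in paths]
```

Quarantined entries are left alone on purpose: as the post says, ComboFix /u removes its own quarantine, so they need no manual action.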
     
  11. 2008/05/17
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey Noah, seems like everything's removed :)

    as always, thanks very much for your help, very much appreciated!
     
  12. 2008/05/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad I could help. :)
     
